Security Researcher Hall of Fame

| Date | Name | Security issue | Status |
|---|---|---|---|
| 2021-10-20 | Suvendu Dash | DMARC and DKIM records weren't configured for the bigosaur.com domain. This could allow anyone to spoof @bigosaur.com addresses and impersonate the company. | Fixed on 2021-10-20 |
| 2021-10-03 | Shubham Shete | The HTTP headers Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy were missing from the bigosaur.com website. While the website only uses jQuery from Google API servers and embeds some YouTube videos, it could still pose a security threat for users in the future, especially if content from other sources were introduced. | Fixed on 2021-10-03 |
| 2021-07-05 | Anonymous* | Players were able to add an unlimited number of players who aren't in their friend list to their private leagues. | Fixed on 2021-07-11 |
| 2020-04-14 | Anonymous* | Players were able to get free virtual currency by changing one of the application URLs manually. | Fixed on 2020-04-15 |
| 2015-04-21 | Anonymous* | Anyone was able to check any player's profile and see the exact time that player played their most recent game. | Fixed on 2015-04-23 |

* Some of the reports were submitted by players who are still playing our games online and for that reason asked to keep their names anonymous. Since they don't care about recognition, we awarded them premium virtual currency in the respective games they play.

Please check our Vulnerability Disclosure Policy.