| Date | Name | Security issue | Status |
|---|---|---|---|
| 2023-12-26 | Ayush Kumar | Missing CAA email record in DNS | Fixed on 2023-12-26 |
| 2023-12-19 | Suprit Pandurangi, Prathamesh Choudhri | Origin IP disclosure | This is a known issue, and the report did not reveal the existence of a specific vulnerability that could be exploited. |
| 2023-12-10 | Santhosh Kumar Chandramohan | Missing SPF email record in DNS. | Fixed on 2023-12-26 |
| 2023-12-10 | Raju Basak | Missing BIMI record in DNS. | Fixed on 2023-12-10 |
| 2022-07-17 | Muhammad Arslan Kabeer, Ahmed Anwer |
Bypass of X-Frame-Options allowed for clickjacking attack. | Fixed on 2022-07-17 |
| 2022-03-16 | Gaurang Maheta | Some of our web servers allowed for open URL redirection. | Fixed on 2022-03-17 |
| 2021-10-20 | Suvendu Dash | DMARC and DKIM records weren't configured for bigosaur.com domain. This could allow anyone to spoof @bigosaur.com addresses and impersonate the company. | Fixed on 2021-10-20 |
| 2021-10-03 | Shubham Shete | HTTP headers Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy were missing from the bigosaur.com website. While the website only uses jQuery from Google API servers and embeds some YouTube videos, it could still pose a security threat for users in the future, especially if content from other sources would be introduced. | Fixed on 2021-10-03 |
| 2021-07-05 | Anonymous* | Players were able to add unlimited number of players who aren't in their friend list to their private leagues. | Fixed on 2021-07-11 |
| 2020-04-14 | Anonymous* | Players were able to get free virtual currency by changing one of the application URLs manually. | Fixed on 2020-04-15 |
| 2015-04-21 | Anonymous* | Anyone was able to check any player's profile and see when was the exact time that player played their most recent game. | Fixed on 2015-04-23 |
* Some of the reports where submitted by players who are still playing our games online and for that reason asked to keep their names anonymous. Since they don't care about recognition, we awarded them with premium virtual currency in respective games they play.
Please check our Vulnerability Disclosure Policy.