| Date | Name | Security issue | Status |
|---|---|---|---|
| 2026-04-28 | Bajinder Kumar | Enumerating users for publicly available profiles | There was a high rate limit, but the endpoint was removed regardless as it was no longer used. Fixed on 2026-04-28. |
| 2026-04-28 | Bajinder Kumar | Password-protected translation pages for games allowed unauthorized editing via a specially crafted POST request. Even though all translations are checked manually before being merged into the game, this still isn't the desired behavior, as password-protected translations are expected to be ones the game developers consider valid. This is in contrast to the community-supplied translations, which don't carry the same expectations. | Added password protection to the POST request. Fixed on 2026-04-28. |
| 2026-04-27 | Vaidik Pandya | A page loaded by Rogue Bit game allowed XSS when used directly in the browser | Fixed on 2026-09-27 |
| 2024-09-04 | Lewis Wildgoose | XSS allowed on some of the company website pages | Fixed on 2024-09-04 |
| 2023-12-26 | Ayush Kumar | Missing CAA email record in DNS | Fixed on 2023-12-26 |
| 2023-12-19 | Suprit Pandurangi, Prathamesh Choudhri | Origin IP disclosure | This is a known issue, and the report did not reveal the existence of a specific vulnerability that could be exploited. |
| 2023-12-10 | Santhosh Kumar Chandramohan | Missing SPF email record in DNS | Fixed on 2023-12-26 |
| 2023-12-10 | Raju Basak | Missing BIMI record in DNS | Fixed on 2023-12-10 |
| 2022-07-17 | Muhammad Arslan Kabeer, Ahmed Anwer | Bypass of X-Frame-Options allowed for a clickjacking attack. | Fixed on 2022-07-17 |
| 2022-03-16 | Gaurang Maheta | Some of our web servers allowed for open URL redirection. | Fixed on 2022-03-17 |
| 2021-10-20 | Suvendu Dash | DMARC and DKIM records weren't configured for bigosaur.com domain. This could allow anyone to spoof @bigosaur.com addresses and impersonate the company. | Fixed on 2021-10-20 |
| 2021-10-03 | Shubham Shete | HTTP headers Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy were missing from the bigosaur.com website. While the website only uses jQuery from Google API servers and embeds some YouTube videos, it could still pose a security threat for users in the future, especially if content from other sources would be introduced. | Fixed on 2021-10-03 |
| 2021-07-05 | Anonymous* | Players were able to add an unlimited number of players who weren't in their friend list to their private leagues. | Fixed on 2021-07-11 |
| 2020-04-14 | Anonymous* | Players were able to get free virtual currency by changing one of the application URLs manually. | Fixed on 2020-04-15 |
| 2015-04-21 | Anonymous* | Anyone was able to check any player's profile and see the exact time that player played their most recent game. | Fixed on 2015-04-23 |
* Some of the reports were submitted by players who are still playing our games online and for that reason asked to keep their names anonymous. Since they don't care about recognition, we awarded them premium virtual currency in the respective games they play.
Please check our Vulnerability Disclosure Policy.