EA Forums Info Hub
EA Forums Online Security Newsletter - Volume 7

EA_Kuba
Community Manager
3 days ago

Welcome to the latest edition of our Online Security Newsletter!

Welcome to another summer issue of our newsletter (for those in the Northern Hemisphere). Last month, we continued our series on phishing from a psychological perspective. This approach, which began two issues ago with a look at password creation, offers valuable insights into how bad actors operate. If you missed the previous issues, be sure to check them out - they’re definitely worth reading!

EA Forums Online Security Newsletter - Volume 5
EA Forums Online Security Newsletter - Volume 6

This month, we focus on the important topic of reporting vulnerabilities in EA games and products. We recently published the Vulnerability Disclosure Hall of Fame, recognizing researchers who helped patch security issues in EA products or games during the past quarter.

What is a security vulnerability, and how does it differ from cheating in a game? How can you report a security vulnerability in an EA game or service, and what information should you provide?

You’ll find answers to these questions in the Security Focus section of the newsletter.

As always, you can earn a unique forum badge by sharing your experiences in the newsletter comments or by taking the quiz.

Stay safe!

What is a Security Vulnerability?
A security vulnerability is a weakness in a system that an attacker could exploit to cause harm, like stealing information or disrupting services. This is different from cheating in a game, which involves a player unfairly manipulating game rules for personal gain within the game itself, rather than exploiting a flaw in the underlying software.

If I've found a Security Vulnerability, how do I report it?
To report a security vulnerability in an EA game or service, you should fill out the Security Vulnerability Submission form on the EA Security Website. When submitting a report, include details such as the affected game or product, platform, version, time of discovery, what the vulnerability allows, steps to reproduce it, and any supporting evidence like screenshots or sample code.

How does EA classify reported Vulnerabilities?
EA classifies the severity of reported vulnerabilities using industry standards like the CVSS scoring system and a four-tier scale (Critical, Important, Moderate, Low), with the most severe issues requiring little or no user interaction to exploit. The impact of each vulnerability is further assessed using the STRIDE Security Model, and each report is carefully triaged and investigated by EA’s security team.

Can I report cheating in-game through the Security Vulnerability Submission?
Short answer - NO. Reporting cheating or account issues is handled separately from security vulnerabilities; cheating should be reported through in-game tools, and account security concerns should be addressed via EA’s account management resources. 

Online Security Newsletter - Volume 7 Quiz

Updated 2 days ago
Version 2.0

7 Comments

  • Interesting topic, there's not much I can add to the conversation, but I do want to commend the EA Security Hall of Fame. Well done to the EA team for creating a space that recognizes capable and dedicated community members.

  • Interesting topic, thank you.

    The Volume 7 Quiz says it is 'Online Security Newsletter - Volume 6 Quiz'

  • Thank you so much again for the newsletter. Okay, for this subject I have nothing special to share/comment about, but in general these newsletters have really opened my eyes in many ways. Thank you so much for these!!

  • Security vulnerabilities are no joke!

    I remember hearing about how someone was able to withdraw infinite money from a bank's ATM by inputting a negative number, (which has since long been patched out across banks worldwide).

    Basically, (from what I understand), the code behind withdrawing money went something like: "(balance) minus [withdrawal amount]", and when you used a negative number, it looked like: "(balance) minus minus [withdrawal amount]", (which two negatives had made a positive), and was what had caused the issue, (and if that wasn't the cause, then the issue was caused by the minus symbol being read as "infinite", as in coding, "-1" is often used for "infinite").

    What should happen now, is that the ATM should see the negative number as invalid, (thus preventing the exploit).

    The "infinite" issue has more of a history than one might think, as in one of the Sid Meier's Civilization games, Gandhi "went nuclear", (as we know, Gandhi was one of the most peaceful people to ever live), so how could this have happened?

    Well... the devs had set Gandhi's "power level" to "-1", which they had meant as a "he has no power since he's peaceful", however the game had seen the "-1" as "he has ALL the power". (Which, the only way to fix the issue, was for the devs to set his "power level" to "0" instead of "-1").

  • Not much to add but it's an interesting read. Highlights things that we don't necessarily think about as users.
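
The missing sign check described in the ATM comment above, shown as an added Python example; it is not part of the original newsletter or its comments, and it is not any bank's or EA's code. `Account`, `withdraw_unchecked`, `withdraw_checked` and the per-transaction limit are hypothetical names and values chosen for illustration.

```python
# Added illustration: names and the limit are assumptions, not any real bank's code.
from dataclasses import dataclass

MAX_WITHDRAWAL_CENTS = 50_000  # hypothetical per-transaction limit

class InvalidAmount(ValueError):
    """Raised when a requested withdrawal amount is rejected."""

@dataclass
class Account:
    balance_cents: int  # money held as integer cents, never floats

def withdraw_unchecked(account, amount_cents):
    """Flawed version: trusts the sign of the input."""
    # balance - (-500) == balance + 500, so a negative request adds money.
    account.balance_cents -= amount_cents
    return account.balance_cents

def withdraw_checked(account, amount_cents):
    """Hardened version: validate everything before touching the balance."""
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(amount_cents, int) or isinstance(amount_cents, bool):
        raise InvalidAmount("amount must be a whole number of cents")
    # Rejects zero, negatives, and sentinel-style values such as -1.
    if amount_cents <= 0:
        raise InvalidAmount("amount must be positive")
    if amount_cents > MAX_WITHDRAWAL_CENTS:
        raise InvalidAmount("amount exceeds per-transaction limit")
    if amount_cents > account.balance_cents:
        raise InvalidAmount("insufficient funds")
    account.balance_cents -= amount_cents
    return account.balance_cents

def demo():
    """Run both versions on constructed inputs and return the outcomes."""
    results = {"unchecked_after_negative": withdraw_unchecked(Account(10_000), -500)}
    acct = Account(10_000)
    rejected = []
    for bad in (-500, -1, 0, 10_001, 2.5, True):  # constructed sample inputs
        try:
            withdraw_checked(acct, bad)
        except InvalidAmount:
            rejected.append(bad)
    results["rejected"] = rejected
    results["checked_after_valid"] = withdraw_checked(acct, 2_500)
    return results

if __name__ == "__main__":
    print(demo())
```

The hardened function performs every check before the balance is modified, so a rejected request leaves the account unchanged.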