Results 231 to 240 of 1040

Thread: Developers Blog

  1. RSS Bot FEED
    Join Date 09-07-07
    Posts 34,809
    #231

    Fanfest 2012 Announced!

    EVE Online Fanfest 2012: March 22-24
    The Eighth Party at the Top of the World... now in a new location!
    It is time to start marking your calendars for the 2012 Fanfest in Reykjavik, Iceland, held for the first time in the brand new Harpa Concert Hall and Conference Centre, an amazing new home for Fanfest that welcomes us with open arms.

    I guess it is also time for me to reintroduce myself to all of you since my debut in Fanfest 2009 (actually I was the event manager for Fanfest '07 and Fanfest '08 as a contractor). I am CCP Tyr, your personal Fanfest guy. My goal is to bring you exponentially better Fanfests, and I think I have managed to do just that. But with the explosive growth of Fanfest the last couple of years, and especially the Party at the Top of the World, I have decided to refocus the event on you, the attendees. More EVE stuff, exclusive Fanfest attendee treatment at the party, improved Pub Crawls, DUST 514 goodies and more.
    And please, by all means, if you think there is something I can do to improve your Fanfest experience, drop me a line and give me your valuable feedback – fanfestsupport@eveonline.com.
    Back to the important stuff, Fanfest 2012!

    Fanfest brings together players in a massive celebration of EVE Online. Travelers from all around the world gather in one of the most beautiful and unique locations the planet has to offer. Allies and rivals alike set aside their in-game differences to share drinks with one another and forge new friendships. CCP developers mingle with the community, always up for "talking shop" and getting to know the fans.
    Iceland is one of the world’s must-see vacation destinations, and if you haven’t been to one of our previous Fanfests, we encourage you to come. The many wonders of Iceland await your arrival. The Sisters of EVE Program will give your friend or partner a chance to visit Iceland along with you: Details regarding the program coming soon.
    Get ready for another crazy weekend of:
    Further details, including flights and accommodation and Fanfest 2012 Access Pass availability, will be announced later, as the event draws closer. Stay tuned for further updates.
    * Please note that you have to be 18 years or older to enter the Fanfest area.

  2. RSS Bot FEED
    Join Date 09-07-07
    Posts 34,809
    #232

    Fixing some things and moving forward

    Hey there.
    I'd like to announce a few fixes that are being worked on that we're planning to release shortly.


    First off, ship spinning. The ability to see your current ship within the station hangar. This was removed when we released Captain's Quarters, as we felt the perspective from your own bridge overlooking the ship was enough. As it turns out, it didn't allow you to look at the ship from all angles; it requires far more GPU and CPU power than simply rendering a ship and a hangar and, importantly, we didn't retain UI functionality such as drag-dropping a ship onto your hangar to activate it or double-clicking on the ship to open its cargo. We know that it's annoying as hell logging into a station on a craptop trying to sort out some market orders and feeling it slowly roasting your lap while it renders your pencil skirt-wearing Caldari commander lady. We are addressing this now. The original UI functionality is scheduled to be retained. Rather than a checkbox in the escape menu, you will simply be able to board and unboard your ship, toggling between Captain's Quarters and Ship Spinning mode. Your client will remember your last choice, so if you left your station while boarded, you will be boarded the next time you find yourself in a station and vice versa. Expect it on the test server soon™.
    Second, while introducing the new turret graphics, we decided to experiment with using rendered views of each turret to replace the icons that you see in the fitting screen, HUD, market and on active targets. It turned out that the new turret models, while heavily detailed and cool, didn't lend themselves well to being drawn in an area just a few pixels wide and tall. Usability suffered. It was hard to distinguish between turret types. As a result, we will be reverting the change so that turret icons use the original custom drawn icons, rather than 3d renders of the turrets themselves. You will still be able to get the 3d preview of the turret, to celebrate their uberness while reading their stats.
    Third, we've made a number of improvements on the skin shader and on shading within the Captain's Quarters in general:
    • Fixed the incorrect specular behavior
    • Fixed shader texture gamma issues
    • Implemented a new specular glossiness model
    • The specular reflection is tinted by the color of the light
    • Added diffuse and specular fresnel
    • Added specular light from indirect light (spherical harmonics)
    • Calibrated the BRDF presets to the ones in character creator
    Basically it will look better and less harsh in conditions where there is much contrast, such as the Minmatar captain's quarters.
    Oh, and we have a new cyno effect. It is scheduled to be out within a week, in WIP state, without sound. We're looking forward to getting your feedback on it. We're hoping that you'll be spending Hydrogen Isotopes like there's no tomorrow for the pure joy of seeing and hearing that effect.
    All in all, we're moving forward. It's too soon to make announcements about what expansions and features we are developing; that will be announced in due time.
    Thanks for reading!
    Torfi Frans

  5. Registered TeamPlayer
    Join Date 04-17-07
    Posts 20,817
    Blog Entries 4
    #235

    Re: Developers Blog

    Yay to the return of ship spinning

  6. RSS Bot FEED
    Join Date 09-07-07
    Posts 34,809
    #236

    News from the fontlines

    Ola!
    I'm CCP Punkturis of Team BFF and I'm here to talk about font changes. Yup you heard me F O N T changes!
    I know you have all had problems with differentiating between I1, O0, 5S, 6G&, 8B and I don't blame you:

    So let me present Eve Sans Neue, where you can see the difference between letters:

    We’re still tuning this, don’t worry if some screenshots look a bit wonky right now. The font is, for example, sitting a bit too high at the moment so it seems like there’s not enough space above it at times, but that will be fixed.
    All about it
    Eve Sans Neue is a refinement of the original Eve Sans font. The design was revised, it was technically updated and readability has been improved. Among other updates, it now contains native Cyrillic characters, different fonts for different size groups, and a rounder form that improves legibility.


    To get the new font to render the best we could we had to update our version of FreeType. While we were at it, we decided to change our approach of using FreeType slightly and move more of the work into C++, rather than Python. This results in a significant speed boost in text rendering, meaning we spend less time opening up new windows in EVE. We've also changed how we handle characters that don't exist in our font. We used to search through your Windows Fonts folder for some preferred fallback fonts, then failing that, searching for the font with the most characters in it. Now we've simply licensed the Arial Unicode font and provide that with the EVE client, using it to render any characters not available in the EVE font.
    Label styles
    We didn’t have much consistency in the way we displayed labels. So to make the look of EVE more consistent we created just a few label styles and applied those to the existing labels. That means some of the text will be smaller than it was before, and some will be larger. This also means that maintaining the labels and making style changes in the future will be a walk in the park.


    "I DON'T TYPE IN CAPS CAUSE I'M MAD I TYPE IN CAPS BECAUSE I'M LAZY!!!" - Kanye West
    EVE was full of uppercase labels. I kind of felt sometimes like the client was screaming at me; anyone else feel the same? So we removed a lot of the uppercasing. It's our opinion that the text is more readable now.


    A good example of this is the esc menu. Here's how it was before:

    And here's how it is now:

    I know this is quite a lot of change in something that many of you spend a lot of time staring at so it's probably going to take some time getting used to. Some people at the office thought it was a bit wonky at first but quickly started to like it.
    Try it out and post!
    Since there are endless things you guys do in EVE and we have probably not covered all of the use cases, we want to ask you to try it out on Singularity (real soon) and then report all issues in this thread.


    Let us know if you find text that doesn't fit in windows, let us know if you notice that the wrong font is being used. Let us know if you see anything you don't like! Try typing in the chat and see if the correct font is being used (especially you guys who type in "weird" languages - I'm Icelandic and I consider Icelandic not weird).
    Note that this is still work in progress!
    We will be monitoring this thread and we'll try to get to things as quickly as possible.
    I really hope this change is going to make life easier and EVE more readable for you all,
    Thank you for listening!

  9. RSS Bot FEED
    Join Date 09-07-07
    Posts 34,809
    #239

    Responsible Disclosure - Reporting Security Issues

    Greetings Internet Space Citizens!

    This is a topic that, while near and dear to my heart, is something that's kind of languished for a while, and I'm happy to begin talking about with you today here on the Internet.
    Firstly, I want to spend some time on process and what goes into developing a web application at CCP. I'm not a web developer so I won't go into any detail regarding how we make decisions on technologies or anything, but I am The Security Guy so I do want to spend some time going over our process as it pertains to this area. In essence we follow a pretty well-established set of best practices. All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published. The results of this audit are actioned on prior to code publication. If this introduces delays, it introduces delays. The applications we develop are complex because of their levels of interactivity with so many other systems. Because of that, testing these applications can be challenging. The scope can never just be limited to testing a single web application because of the degrees of interactivity, which makes testing a much larger task than if the applications were self-contained. All of that being said, there are going to be situations where we simply miss something and that's where this blog comes in.
    Dating back to the last release of the forums, I've been working through exactly how we can ensure that we're properly receiving and incentivizing security information from you, our players. This is a first iteration of a how-to which will be followed by a bit of information about how we'd like to see the program develop, and a request for some feedback from you because ultimately what we're trying to do is give you something to be proud of.
    As it stands today there are a number of ways people attempt to submit security-related issues to us:
    1. Filing a petition - This is inefficient as the person receiving the petition is not a security expert, may not understand the severity of the issue and it therefore may take more time to get to the right people. Security issues need to be addressed in minutes to hours, not days.
    2. Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports.
    3. Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums.
    4. Posting on another forum - huh?
    None of these above-mentioned avenues of communication are really effective at getting us the information we need in the time we need to be receiving it. What we'd like to rectify is twofold:
    1. Providing you with a reliable and immediate avenue to report security issues so that they can get fixed immediately and investigated responsibly
    2. Providing you with a template of information which would be helpful to us in actually tracking down the issue
    What is Responsible Disclosure?

    According to Wikipedia which is never wrong: Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months. (Source: http://en.wikipedia.org/wiki/Responsible_disclosure)
    In essence what we're hoping to accomplish is that we can not only give you a venue to report information to us confidentially so that we can resolve the issue, but also to provide you with perks or incentives for doing so. We believe that if you're going to provide us with information that makes our product better, our customers safer and makes the Internet a better place then you should be rewarded for this. The problem with this is that incentives are not a one size fits all proposition but we'll get to that in a minute.
    What information should I provide?

    In the first pass we don't want to go crazy building systems or making crazy templates for submission. For the time being we think it is enough for us to say that when you send us information we need as much detail as possible. I can cite examples related to this forum:
    • The Bad Example - User files a bug report that says, "You guys are idiots the whole thing is broken."
    • The Good Example - User sends an email to security@ccpgames.com which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"
    Believe it or not both of these examples actually happened. The difference is in how it gets handled. In the first scenario the report was erroneous and never got to anyone who could do anything about it. Were the user to continue messing around we would have only our logs to go by, which would show that the user was exploiting. Computers aren't very good at logging intent and believe it or not there are documented cases where people who are out to do bad things have lied about their intentions. If we're witnessing an exploit being taken advantage of in our logs then, from our perspective, an exploit is being taken advantage of and the consequences for such actions are not light.
    In the second example the user was rewarded. What we'd like to do is extend that concept. I'll go ahead and get to that now.
    PLEX for Snitches (Working Title)

    In essence, what we'd like to achieve is to provide you with an incentive to be a good Internet citizen. Though we have given people rewards in the past they have been on a case by case basis. The main thing holding it up really is figuring out what would be of interest to you. Is it your name in lights? (This can look good on a resume.) Is it some free game time? Is it some other kind of incentive? This is the type of information I'd like to gather from you so that we can tailor the program to be the most effective.
    Basically you provide us with security-related information in confidentiality. If you'd like your name in lights we'd like to recognize that. We also want to ensure that if you prefer to remain anonymous that can be facilitated as well. We have some ideas, but we're going to be basing the final solution on your input from this blog.
    One thing of note in the program is that not every report will be worthy of reward. In order to receive recognition or incentivization you will need to provide us with something of value. Nobody really cares that Soundwave possesses the largest anime collection in Iceland. That won't help us at all; however, learning that he is studying Japanese so that he can further immerse himself in the true anime experience adds some value. To use a more relevant example, an exploit condition in our software that we can replicate and fix is of immense value. The more information you can provide the more relevant it is. Simply saying "something is broken" isn't always helpful, but saying "something's broken and here's how I broke it" is what we're looking for.
    Ok I'm sold, how do I report an issue?

    The best way to do this is to send a detailed email to security@ccpgames.com. No other method of contact will ensure that your issue gets attention from the team that can fix the issue. Whilewe haven't yet formalized the program, I have made it a personal mission in the cases that the information is of high value that the person gets rewarded. I'm looking forward to your feedback on this and after you've had some time to weigh in we'll get the ball rolling and present The Full Monty.


    More...

  10. RSS Bot FEED
    Join Date
    09-07-07
    Posts
    34,809
    #240

    Responsible Disclosure - Reporting Security Issues

    Greetings Internet Space Citizens!

    This is a topic that, while near and dear to my heart, has kind of languished for a while, and I'm happy to begin talking about it with you today here on the Internet.
    Firstly, I want to spend some time on process and what goes into developing a web application at CCP. I'm not a web developer so I won't go into any detail regarding how we make decisions on technologies or anything, but I am The Security Guy so I do want to spend some time going over our process as it pertains to this area. In essence we follow a pretty well-established set of best practices. All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published. The results of this audit are actioned on prior to code publication. If this introduces delays, it introduces delays. The applications we develop are complex because of their levels of interactivity with so many other systems. Because of that, testing these applications can be challenging. The scope can never just be limited to testing a single web application because of the degrees of interactivity, which makes testing a much larger task than if the applications were self-contained. All of that being said, there are going to be situations where we simply miss something and that's where this blog comes in.
    Dating back to the last release of the forums, I've been working through exactly how we can ensure that we're properly receiving and incentivizing security information from you, our players. This is a first iteration of a how-to which will be followed by a bit of information about how we'd like to see the program develop, and a request for some feedback from you because ultimately what we're trying to do is give you something to be proud of.
    As it stands today there are a number of ways people attempt to submit security-related issues to us:
    1. Filing a petition - This is inefficient as the person receiving the petition is not a security expert, may not understand the severity of the issue and it therefore may take more time to get to the right people. Security issues need to be addressed in minutes to hours, not days.
    2. Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports.
    3. Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums.
    4. Posting on another forum - huh?
    None of these above-mentioned avenues of communication are really effective at getting us the information we need in the time we need to be receiving it. What we'd like to rectify is twofold:
    1. Providing you with a reliable and immediate avenue to report security issues so that they can get fixed immediately and investigated responsibly
    2. Providing you with a template of information which would be helpful to us in actually tracking down the issue
    What is Responsible Disclosure?

    According to Wikipedia, which is never wrong: Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months. (Source: http://en.wikipedia.org/wiki/Responsible_disclosure)
    In essence what we're hoping to accomplish is that we can not only give you a venue to report information to us confidentially so that we can resolve the issue, but also to provide you with perks or incentives for doing so. We believe that if you're going to provide us with information that makes our product better, our customers safer and makes the Internet a better place then you should be rewarded for this. The problem with this is that incentives are not a one size fits all proposition but we'll get to that in a minute.
    What information should I provide?

    In the first pass we don't want to go crazy building systems or making crazy templates for submission. For the time being we think it is enough for us to say that when you send us information we need as much detail as possible. I can cite examples related to this forum:
    • The Bad Example - User files a bug report that says, "You guys are idiots the whole thing is broken."
    • The Good Example - User sends an email to security@ccpgames.com which reads "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept"
    Believe it or not both of these examples actually happened. The difference is in how it gets handled. In the first scenario the report was erroneous and never got to anyone who could do anything about it. Were the user to continue messing around we would have only our logs to go by, which would show that the user was exploiting. Computers aren't very good at logging intent and believe it or not there are documented cases where people who are out to do bad things have lied about their intentions. If we're witnessing an exploit being taken advantage of in our logs then, from our perspective, an exploit is being taken advantage of and the consequences for such actions are not light.
    In the second example the user was rewarded. What we'd like to do is extend that concept. I'll go ahead and get to that now.
    PLEX for Snitches (Working Title)

    In essence, what we'd like to achieve is to provide you with an incentive to be a good Internet citizen. Though we have given people rewards in the past they have been on a case by case basis. The main thing holding it up really is figuring out what would be of interest to you. Is it your name in lights? (This can look good on a resume.) Is it some free game time? Is it some other kind of incentive? This is the type of information I'd like to gather from you so that we can tailor the program to be the most effective.
    Basically you provide us with security-related information in confidentiality. If you'd like your name in lights we'd like to recognize that. We also want to ensure that if you prefer to remain anonymous that can be facilitated as well. We have some ideas, but we're going to be basing the final solution on your input from this blog.
    One thing of note in the program is that not every report will be worthy of reward. In order to receive recognition or incentivization you will need to provide us with something of value. Nobody really cares that Soundwave possesses the largest anime collection in Iceland. That won't help us at all; however, learning that he is studying Japanese so that he can further immerse himself in the true anime experience adds some value. To use a more relevant example, an exploit condition in our software that we can replicate and fix is of immense value. The more information you can provide the more relevant it is. Simply saying "something is broken" isn't always helpful, but saying "something's broken and here's how I broke it" is what we're looking for.
    Ok I'm sold, how do I report an issue?

    The best way to do this is to send a detailed email to security@ccpgames.com. No other method of contact will ensure that your issue gets attention from the team that can fix the issue. While we haven't yet formalized the program, I have made it a personal mission in the cases that the information is of high value that the person gets rewarded. I'm looking forward to your feedback on this and after you've had some time to weigh in we'll get the ball rolling and present The Full Monty.

