
Interview with SOFTSWISS on the Bug Bounty Program

SOFTSWISS's new Bug Bounty Program and our talk with them about how it will help the iGaming landscape.


SOFTSWISS recently released its 2025 iGaming Trends Report, a comprehensive analysis based on industry surveys, extensive media research, data from the largest Game Aggregator in the market, and over 15 years of expertise. The report identifies 15 major trends shaping the online gaming industry, with cybersecurity remaining a top priority for 2025.

In light of this, we sat down with Evgeny Zaretskov, Group Chief Information Security Officer, and Artem Bychkov, Deputy Chief Security Officer at SOFTSWISS, to discuss today’s cybersecurity measures and the recently launched Bug Bounty Program. Artem and Evgeny shared insights into the motivations behind the program, its structure, and how it aligns with SOFTSWISS’ commitment to security in the rapidly evolving iGaming landscape.

CasinoWow's interview with SOFTSWISS - Bug Bounty Program explained

  • CW: Can you explain what inspired the decision to launch a private Bug Bounty Program now and why it was designed as an invitation-only initiative?

Evgeny Zaretskov: We decided to launch a private Bug Bounty Program because we've seen firsthand how impactful such initiatives can be. In our experience, these programs revealed vulnerabilities that traditional professional internal testing or automated tools often miss. For example, professional researchers and enthusiasts excel at identifying complex logic flaws, chaining seemingly minor issues into critical exploits, or discovering creative attack vectors that deviate from standard testing scenarios. These are the types of vulnerabilities that can only be uncovered by skilled individuals with a deep understanding of both technology and human ingenuity.

By involving independent researchers, we gain access to a diverse pool of perspectives. These experts don’t just look at our systems as developers or QA teams would – they think like attackers. This mindset allows them to uncover blind spots we might not even be aware of. It’s not just about ‘unexpected vulnerabilities’, it’s about uncovering hidden layers of risks that only a fresh, external perspective can expose.

Artem Bychkov: Opting for an invitation-only approach at this stage is a deliberate decision. It enables us to focus on building robust internal processes and refining communication with researchers. By gradually scaling the program, we ensure that both researchers and our internal teams are aligned, resulting in higher-quality findings and more efficient remediation workflows.

Moreover, we firmly believe that collaboration with the professional community is one of the most effective ways to stay ahead in cybersecurity. No automated system can replicate the creativity of researchers who continuously push the boundaries of what’s possible. These programs are not just about fixing vulnerabilities – they are about fostering an ecosystem where innovation and defense go hand in hand.

An invite-only program allows us to strategically manage our resources while ensuring maximum impact. By starting small and scaling with time, we can maintain momentum without prematurely exhausting budgets or overwhelming internal teams. This measured approach ensures that the program remains sustainable, productive, and mutually beneficial for both our organisation and the research community.

  • CW: Could you elaborate on the selection criteria for the white hat hackers and security researchers you’ve invited? How does the program ensure that these experts meet your standards for quality and expertise?

Evgeny Zaretskov: The bug bounty platform plays a key role in identifying and recommending researchers based on their proven track records in similar programs and industries. Their expertise ensures that only skilled and reliable professionals are invited to participate.

At the same time, we have the flexibility to influence the selection process to align with our specific needs and standards. This approach allows us to balance the platform’s data-driven recommendations with our own understanding of what is most critical for our products and clients. By leveraging both the platform’s insights and our internal considerations, we ensure the program remains effective, transparent, and aligned with the high expectations of all stakeholders.

  • CW: SOFTSWISS has emphasised the importance of the test environment for the program. Can you explain the setup of this environment and how it ensures that there are no disruptions to the live casino systems?

Artem Bychkov: This is as simple as just using a separate test environment for security testing, not connected to a production environment in any way. But for our goals, we ensure that all necessary functions are working as we expect them to work in production.

Evgeny Zaretskov: The test environment we use for the Bug Bounty Program is specifically designed to replicate the key functionalities of our iGaming applications without any connection to the live production systems. This means that everything a player might encounter in a real casino – game logic, payment processing simulations, bonus systems, and other critical features – works exactly as it would in a live environment. This setup ensures that researchers can thoroughly test for vulnerabilities in a realistic scenario, while completely isolating the testing environment from the live systems used by players and clients.

By maintaining this separation, we ensure there is no risk of disruptions to the live player experience or the operations of our clients. At the same time, this approach allows researchers to focus on identifying potential security issues in the very systems that both players and clients rely on, without affecting real-world transactions or data. It’s a meticulous balance of realism and safety, ensuring that we deliver secure and reliable solutions to our clients while safeguarding their live operations.

  • CW: What are some examples of vulnerabilities or bugs that could be discovered through this program, and how critical are they in maintaining the security of iGaming platforms?

Artem Bychkov: Bug bounty programs are incredibly versatile, allowing us to include in scope a wide range of potential vulnerabilities that could impact the security of iGaming platforms. For instance, researchers might uncover weaknesses in critical areas such as:

  • Game Integrity: Vulnerabilities that could allow a malicious actor to manipulate game outcomes, bypass fairness algorithms, or exploit random number generation processes. Ensuring the integrity of games is paramount for maintaining player trust and the reputation of operators.
  • Payment Systems: Issues like insecure API endpoints, flaws in transaction validation, or vulnerabilities in wallet systems that could enable unauthorised withdrawals or deposits. Protecting payment flows is crucial, as financial security directly impacts player confidence and operator liability.
  • Player Accounts: Bugs that allow account takeover, credential stuffing, or unauthorised access to sensitive data. Preventing such vulnerabilities is vital for safeguarding personal information and player funds.
  • Bonus and Reward Systems: Exploits that could enable abuse of promotional offers, such as claiming bonuses multiple times or bypassing wagering requirements. While these may seem minor, they can result in significant financial losses for operators.
  • Social Engineering Entry Points: Even beyond the technical side, researchers can help identify how human-operated processes – like online support or account recovery systems – might be exploited. For example, they might find ways to trick support agents into revealing sensitive information or altering account settings.

Evgeny Zaretskov: These types of vulnerabilities are not just theoretical, they represent real-world threats that could lead to financial losses, reputational damage, and erosion of trust among players and operators. By uncovering and addressing these issues early, we not only protect the applications our clients rely on but also contribute to the overall security and stability of the iGaming industry.

The criticality of such vulnerabilities cannot be overstated. In iGaming, where real money, sensitive personal data, and regulatory compliance are all at stake, even a single overlooked flaw could have far-reaching consequences. That’s why we take a comprehensive approach with our Bug Bounty Program – ensuring that every aspect of our products, from core functionalities to auxiliary processes, is rigorously tested and secured.

  • CW: Cybersecurity is a constantly evolving field. How do you see this Bug Bounty Program evolving in the future, especially with the planned inclusion of more products and refined requirements?

Evgeny Zaretskov: As cybersecurity continues to evolve, so will our Bug Bounty Program. We see this program as a dynamic initiative that grows alongside our products and the threats they face. In the future, we plan to expand its scope to cover an increasing number of the products, services and applications we develop, ensuring that every new product or feature we release is rigorously tested for vulnerabilities.

Additionally, we aim to significantly increase the rewards for finding critical and complex vulnerabilities. By offering more substantial incentives, we can attract top-tier talent from the global cybersecurity community and motivate researchers to dive deeper into uncovering even the most challenging and unconventional flaws. This not only benefits our products but also ensures that the applications our clients rely on remain secure and resilient.

Finally, as we continue working with researchers and reviewing their findings, the program itself will naturally evolve. Each submission brings new insights – whether it’s identifying novel attack vectors, previously overlooked areas of our systems, or additional products that should be included in scope. This iterative approach ensures that the program remains relevant, effective, and aligned with the ever-changing cybersecurity landscape.

  • CW: We have one more question for you. You are familiar with our latest research on the Stake Casino hack. Could you comment on that? Do you think it all happened due to some vulnerabilities that could have been prevented?  

Artem Bychkov: We probably won’t have all the details of the Stake Casino hack, but it undoubtedly occurred because one or more security controls failed. What’s important to note is that not all vulnerabilities exploited by attackers are purely technical. Groups like Lazarus are infamous for leveraging social engineering tactics to gain initial access, bypassing even robust technical defenses. This highlights a critical lesson: cybersecurity isn’t just about tools and technologies – it’s about understanding and addressing the human factor as well.

In hindsight, it’s always tempting to believe that such incidents could have been prevented with the right measures in place, because retrospection often makes solutions appear obvious. However, the truth is that threat actors are constantly innovating, finding creative ways to exploit even the smallest gaps in security. This is, in part, why we’ve prioritised crowdsourcing our security testing through a Bug Bounty Program. By involving a diverse pool of researchers with unique perspectives and skillsets, we aim to uncover vulnerabilities – whether technical, process-related, or human-driven – before malicious actors can exploit them.

Evgeny Zaretskov: Our goal isn’t just to prevent potential breaches but to foster a culture of proactive security. We’re building platforms where trust isn’t just a feature – it’s a foundation. Incidents like the Stake Casino hack serve as stark reminders of what’s at stake in our industry, and they reinforce our commitment to staying ahead of threats, not just reacting to them.

At the end of the day, cybersecurity is a shared responsibility. By collaborating with the global community of ethical hackers, we’re not just protecting our products and clients – we’re helping raise the bar for security standards across the entire iGaming industry.

SOFTSWISS & CasinoWow

We've previously done an interview with SOFTSWISS on their Tournament Tool and were really excited to learn more about their concept. Now, we see that they keep evolving and providing the whole gaming community with great tools and solutions.

We at CasinoWow are more than happy to be collaborating with SOFTSWISS and want to thank them for the interview and for inspiring us with every part of their journey.

Published: November 29, 2024

Article by Stelly

CasinoWow Contributor

Hey there! I am Stelly, and happily, I'm part of CasinoWow's content team. It excites me to be able to write and share with all gambling enthusiasts unbiased reviews and news that contribute to the gambling community and industry. Thankfully, I also have the chance to help you make an informed choice for casino brands and games, as well as provide interesting guides and news.
