Exploiting touches nearly every online game that we play and unfortunately, EVE Online is not immune to it. How exploits are handled is unique to each game, but EVE has taken the classy route and not only punished the exploiters, but have also explained what happened, why, and what is being done to keep it from happening again. CCP's Lilith goes into great detail on the POS exploit in this developer blog.

Crime and Punishment by GM Grimmi

As clearly stipulated in our rules and policies, exploiting is strictly prohibited. In our Suspension and Ban Policy there is a special clause about so-called "duping" exploits. Employing this sort of exploit will lead to permanent bans for anyone directly involved as well as possible reprimands for players who benefit from such exploits from removal of the items in question up to, and including, banning of their accounts.

A "duping" exploit is basically an exploit by which some bug in the system is used to create items or ISK out of nothing. The POS reactor exploit was an example of a "duping" exploit and it was handled accordingly.

At the time we discovered the exploit in early December, there were 232 reactors running in the bugged state. Those were installed at 178 POS complexes owned by seven corporations. The scale of the operations differed quite a bit, with one corporation running 81 bugged reactors and another with 3 reactors active.

The opening action on our part regarding the exploit included the total destruction of all the POS complexes involved. This entailed flying to each one and basically nuking everything in sight - a fireworks show of epic proportions but with no witnesses except the GMs in the demolition team.

Users directly involved in the exploit were permanently banned. Direct involvement meant that the character had a director role in the corporation using the exploit or was directly involved in servicing the POSes in exploited state. Others that were found to be involved in moving the exploited goods and laundering the ISK also received bans for their part. A number of players who had benefitted directly from the exploit were also banned. The total number of accounts banned in relation to the exploit of POS reactors is 134.

The purpose of the exploiting was quite different for the corporations involved. Two of them, including the one with the largest operation, were found to be involved in RMT, selling off the proceeds for real money to random players. Another two had funneled what they had gained into expanding their operation and at the time of discovery had not made much more from the exploit than what they rolled over back into the operation. The last three were exploiting the reactor bug in order to gain unfair advantages for the users involved, meaning that ISK and assets were moved to their other characters.

The assets removed from the game by our actions because of this exploit consist of large numbers of capital ships including some motherships and titans, over 30 Tech II BPOs and other valuable items as well as large amounts of ISK.

How did we not see this?

To date, we have found three petitions regarding the reactor bug in our systems. Two of those are since late October 2005 and one since late October 2007. In all cases, the issue was handled as an isolated bug for the players reporting it and the work done was geared towards fixing that particular issue.

In one of the older cases, the user petitioning was asked to file a bug report but the resulting report was closed after the bug hunters were not able to reproduce the issue. At the time, no procedures were in place on our end to ensure that reproduction steps were included. Nowadays, our bug hunters will contact the player submitting the report and request that the steps be added if they are missing.

Quite frankly, it must be said that at the time, the documentation and logs available for POS-related things left much to be desired and anyone involved in handling such issues would have been facing a very difficult task indeed. Very little information was available to staff and players alike about how things were supposed to work and what little logs existed were in no way sufficient to provide information needed to successfully tackle problems with POS mechanics. The usual stopgap fix was to simply repackage the structures and hope that it would take care of the issue at hand.

The last petition was correctly filed into the exploit category but it was simply handled as an individual problem for the player reporting it. Thus it fell through the cracks and did not raise the flags it should have and no exploit investigation was launched.

All the staff members involved in handling the cases have been thoroughly investigated and cleared of any involvement in the exploit by our Internal Affairs department.

Internal Affairs have also investigated other staff members for involvement in the exploit and have found no links to the exploiting corporations or characters involved in the exploit. CSM members were checked and cleared as well.

How will this not happen again?

Our systems for detecting issues failed and this brought it to our attention that they are due for an overhaul. The way exploit petitions are received and handled is currently being restructured. The same is true for the bug reporting tools and work procedures in regards to how bug reports are handled.

The QA and Customer Support departments are working on these matters together and new updated systems and procedures will be implemented as soon as they become available. In some cases, the necessary changes have already been implemented.

Active monitoring of individual items on the market will also be part of our line of defense against exploits and handled by our Research & Statistics department. This means that instead of looking at general trends based on our interests in researching specific markets we will focus more on automated detection of anomalies In the market data.

So in the end.....

There will be exploits in the future and we will do our best to discover them in their early stages and minimize their effect on EVE with new and proactive procedures. We do hope that the EVE community will accept our way of handling these once they are found. The procedures and rules used against those using these exploits will also be reviewed on a regular basis. We have already had discussions with the CSM on fines and other tools to punish those that directly, or indirectly, reap the benefits from illegal activity within EVE. No final decisions have been made yet, but now is your chance to contact your CSM representatives and let your voice be heard.