beetles2000 Jan 22, 2022 @ 2:10pm
Can I refund a game that can potentially infect/brick my PC?
Is it possible that Steam can give me a game refund based on information of potential damage to my entire computer to the point where it could be bricked?

This is in reference to the Dark Souls III message on Twitter: https://twitter.com/SkeleMann/status/1484802129302798336

Essentially there is a game exploit that can potentially completely ruin my PC based on a MAJOR flaw on DS3's servers that was warned but went unheard by From Software some time ago. Now it's gotten to the point where you can potentially expose yourself to getting infected by it if you play with the online servers.

I'm not angry about that issue, but when I hear things like this I get extremely paranoid due to me having an expensive PC that I CANNOT get infected or have anything happen to, so I can't touch this game at this point.

Do I have a chance of getting this to happen even after spending 13 hours on it? Because I cannot have my $65 go to waste.
Showing 16 - 30 of 41 comments
GuudBooi Jan 23, 2022 @ 5:21am
You can still try if the game is not fixed and is as serious as proved the game itself should be considered broken tbh.
Request a refund or possibly play only in offline mode and wait.
crunchyfrog Jan 23, 2022 @ 6:03am
Originally posted by RiO:
Originally posted by crunchyfrog:
The ONLY grounds you may have is if the game were faulty (and that's a MASSIVE task to prove and not applicable here as exploits aren't making the game not run as described). If you are in the EU you could have tried that.

Actually, it does apply for EU citizens and they don't have to prove anything. (Inverse burden of proof.)

As of Jan 2022 all member states are required to have activated new laws based on the EU 2019/770 Directive, colloquially the Digital Content Directive.

This directive states that conformity with contract also covers security concerns, such as software bugs that can be used to trigger remote code execution. Presence of a bug of such nature is grounds for a claim of non-conformity.

Moreover, in cases of digital content there is a lasting inverse burden of proof. It is up to the seller, whether that be Valve directly or the publisher with Valve only acting as their agent, to prove that this issue does not exist and the claim is false.
In contrast with physical goods, where the inverse burden of proof expires after a year - used to be 6 months under the old Sale of Goods directive superseded by the new 2019/771 one - the period for inverse burden of proof does not expire on digital content. It is lasting.

The period where a seller can be held liable for non-conformity of digital content normally has a minimum of 2 years, where member states are allowed to afford a longer period to consumers - but not less. HOWEVER, for cases of continuous supply the period where a seller can be held liable extends for as long as supply lasts. And the directive in its recitals makes clear that digital distribution platforms for video games that allow on-demand download and installation via a library of purchased titles are to be treated as cases of continuous supply.

Moreover, nearly all parts of this directive including the articles linked to what I described above are grandfathered into existing purchases and cases of continuous supply, as they apply to all forms of supply that continue to occur from 1 Jan 2022 onward. There are only two articles that only affect new purchases concluded on 1 Jan 2022 or later, which are articles 19 and 20. The former relating to the regulation of updates outside of those that are strictly needed for conformity; and the latter being the right of redress for the seller.

(Ironically this puts sellers that offer continuous supply in a tough spot; because they are liable for supply of a purchase prior to Jan 2022, but have no right of redress to recoup losses over them.)


Summarizing:
  1. The new directive applies to existing cases of supply of digital content,
  2. which means security problems with DS3 purchased before Jan 2022 are still covered by the directive as cases of non-conformity;
  3. where the seller is liable for these cases for as long as supply lasts, i.e. for as long as your Steam account lasts; and
  4. it's up to the seller to disprove the claim, i.e. to prove that the security problem in question does not exist.

This doesn't mean you're eligible for a refund off the bat.
It means the seller, whether that be Steam or the publisher, is required to fix the problem and thus restore conformity. Only if they refuse to do so, are you allowed to terminate the contract and obtain a full refund of all sums paid, provided the problem is not minor. But in case of a dangerous RCE vulnerability, I wouldn't worry about that part - that's definitely not minor.


For your reference:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019L0770


Originally posted by crunchyfrog:
The ONLY possible grounds you could have is if From Software refused to patch this and the exploit did lead to consequences. Then you could sue them. However the cost in doing so would be prohibitive unless some class action suit were done.

In other words, a big fat no.

Yup. It really sucks how limited (and unrealistically expensive) your options are if you reside in the US vis-a-vis the EU.
Sad thing, really.
Does it? I wasn't aware of that one.

You got the clause that says security vulnerabilities can apply?
Start_Running Jan 23, 2022 @ 6:25am
Ask Steam support but I suspect the answer will be no. You'd best wait about a month or so before trying when your chances will be better.
Why?
Because you will have given reasonable time for the dev to acknowledge and address the issue with a patch.
zaphodikus Jan 23, 2022 @ 9:36am
It's an old known issue, so no.
Notice how the thread does not identify the newly registered CVE, so it's not a "new" issue at all.

...Hmm, they have just taken their servers offline as a precaution, turns out the good guys do care.
Last edited by zaphodikus; Jan 23, 2022 @ 9:37am
Crashed Jan 23, 2022 @ 9:40am
Originally posted by zaphodikus:
It's an old known issue, so no.
Notice how the thread does not identify the newly registered CVE, so it's not a "new" issue at all.

...Hmm, they have just taken their servers offline as a precaution, turns out the good guys do care.
I'm guessing they will be releasing patches before going back online.
zaphodikus Jan 23, 2022 @ 9:42am
Funny though that this was known about - so I'm guessing this week's issue is a new development to have been taken seriously. Vendors are rarely going to want to give refunds for what could be argued is a temporary problem - although cyber crime is fully on the rise, and so we all need to be on the side of the goodies.
crunchyfrog Jan 23, 2022 @ 9:45am
Originally posted by zaphodikus:
Funny though that this was known about - so I'm guessing this week's issue is a new development to have been taken seriously. Vendors are rarely going to want to give refunds for what could be argued is a temporary problem - although cyber crime is fully on the rise, and so we all need to be on the side of the goodies.

Yup, the thing is technically such an action happening immediately invokes the part of the EU legislation, but on the other hand it means they must have adequate time to try and fix it.

So in any case, a refund they can simply say "nah, we're fixing it mate".
JellyPuff Jan 23, 2022 @ 9:56am
Originally posted by zaphodikus:
, turns out the good guys do care.
For themselves, yes, like all giant corporations. I doubt, it's an entirely different exploit and it'd actually be worse if it is, because that would mean, that it's an even more serious issue. Them getting around actually doing something about this so long after its discovery and even longer after its disclosure to them, is not a "the good guys do care"-thing.

Elden Ring is around the corner and will likely re-use some of the netcode, that is present in previous souls-games. Plus with all the recently generated buzz from the Dark Souls community, it is no wonder, why they're doing something now. While there was and still is more fear-mongering than a healthy dose of caution (though it might have actually helped kick things into motion this time), ignoring the exploit thus far was definitely not helping either and just helped escalating things.
zaphodikus Jan 23, 2022 @ 10:00am
These days, there really are no good-guys in the literal sense, but to be honest, most of us have other games we can play in the interim. Well at any rate, you now know that a career in cyber might just be on the cards for a few more aspiring young people this year.
Mad Scientist Jan 23, 2022 @ 10:04am
Matter is clearly being resolved, being a big company or not doesn't matter in this case, nor does the EU stuff. If we were to take the latter seriously a lot of expensive software could be refunded.

Stick to the subject.

People are lucky it's even being supported since the release shows 2016 for DS3, which is far outside of an expected EOL or reasonable scenario of allowing a refund or expectations of support, which is part of any competent law or defensive abilities to disallow abuse of any particular law. If the game runs/plays well, that's that; an exploit in something is hardly a reason to allow refunds, since an OS is constantly exploited and often is why 3rd party software is introduced to protect against ever-evolving issues, yet you can't just refund an OS purchase any day/year you want.

This is about the game's functionality. As for the subject of this thread; clearly they're resolving the issue, especially since usually companies becoming alerted of such love to patch out such exploits to keep their customer base happy.
JellyPuff Jan 23, 2022 @ 10:35am
Originally posted by Mr. Gentlebot:
People are lucky it's even being supported since the release shows 2016 for DS3, which is far outside of an expected EOL or reasonable scenario of allowing a refund or expectations of support
Which doesn't matter, if it's still sold today.

Originally posted by Mr. Gentlebot:
If the game runs/plays well, that's that; an exploit in something is hardly a reason to allow refunds, since an OS is constantly exploited and often is why 3rd party software is introduced to protect against ever-evolving issues, yet you can't just refund an OS purchase any day/year you want.
True, but the situation is different, if a company knows about an exploit but does not do anything about it until it escalates or if they don't even warn their customers, so they could add security measures of their own.
Mad Scientist Jan 23, 2022 @ 10:37am
Originally posted by JellyPuff:
Originally posted by Mr. Gentlebot:
People are lucky it's even being supported since the release shows 2016 for DS3, which is far outside of an expected EOL or reasonable scenario of allowing a refund or expectations of support
Which doesn't matter, if it's still sold today.

Originally posted by Mr. Gentlebot:
If the game runs/plays well, that's that; an exploit in something is hardly a reason to allow refunds, since an OS is constantly exploited and often is why 3rd party software is introduced to protect against ever-evolving issues, yet you can't just refund an OS purchase any day/year you want.
True, but the situation is different, if a company knows about an exploit but does not do anything about it until it escalates or if they don't even warn their customers, so they could add security measures of their own.
If it's EOL then it does not matter at all, EOL includes ceasing support, and if 3rd party things literally made for security exist, then there is little to no excuse from a user to demand a refund regardless of playtime on a non-faulty product. Notifying customers is mandatory only in certain situations, of which I doubt this is one; usually it's when accounts/payment methods/finances etc are compromised.

Thankfully, they're patching it anyway, so people don't have to worry about this if they update the game.
RiO Jan 23, 2022 @ 11:58am
Originally posted by zaphodikus:
Funny though that this was known about - so I'm guessing this week's issue is a new development to have been taken seriously. Vendors are rarely going to want to give refunds for what could be argued is a temporary problem - although cyber crime is fully on the rise, and so we all need to be on the side of the goodies.

A streamer of some repute had the actual RCE exploited live on a Twitch Stream, for everyone to see. That basically forced Bamco's hand.

They're not doing this because they're 'the good guys' - or they would've done this long, long ago with all the other RCE-vulnerabilities in not just Dark Souls 3, but also Dark Souls and Dark Souls 2. (And allegedly Elden Ring as well, when it would have released - considering the fact that the netcode between these games has changed very, very little over time and is mostly a copy&paste.)

The reason they now took all of it offline is because it's all vulnerable and this has been public knowledge for, what? - a decade? Longer? It was basically a ticking time-bomb.


Originally posted by crunchyfrog:
You got the clause that says security vulnerabilities can apply?

Sure. See below, emphasis mine.

Article 8 - Objective requirements for conformity

1. In addition to complying with any subjective requirement for conformity, the digital content or digital service shall:
[..]
b) be of the quantity and possess the qualities and performance features, including in relation to functionality, compatibility, accessibility, continuity and security, normal for digital content or digital services of the same type and which the consumer may reasonably expect.


You may very well expect for a triple-A video game not to contain a readily exploitable RCE-vulnerability.

Originally posted by Mr. Gentlebot:
Matter is clearly being resolved, being a big company or not doesn't matter in this case, nor does the EU stuff. If we were to take the latter seriously a lot of expensive software could be refunded.

The 'EU stuff' does in fact matter; and yes, a lot of expensive software could end up in non-conformity at which point (EU-)consumers could exercise their right to a remedy for said lack of conformity, meaning they could demand that the seller have the product fixed - and if the seller refuses, they could demand a partial refund proportional to the loss of functionality and retain the product; or terminate the contract and lose access to the product.

But they haven't yet because national legislation based on this directive is new and only entered into force start of this month. Moreover; if push comes to shove, it would require taking the seller to court and that's quite a leap in costs to make for what would otherwise just be a € 50 - € 70 loss.

You'd have to have the luck -- or bad luck; matter of perspective -- that someone with deep pockets and a strong sense of morality ends up affected by such a problem and is willing to make a case out of it on principle.


Originally posted by Mr. Gentlebot:
People are lucky it's even being supported since the release shows 2016 for DS3, which is far outside of an expected EOL or reasonable scenario of allowing a refund or expectations of support, which is part of any competent law or defensive abilities to disallow abuse of any particular law.

Except in case of the EU, they disagree with you on that point:

Article 8 Objective requirements for conformity

2. The trader shall ensure that the consumer is informed of and supplied with updates, including security updates, that are necessary to keep the digital content or digital service in conformity, for the period of time:

(a) during which the digital content or digital service is to be supplied under the contract, where the contract provides for a continuous supply over a period of time; or

(b) that the consumer may reasonably expect, given the type and purpose of the digital content or digital service and taking into account the circumstances and nature of the contract, where the contract provides for a single act of supply or a series of individual acts of supply.

Digital distribution via Steam is to be classified as continuous supply, as per examples given in the directive's recitals. I.e. 2a applies and not 2b, meaning the trader shall ensure supply of updates, including security updates, to keep the software in conformity for as long as supply lasts, i.e. for as long as the consumer's Steam account continues to have access to the game to install and play it. Reasonable expectations wrt such things as end-of-support and end-of-life only apply to the case of 2b; not 2a.

(This is logical in a sense: how can something still be in active supply, yet be end-of-life?)


Btw, crunchyfrog, looping back to your request for the relevant clause that says security vulnerabilities apply: this is another relevant passage where security updates are explicitly mentioned as a requirement the trader shall ensure for.
Last edited by RiO; Jan 23, 2022 @ 12:26pm
ReBoot Jan 23, 2022 @ 12:15pm
Pragmatic solution: disable the game's online functionality until it's fixed.

No need to call for drama.
Last edited by ReBoot; Jan 23, 2022 @ 12:18pm

Date posted: Jan 22, 2022 @ 2:10pm
Replies: 41