Showing 7 of 7 results by GameMaker
Post
Topic
Board Gambling
Topic OP
PSA to all new online casino owners
by
GameMaker
on 10/03/2023, 21:00:23 UTC
I've been doing free pentesting on a lot of the new casinos posted on here, and I've noticed that at least 1 in 3 will have major vulnerabilities.
Please do NOT launch a business that operates with other people's funds if you have no idea how (an example) basic input validation works.
If you are serious about your casino, then please do look into hiring a professional pentester.
Had to get this off my chest as the amount of new casinos with shitty security is skyrocketing.

This also serves as a PSA to users: Please use your brain when picking places to spend your hard-earned cash. You might end up with nothing because the site's bankroll got ripped.

(If you've got a different view on this topic, then feel free to keep it to yourself)
Post
Topic
Board Gambling
Re: Bitnity.com - a community-driven gambling platform
by
GameMaker
on 12/02/2023, 10:54:21 UTC
Sent you an email.
Check it before launching with live currencies :)
Post
Topic
Board Gambling
Re: Euphoriabet.io NO KYC Crypto Esports Betting and Roulette
by
GameMaker
on 24/09/2022, 17:38:13 UTC
And also, you made a warning message here after you reported the bug to the admin, meaning that they are already aware and have probably fixed it, so your warning here is already not valid. Your negative comment is an obvious retaliation for not paying for your volunteer service.

I'll post warning messages no matter what.
Wintomato paid me for the data leakage vulnerability, and I still let people know about it.
The reason for posting warning messages is to let people know that they fucked up, and that it might happen again.
Post
Topic
Board Gambling
Re: Euphoriabet.io NO KYC Crypto Esports Betting and Roulette
by
GameMaker
on 24/09/2022, 13:16:45 UTC
Leaving a bad review by not playing on the site just because you were not paid a reward for pointing out a bug is ridiculous. No one forced you to do it; you did it voluntarily.

I totally agree that leaving a bad review just because I wasn't paid isn't fair.

The point of my review is to let potential customers know that a bug has been found (And fixed), and that their funds might not be safe.
The reason I'm saying their funds might not be safe, is due to how easily I found the vulnerability. If a malicious actor had found the vulnerability (And not me), then they could've slowly stolen your bankroll over time, and users wouldn't be able to withdraw what they'd won.

That said, I welcome you to the gambling scene.

Pro tip: Start a bug bounty program. Paying people to find bugs is a lot better than people finding bugs and exploiting them.
Post
Topic
Board Gambling
Re: Euphoriabet.io NO KYC Crypto Esports Betting and Roulette
by
GameMaker
on 24/09/2022, 11:14:05 UTC
This website is the least secure one I've ever seen.
After finding a serious vulnerability, I reported it to their team.
I obviously can't expect bug bounty rewards when the website doesn't have such a program, but this is the first website I've ever bug hunted on that didn't pay ANYTHING.
The vulnerability made me able to generate infinite USDT+BTC.
My advice is to avoid this site. You could easily lose your crypto due to a malicious actor (If the site bankroll is cleaned).
Post
Topic
Board Gambling
Re: ✅🍅 wintomato.com 🍅Dice 🍅 Slots 🍅 Sport Betting
by
GameMaker
on 18/06/2022, 16:37:59 UTC
It is impossible for someone to steal this information; mails, IP addresses and other private data are hashed and saved with all security standards.

Just gonna start off by saying that this is a blatant lie...
I've told your support team & a moderator about the endpoints with information leaks, and they've all told me that they've let higher ups know. I see that one endpoint has been fixed, but that's just one out of multiple... I've messaged you on-site, and I need a reply within 1-2 hours or I'll be gone for 7 days again.
Post
Topic
Board Gambling
Re: ✅🍅 wintomato.com 🍅Dice 🍅 Slots 🍅 Sport Betting
by
GameMaker
on 03/06/2022, 17:18:33 UTC
Apparently messaging support didn't make the admins/devs fix this, so I'll just throw it out there. Wintomato is leaking user information through their API; and despite being told exactly what part of the API does this, they've done nothing about it. The information leaked is honestly not the biggest deal in the world (2FA status, Email, IP, other shit), but it breaks shit such as GDPR etc.