Valve is paying hackers thousands of dollars for discovering Steam security flaws


Valve is offering cash to hackers who can identify security flaws in Steam, and is handing out thousands of dollars to anyone who can find a potentially critical exploit.

In total, it's paid out $109,000 since it first posted on HackerOne earlier this week.

The scheme is not exclusive to Steam, either: it covers a number of servers and websites related to Steam and Valve, including the Team Fortress 2, CS:GO and Dota 2 sites.

Bugs, glitches or gameplay exploits are not part of the programme, and there's a lot of fine print that the flaw hunters have to follow. Still, it's clearly paying off, with 180 reports received so far.

Even Steam, the biggest PC gaming platform in the world, isn’t immune to hacks and other issues that have in previous years rendered private information woefully public. That’s where Valve’s new bug bounty program comes in.

Bug bounty programs are common among major tech companies like Microsoft and Facebook. They task so-called “white hat” hackers—aka folks who can crack code with the best of them, but do so in the service of good, not evil—with discovering security exploits. If a hacker finds something, they can turn it in for a reward, usually in the form of money. Valve is hoping its new bug bounty program will suss out security flaws in everything from Steam to Steam mobile apps to Valve-developed games.

Using the Common Vulnerability Scoring System (CVSS), Valve will decide exactly how much successful hackers get paid. Low-scoring exploits will earn hackers a max of $200 (and a minimum of nothing), but high-scoring exploits can net them as much as $2,000. Critical exploits, meanwhile, start at $1,500 and have no listed maximum.

Valve doesn’t want hackers to get too crazy, though. The company has stipulated that nobody should employ DDoS attacks, spam, social engineering, phishing, or “physical attempts against Valve property or data centers” in pursuit of security flaws. If they do, they shouldn’t expect any money (and if they try that last thing, I feel like they should probably expect jail?).
