Valve awards $20,000 to a researcher who reported a Steam bug that generated free codes

Valve has given a security researcher a $20,000 reward for reporting a bug that permitted people to generate thousands of free codes for any game on its Steam platform.

The full timeline, spotted by HackerOne, shows how the event unfolded. Artem Moskowsky – a professional bug-hunter – reported the exploit to Valve back on August 7th, and by August 11th, he’d been awarded $15,000 for identifying the flaw, as well as a bonus $5,000 for revealing the exploit privately to Valve.

"This bug was discovered randomly during the exploration of the functionality of a web application," Moskowsky told The Register, after reportedly entering a random string generating 36,000 keys for Portal 2. "It could have been used by any attacker who had access to the portal."

"To exploit the vulnerability, it was necessary to make only one request," Moskowsky added. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."

As The Register points out, astonishingly this isn’t even Moskowsky’s biggest payout from Valve. Just the month before, in July 2018, he reported a SQL Injection bug via the same reporting portal and received a hefty $25,000; $20,000 for the exploit report itself, and another $5,000 for once again keeping the flaw confidential whilst Valve addressed the security issue.

In other Valve news, the developer has responded to reports that it is not doing enough to tackle racism in public Dota 2 matches. Following two separate incidents of racism, Chinese fans started writing emails and review bombing Dota 2 to get Valve to notice their complaints, adding almost 6,000 negative reviews to Dota 2’s Steam page.

About Vikki Blake

It took 15 years of civil service monotony for Vikki to crack and switch to writing about games. She has since become an experienced reporter and critic working with a number of specialist and mainstream outlets in both the UK and beyond, including Eurogamer, GamesRadar+, IGN, MTV, and Variety.
