Valve has given a security researcher a $20,000 reward for reporting a bug that permitted people to generate thousands of free codes for any game on its Steam platform.
The full timeline, spotted by HackerOne (via GamesIndustry.biz), shows how the event unfolded. Artem Moskowsky – a professional bug-hunter – reported the exploit to Valve back on August 7th, and by August 11th, he’d been awarded $15,000 for identifying the flaw, as well as a bonus $5,000 for revealing the exploit privately to Valve.
"This bug was discovered randomly during the exploration of the functionality of a web application," Moskowsky told The Register, after reportedly entering a random string that generated 36,000 keys for Portal 2. "It could have been used by any attacker who had access to the portal."
"To exploit the vulnerability, it was necessary to make only one request," Moskowsky added. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."
As The Register points out, astonishingly, this isn’t even Moskowsky’s biggest payout from Valve. Just the month before, in July 2018, he reported a SQL injection bug via the same reporting portal and received a hefty $25,000: $20,000 for the exploit report itself, and another $5,000 for once again keeping the flaw confidential whilst Valve addressed the security issue.
In other Valve news, the developer has responded to reports that it is not doing enough to tackle racism in public Dota 2 matches. Following two separate incidents of racism, Chinese fans started writing emails and review bombing Dota 2 to get Valve to notice their complaints, adding almost 6,000 negative reviews to Dota 2’s Steam page.