Valve Is Paying Hackers To Discover Security Flaws In Steam

Even Steam, the biggest PC gaming platform in the world, isn't immune to hacks and other issues that have in previous years rendered private information woefully public. That's where Valve's new bug bounty program comes in.

Bug bounty programs are common among major tech companies such as Microsoft and Facebook. They task so-called "white hat" hackers - AKA folks who can crack code with the best of them, but do so in the service of good, not evil - with discovering security exploits. If a hacker finds something, they can turn it in for a reward, usually in the form of money.

Valve is hoping its new bug bounty program will suss out security flaws in everything from Steam to Steam mobile apps to Valve-developed games.

Using the Common Vulnerability Scoring System (CVSS), Valve will decide exactly how much successful hackers get paid. Low-scoring exploits will earn hackers a max of $US200 ($268) (and a minimum of nothing), but high-scoring exploits can net them as much as $US2000 ($2680). Critical exploits, meanwhile, start at $US1500 ($2010) and have no listed maximum.

Valve doesn't want hackers to get too crazy, though. The company has stipulated that nobody should employ DDoS attacks, spam, social engineering, phishing, or "physical attempts against Valve property or data centres" in pursuit of security flaws. If they do, they shouldn't expect any money (and if they try that last thing, I feel like they should probably expect gaol?).

It's interesting to see Valve take this tack now, two years after a 16-year-old white hat hacker managed to post a joke game on Steam without Valve's approval.

At the time, the hacker, Ruby Nealon, hoped to receive payment or publicly displayed credit for his ploy - which involved social engineering and a big brouhaha among Steam users. He got neither. Valve thanked him in private and again in an email to Kotaku, but that was about all.

Years later, it seems that the Bellevue-based brain tank is singing a different tune.


    Seems like a no-brainer really. A lot of companies do employ people to do this very thing. Bug bounties just mean you get people who aren't intimately familiar with the system finding new methods the people who are familiar with it might never have thought of.
