Tomáš Duda is a young developer working for SCS Software, the developers of the Euro Truck Simulator series. He recently found a vulnerability with Valve's Steam service, and having reported it once to no response, reported it again via an elaborate prank. Which has got him suspended from certain parts of Steam for a whole year.
Duda altered the code on an old sale notice for Euro Truck Simulator 2 to be able to shake the screen and play the Harlem Shake. Which sounds harmless, but it's something Valve has taken very seriously.
Jesus fucking Christ, Valve. This for making you finally fix a vulnerability? Seriously? pic.twitter.com/NWOkdgylWk
— Tomáš Duda (@tomasduda) June 15, 2014
"Timmy essentially lives on Steam", Pavel Sebor, CEO of Czech studio SCS tells Kotaku in an email, "keeping an eye on everything happening there, every little gossip, every little new feature, parsing source code changes, he frequently suggests fixes and improvements directly to Valve. That's why I hired him really so that he can help us push our games towards closer Steam services integration, his insight into the whole system is really deep."
"Over the course of last year", Sebor explains, "Timmy has found more than one vulnerability in Steam's systems, always dutifully reporting them. This one was already reported a few months ago too, then forgotten about, but as he explained to me a short while ago, just yesterday it popped up in discussion in a closed discussion group of a few like-minded guys, and verified to still not be fixed. So Timmy supposedly wanted to play a little joke on somebody at Valve, and injected a proof of concept code into an old-forgotten announcement post, what he thought was deep enough under layers of new stuff that nobody would discover it by chance. Valve were on it within 30 minutes with a fix."
They were also quick on the banhammer. Duda has been banned from community aspects (like forums) for 12 months as a user, but he's also locked out of some developer stuff as well. Messing with Steam's code, no matter how harmless the intentions, is something Valve obviously takes pretty seriously.
"Timmy as an individual indeed had some of his personal developer/publisher permissions revoked by Valve staff, which is a penalty he will no doubt feel very harshly", Sebor adds. "He has some hard work ahead of him to earn the trust back."
"He's a good kid, I trust that he will grow wiser with time."
We've also contacted Valve for comment on this story, and will update if we hear back.