Valve Is Paying Hackers To Discover Security Flaws In Steam


Even Steam, the biggest PC gaming platform in the world, isn’t immune to hacks and other issues that have in previous years rendered private information woefully public. That’s where Valve’s new bug bounty program comes in.


Bug bounty programs are common among major tech companies like Microsoft and Facebook. They task so-called “white hat” hackers—aka folks who can crack code with the best of them, but do so in the service of good, not evil—with discovering security exploits. If a hacker finds something, they can turn it in for a reward, usually in the form of money. Valve is hoping its new bug bounty program will suss out security flaws in everything from Steam to Steam mobile apps to Valve-developed games.

Using the Common Vulnerability Scoring System (CVSS), Valve will decide exactly how much successful hackers get paid. Low-scoring exploits will earn hackers a max of $200 (and a minimum of nothing), but high-scoring exploits can net them as much as $2,000. Critical exploits, meanwhile, start at $1,500 and have no listed maximum.

Valve doesn’t want hackers to get too crazy, though. The company has stipulated that nobody should employ DDoS attacks, spam, social engineering, phishing, or “physical attempts against Valve property or data centers” in pursuit of security flaws. If they do, they shouldn’t expect any money (and if they try that last thing, I feel like they should probably expect jail???).

It’s interesting to see Valve take this tack now, two years after a 16-year-old white hat hacker managed to post a joke game on Steam without Valve’s approval. At the time, the hacker, Ruby Nealon, hoped to receive payment or publicly displayed credit for his ploy—which involved social engineering and a big brouhaha among Steam users. He got neither. Valve thanked him in private and again in an email to Kotaku, but that was about all. Years later, it seems that the Bellevue-based brain tank is singing a different tune.


Kotaku senior reporter. Beats: Twitch, streaming, PC gaming. Writing a book about streamers tentatively titled "STREAMERS" to be published by Atria/Simon & Schuster in the future.


Foxstar loves Bashcraft

Those prices seem...low, for something that could take days, weeks, months. Are those the normal prices for bug hunting in the marketplace?