Leave a Comment
The folks over on The Register picked up on a rather interesting story that ended with a professional code researcher walking to the bank with a $20,000 payday. I knew that companies like Valve would pay folks for discovering and reporting major bugs on their service, I just didn't realize the compensation could be so large.
Now that I've got a handle on what, exactly, this guy discovered, it makes sense that Valve was in such a generous mood when it came to compensation. To be clear, I've only got a basic grasp on the particulars of the exploit that was discovered, but I fully understand the end result would have been utterly terrifying for Valve had someone more nefarious made the discovery first.
Rather than try to muddle my way through the particulars I'll just say that, long story short, Artem Moskowski was poking around in Steam's developer site when he discovered a way to manipulate the system into giving him keys for seemingly any game hosted on the game site. According to his report, he ended up punching in a random string of commands knowing that it would likely result in keys for the game Portal 2. What he got was 36,000 keys for that single game. He could have done the same thing for any game, as it turns out, which could have turned out to be an utterly devastating security hole.
Just as an example, Portal 2 sells for $9.99 these days. Now imagine if he decided to sell his 36,000 copies for half off on various message boards and the like. That would have been a hell of a lot of money out of Valve's pocket, especially since they're the developer/publisher of that very game. Imagine the damage that could have done to a smaller studio with an indie game being sold to the service. On the other side of the spectrum, imagine if someone had managed this for a big, $60, AAA game like Hitman 2 or Soul Calibur 6.
Moskowski reports that the process he used could have been duplicated for any game on Steam, so it's a good thing that he's a good guy and did the right thing by reporting his findings to Valve. He was paid 20 large in compensation but, again, that's a little more than half of what he could have made had he simply decided to sell the keys he "discovered" for a buck each.
This isn't his first experience with bug squashing on Steam and, in fact, it's not even the highest single pay day he's had for discovering exploits. He once earned $25,000 for digging up an SQL Injection bug which, again, is completely beyond my comprehension. In this most recent case, though, Valve forked over a $15,000 bounty initially, then went on to offer a $5,000 bonus.