Valve Pays Between $200 and $7,500 for Finding Security Flaws in CS2

It was revealed today that Valve pays between $200 and $7,500 for finding security flaws in CS2, Dota, and other games on Source 2.

Valve, like many other companies, uses the HackerOne platform to search for vulnerabilities in its games. This way, it saves on specialist labor and gives independent hackers an opportunity to earn money and gain experience.

In the last year, Valve paid a total of $2,236,250 to independent hackers for finding vulnerabilities and security gaps over six years on the HackerOne platform.

Most interestingly, the money a hacker receives is transferred to their Steam wallet, not directly to a bank card.

drbrix reported a vulnerability to Valve on August 9. It worked by changing the email of a Steam account to include "amount100", and intercepting POST requests for transactions using the Smart2Pay payment method to change the amount from, say, $1 to $100.

I think the consequences are pretty obvious: the attacker could generate money, disrupt the Steam market, and sell game keys at low prices.
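The flaw described above belongs to the class where a signed payment request can be re-split into different fields without invalidating its signature. The following is an added example, not code from Valve, Smart2Pay, or the report. The page does not say how the request was authenticated, so the delimiter-less MAC, the field names, the key, and the sample values are assumptions constructed for illustration, shown beside a length-prefixed encoding and a server-side amount check that reject the altered request.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret for this example only

def sign_concat(fields):
    """Weak (assumed scheme): MAC over names and values joined with no separators."""
    msg = "".join(name + value for name, value in fields)
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def sign_canonical(fields):
    """Hardened: every name and value is length-prefixed, so boundaries are fixed."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name, value in sorted(fields):
        for part in (name.encode(), value.encode()):
            mac.update(len(part).to_bytes(4, "big") + part)
    return mac.hexdigest()

def accept_payment(fields, signature, signer, order_amount):
    """Accept only if the MAC verifies and the amount equals the stored order amount."""
    if not hmac.compare_digest(signer(fields), signature):
        return False
    amounts = [value for name, value in fields if name == "amount"]
    return amounts == [order_amount]  # exactly one amount field, matching the order

# Constructed sample: what the server signed for a $1 order.
SIGNED = [("amount", "1"), ("email", "useramount100@example.test")]
# Constructed sample: the same characters with field boundaries moved in transit.
MOVED = [("amount1emailuser", ""), ("amount", "100"), ("@example.test", "")]

if __name__ == "__main__":
    print("weak MAC identical:   ", sign_concat(SIGNED) == sign_concat(MOVED))
    print("hardened MAC identical:", sign_canonical(SIGNED) == sign_canonical(MOVED))
    print("altered request accepted:",
          accept_payment(MOVED, sign_canonical(SIGNED), sign_canonical, "1"))
```

Comparing the amount against the server's own order record is what stops the altered request even where the signature scheme is ambiguous.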

Valve employee JonP thanked drbrix for the precise vulnerability report, upgraded its severity to critical, and paid the corresponding reward. Valve did not disclose whether the vulnerability was exploited before it was fixed.

drbrix received $7,500 for his work, while Microsoft typically pays more than $10,000 for similar discoveries, with a maximum reward of $200,000.

Moreover, Valve recently updated its YouTube channel with an advertisement for the Steam Deck, for the first time in eight months.
