It appears Valve has been paying “ethical hackers” for at least the last seven months to find security flaws in Steam and related platforms, but it only came to light this week because its post on HackerOne was previously private. That means that the $109,000 it has handed out has been paid over a much longer timescale than I initially suggested. The full activity page shows a list of all the payments it has made.
Valve is offering cash to hackers who can identify security flaws in Steam, and is handing out thousands of dollars to anyone who can find a potentially critical exploit.
It’s paying the rewards through HackerOne, a community of “ethical hackers” that aims to find security problems before they are exploited by criminals. Valve is handing out cash on a sliding scale, from up to $200 for a low-risk flaw to a minimum of $2,000 for a “critical” exploit. The ranges are in part determined by a flaw’s CVSS (Common Vulnerability Scoring System) score, which is a common standard.
In total, it’s paid out $109,000 since it first posted on HackerOne earlier this week.
The scheme is not exclusive to Steam, either: it covers a number of servers and websites related to Steam and Valve, including the Team Fortress 2, CS:GO and Dota 2 sites.
Bugs, glitches or gameplay exploits are not part of the programme, and there’s a lot of fine print that the flaw hunters have to follow. Still, it’s clearly paying off, with 180 reports received so far.