A security expert just saved Valve from massive lost sales due to a major bug he discovered. Valve rewarded him with $20,000 in total for not only discovering it but being the good guy. He kept the exploit to himself and didn’t, you know, share it with the world for everyone to take advantage of. Valve has Artem Moskowsky to eternally thank for preventing what could have amounted to millions in free games flooding the internet. He first shared his story with The Register in the U.K.
What he discovered
He found the bug, located inside Valve’s Steam developer portal, by sheer accident. For those who don’t know, the Steam developer portal is used by game publishers to generate free keys so outlets like us can review their games, or so they can give them away during promotions. Inside the application program interface (API), he realized it was quite simple to change some of the parameters in order to get unlimited keys for virtually any game out there, no matter whose game it was. You, of course, need to have a Steamworks developer account to even be able to generate keys in the first place.
In one example, he said he put a random number in and got about 36,000 keys for Portal 2 (they retail for about $10.00 each). Apparently that would amount to about $360,000 in lost sales to Valve.
He bypassed verification
“To exploit the vulnerability, it was necessary to make only one request,” said Moskowsky. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
After he discovered it, he reported the major bug to Valve back on August 7, and Valve went to fix it instantly. Within three days of him reporting it to Valve, they gave him a $15,000 “finder’s fee” plus $5,000 as a bonus. He has actually found 19 other bugs for Valve before, but those payouts were about a couple hundred dollars each. This one is the mother lode, though, and I hope he gets some good karma out of that (and enjoys his $20,000 payout). Bad news for those who are now finding out about it (and maybe wanted to take advantage), but good news for Valve’s bottom line.
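Moskowsky's description fits a common class of flaw, where the ownership check and the action are driven by different request parameters. The sketch below is an added illustration, not Valve's code: the handler names, the parameter names (`owned_app_id`, `app_id`, `count`), the app IDs and the per-request cap are all assumptions, since the article does not describe the real API.

```python
import secrets

# Constructed sample data: app ID -> developer account that owns it.
APP_OWNERS = {1001: "publisher_a", 1002: "publisher_b"}
MAX_KEYS_PER_REQUEST = 50  # assumed cap, not a real Steamworks limit


class Forbidden(Exception):
    """Raised when the caller is not authorised for the request."""


def _generate(app_id, count):
    # Stand-in for real key generation.
    return [f"{app_id}-{secrets.token_hex(8)}" for _ in range(count)]


def issue_keys_vulnerable(session_account, params):
    # Ownership is verified for one client-supplied ID ...
    if APP_OWNERS.get(params["owned_app_id"]) != session_account:
        raise Forbidden("caller does not own this app")
    # ... but keys are minted for a second ID that is never checked,
    # and the requested count is unbounded.
    return _generate(params["app_id"], params["count"])


def issue_keys_hardened(session_account, params):
    app_id, count = params["app_id"], params["count"]
    if not isinstance(app_id, int) or not isinstance(count, int):
        raise ValueError("app_id and count must be integers")
    # Authorise the exact object being acted on, using only server-side
    # state: the authenticated session and the ownership table.
    if APP_OWNERS.get(app_id) != session_account:
        raise Forbidden("caller does not own this app")
    # Bound the batch size so one request cannot drain keys in bulk.
    if not 1 <= count <= MAX_KEYS_PER_REQUEST:
        raise ValueError("count outside allowed range")
    return _generate(app_id, count)
```

The hardened handler ignores any client-supplied "already verified" value and checks ownership of the same ID it generates keys for, which is the property the vulnerable version lacks.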