Valve has gotten in on the exploit-hunting trend, according to recent public releases of documentation from HackerOne, a community of white-hat hackers who engage in vulnerability coordination and bug bounty programs. According to the statistics on Valve’s HackerOne page, $109,600 has been paid out in bounty rewards to individuals who are able to find and document loopholes, vulnerabilities and bugs in Steam services and Valve titles.
Within that $109,600, the average bounty ranges from $350 – $500, with top bounties reaching the $950 – $3,000 range. The scope of the project is listed as:
- steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below
- Steam Client for Windows, Mac and Linux
- Steam command line utility (SteamCMD)
- Steamworks SDK
- Steam mobile app on iOS and Android
- Steam Servers
- Valve game titles
- Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers
If any of this sounds confusing or concerning to you, don’t worry. Plenty of companies enlist the services of hackers to help them find vulnerabilities in their systems; the best way to fight fire is with fire, after all. Google has been paying out bounty rewards since 2010, totaling $12 million since the program’s inception and $2.9 million last year alone. Seeing Valve use ethical hackers to help improve its security is actually pretty good news.
Essentially, domains within the scope of the project are assigned a priority value, and hackers research vulnerabilities or possible breach routes, receiving rewards based on the priority value of the domain and the severity of the vulnerability.
If you happen to be an individual with penetration testing experience who wants some extra cash, you can head on over to Valve’s HackerOne page to check out the rewards. You can also take a look at recent activity and reports as they happen on Valve’s hacker activity page.