More tech companies are employing a bug bounty program.
Valve has paid a hacker $20,000 after he reported a bug that let him generate unlimited game codes in Steam. The bug, which was accessed via the developer portal of the online marketplace, was reported in early August by security researcher Artem Moskowsky. Valve fixed the exploit not long after.
"To exploit the vulnerability, it was necessary to make only one request," Moskowsky told The Register. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys."
One particular experiment resulted in 36,000 codes for Portal 2, according to Moskowsky. Rather than going public with the exploit, he reported it to Valve and was rewarded with a $15,000 bounty, plus a $5,000 bonus.
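The class of flaw Moskowsky describes, an ownership check applied to one request parameter while the keys are fetched by another, can be modelled in a few lines, next to a handler that closes the gap. This is an added example and not Valve's code: the endpoint shape, the parameter names (`app_id`, `keyset_id`, `count`), the accounts, the keys and the per-request cap are all constructed assumptions.

```python
# Constructed model of a key-request endpoint. All names and data are hypothetical.
OWNERS = {"partner_a": {100}, "partner_b": {200}}   # account -> owned app IDs
KEY_POOL = {100: ["A-1", "A-2", "A-3"], 200: ["B-1", "B-2", "B-3"]}
MAX_KEYS_PER_REQUEST = 2                            # assumed per-request cap


class Forbidden(Exception):
    """Raised when a request fails validation or authorization."""


def request_keys_flawed(user, params):
    # Ownership is verified against one parameter...
    if int(params["app_id"]) not in OWNERS.get(user, set()):
        raise Forbidden("caller does not own app_id")
    # ...but keys are looked up by a second parameter that was never checked,
    # and the requested count is unbounded.
    return KEY_POOL[int(params["keyset_id"])][: int(params["count"])]


def request_keys_hardened(user, params):
    # Accept only the expected parameters, so no second identifier exists.
    if set(params) != {"app_id", "count"}:
        raise Forbidden("unexpected or missing parameters")
    try:
        app_id, count = int(params["app_id"]), int(params["count"])
    except (TypeError, ValueError):
        raise Forbidden("malformed parameters")
    # The identifier that is authorized is the one used for the lookup.
    if app_id not in OWNERS.get(user, set()):
        raise Forbidden("caller does not own app_id")
    if not 1 <= count <= MAX_KEYS_PER_REQUEST:
        raise Forbidden("count outside allowed range")
    return KEY_POOL[app_id][:count]


def is_rejected(handler, user, params):
    """Return True if the handler refuses the request."""
    try:
        handler(user, params)
    except Forbidden:
        return True
    return False
```

The fix is structural rather than a filter: the hardened handler authorizes and looks up with the same value, so there is no second identifier left to tamper with.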
Moskowsky makes a living as a security researcher, a sort of digital bounty hunter who searches for weaknesses in software and reports them for a cash reward. Lots of big tech companies like Microsoft and AT&T employ programs that reward white hat hackers for discovering exploitable gaps in their code. In this age of cyber attacks and data breaches, offering payment to hackers who can help bolster security is all but necessary.
Moskowsky’s $20,000 bounty is sizable, but it’s not even his most lucrative payday from Valve this year; in July he received a $25,000 reward for reporting an SQL injection bug in Steam. SQL injection attacks manipulate the database queries a website runs, mainly to retrieve data that was never meant to be displayed.
Valve’s bug hunter program outlines the scope of its efforts to keep hackers on its side. Rewards for reporting bugs in Valve-owned websites and software vary based on the severity, nature, and platform of the exploit. This bounty system is a smart way to help keep code secure without actually employing more engineers. The benefit for companies is twofold: their data is more secure, and there are fewer hackers actively working against them. Do you have any coding or hacking chops? If so, there just may be a payday waiting for you in the next line of code.