Valve Rewards Bug Hunter 20k for Finding a Game Duplication Bug

A lot of tech companies have things called “Bug Bounties” – basically, a reward system for white-hat hackers and other techie folks who can report problems and bugs in software and get a cash reward. For smaller bugs, you can get something like $100, but if you happen to stumble upon a huge vulnerability – or, worse, a bug that can cost a company money – you can earn five-digit bank with an hour’s worth of work. And recently, Valve paid a man named Artem Moskowsky 20,000 big ones when he discovered a flaw that could allow him to reproduce game keys limitlessly.

"Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access,"

That might not make a lot of sense, so here’s the simple version: on Steam developer’s site, it was possible for him to create 30,000 Portal 2 keys, a game which he should have the right to produce keys for, given as he has no formal or informal relationship with it. He was able to find out what caused the problem and reproduce it reliably and decided to do the ethical thing and report it.

Which earned him $20,000.

A good but also a smart thing to do as well. He probably could have earned a few hundred bucks selling these duplicate keys, but it would only be a matter of time before Valve discovered the vulnerability and fixed it themselves, so in a way, this was both the moral and the economically smart thing to do.

In any case, it is possible that someone knew about this and took advantage of it for a time. And in that case, they’re about to have a very unwelcome surprise when they try to do it again.