Valve Is Paying Hackers Thousands to Test Security

Valve is offering up huge rewards for hackers who can successfully point out flaws in the company's security measures in place for Steam and other Valve-owned properties.

Over on the HackerOne board, Valve has all of the payouts listed for tech-savvy people who can successfully come forward with reports of vulnerabilities in Valve's various features. The post shared the company's security philosophy, part of which is seen below, before diving into how much they'll be paying hackers who take up the bounties.

"Valve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.

"Security includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer."

The amounts that Valve is willing to dish out for the various bounties differ depending on what score the problems are given through the Common Vulnerability Scoring System (CVSS). Less serious problems can earn hackers up to $200 while the problems that rank in the "Critical" tier with a CVSS score of 9-10 will earn a minimum of $1,500. The ranks between those have various minimums and maximums as well that could lead up to thousands more in bounties paid. Many of the bounties that are currently listed in the post are categorized in the higher-tiered "Critical" level as well, so there's a good chance to earn big if you know what you're doing, especially since Valve's already paid out thousands in the past.

According to Valve's rules for the bounty incentives and the guidelines for the project, Valve's also only looking for hackers to target certain areas, with out-of-scope software and features ineligible for rewards. As part of the guidelines for what Valve is looking for, the full scope of all the company's properties that are up for being hacked can be seen below:

  • com,,,,,, and sub-domains, excluding domains explicitly removed in the scope section below
  • Steam Client for Windows, Mac and Linux
  • Steam command line utility (SteamCMD)
  • SteamOS
  • Steamworks SDK
  • Steam mobile app on iOS and Android
  • Steam Servers
  • Valve game titles
  • Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers

The full guidelines can be seen through the HackerOne board.