As you may be aware, many online companies offer bug bounty programs to people known as white hat hackers. The basic premise of this is that although they do their own in-house security testing (or at least they should), it’s often far more cost-effective and successful to simply open to the doors to regular people out there with the trade-off that if they do find a serious problem, a payout will be issued. – Well, following a report via Eurogamer, it would appear that Valve has just paid one such person a pretty substantial $7,500 reward for finding a confirmed glitch within Steam that could’ve potentially allowed people to fill up their ‘wallets’ with seemingly unlimited amounts of currency.
Spotted by a user known as “drbrix” back in August last year they submitted a ‘bug bounty’ claim to Valve, claiming that they’d found a means of adding practically unlimited funds to a Steam Wallet by simply utilising a bug within the email system. Now, admittedly, it’s a little more complicated than that, but the short version is that it was proposed that people with “amount100” in their Steam account email address could successfully intercept payments made to the associated wallet (made via Smart2Pay) and then artificially inflate them. – With this, it would be possible to basically add 10 dollars worth of credit and fiddle the numbers to change this to $1,000.
Upon the report, Valve investigated the matter themselves and confirmed that this exploit did indeed exist. It has, therefore, since been fixed. Therefore, to reward “drbrix” for their efforts, they have just cut them a cheque for $7,500. Not without a bit of controversy from the community, though.
The key factor in the controversy here is that if “drbrix” had made the glitch a matter of public knowledge, rather than reporting it as they did, this could’ve potentially cost Valve hundreds and thousands of dollars before they found a means of fixing it. Let alone discovering what was happening in the first place. – As such, many within both the gaming and ‘white hat hacking’ community are questioning whether $7,500 was really a payment sufficient to reward the merits of the discovery.
Microsoft, for example, regularly issues huge (often 6 figure) payouts for people who discover problems with their software/hardware. While this is, of course, based on the severity of the exploit, the bottom line here is that if “drbrix” was a significantly less ethical person, this bug in the Steam Wallet payment system could’ve cost Valve a colossal amount of money that it may have taken them years to detect.
So, I guess it boils down to a matter of opinion, but in a nutshell, many think the $7,500 payment was a bit stingy of Valve. – But what do you think? – Let us know in the comments!