Valve Rewards Researcher £20,000 for Discovering Unlimited Free Game Bug

Valve has rewarded Artem Moskowsky $20,000 for discovering a bug which allowed the security researcher to generate thousands of free codes for any game on the platform, a bug which was exploitable by changing a single parameter. 

Using this bug, the researcher was able to generate and receive 36,000 keys for Portal 2, though the exploit could be used to access games from other developers. Moskowsky contacted Valve after uncovering the bug on August 7th, with Valve fixing the bug a few weeks ago, allowing information about the issue to go public. 

Because Moskowsky contacted Valve privately, he was given $15,000 through Valve’s bug bounty program, for discovering the bug, and an additional $5,000 for remaining quiet about the issue until it was addressed. In the past, the same researcher received $25,000 from Valve for discovering an SQL injection bug on the platform. 

     To exploit the vulnerability, it was necessary to make only one request, I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.

  

You can join the discussion on Valve’s unlimited free game bug on the OC3D Forums.