In a bizarre twist of fate, instead of calling the police on hackers, getting the FBI to hound them down, or attempting to sic lawyers after computer whizzes trying to find some new way to crack software, Valve is actually paying people to hack Steam.
Yes, you read that right. According to HackerOne, Valve is actually paying hackers to hack Steam. The goal is to help improve the overall security features and usability of Steam, and therefore Valve is running a HackerOne bounty program to reward hackers, crackers, breakers, and slicers with an opportunity to earn some extra cash by finding password problems, login issues, exploits, potential fraud, or technical issues that can be abused.
The bounty program has a tier of rewards, including a CVSS score based on low, medium, high and critical issues that are weighed on a minimum/maximum score card. At the very minimum you’ll earn $0 for just reporting a low security flaw, but the upside is that if it’s a low security flaw deemed worthy of immediate attention it can also warrant a maximum payout of $200.
Medium issues are worth a lot more, starting at a bare minimum of $250 if the CVSS is between 4.0 and 6.9. At the upper end of the medium issues you’ll be paid a maximum of $1,000, which is pretty impressive.
On the high-end of the score, things get really interesting. Security issues that tally up between a 7.0 and 8.9 on the CVSS scale will net you a minimum of $500 and well over $2,000 at the top end of the bracket.
What’s interesting is that the final entry, the critical issues ranked between a CVSS of 9.0 and 10.0 start at $1,500 but there’s no cap on the maximum payout, meaning that it could be very lucrative if someone managed to find a very dangerous security flaw in the Steam client.
Valve is centering the exploit bounty hunt around both the Steam client and Valve’s own in-house published games such as Half-Life, Team Fortress and Portal. The bounty program will cover the Steam client, the Steam community portals, the Steam game store, Valve’s software page, [Counter-Strike’s] web portal, the DOTA 2 web portal, the Team Fortress website, and the various sub-domains.
Additionally, if you can find flaws in the client for Windows, Mac and Linux, the command line utility, SteamOS, the Steamworks SDK, the mobile SDK, the dedicated Steam servers, or the multiplayer community aspect of Valve’s games, those issues will all carry rewards with them as well.
Keep in mind that if you come across exploits or bugs outside the listed scope of the current bounty program, you will not be rewarded for finding and discovering said bugs.
Just because Valve wants hackers to crack and break and pry open its software does not mean the company is giving carte blanche to DDOS the Steam servers, nor does the company condone spamming, social engineering or any physical terrorist attacks against the Valve headquarters or the data centers. It’s all software related.
All of the major bounties are classified as critical, so if you can find and report any software bugs, you’ll be able to make some decent coin for your efforts.