Valve is offering big rewards to hackers who find flaws across Linux, Mac and Windows and are eager to challenge the security measures already in place for Steam and other Valve-owned properties.
The post is currently on the HackerOne board, where Valve also lists all of the payouts for tech-savvy people who come forward with reports of vulnerabilities, bugs and issues in Valve’s various features.
The post shares the company’s security philosophy, part of which is seen below, before diving into how much Valve is ready to pay hackers who take up the bounties.
“Valve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.
“Security includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.
“Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.”
Valve is ready to reward researchers for identifying potential vulnerabilities. Those interested should review the guidelines, which detail the rules of the bug bounty program. Only research that follows these guidelines will be eligible for a bounty.
For valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score.
| Min/Max | Critical (CVSS 9.0 – 10.0) | High (CVSS 7.0 – 8.9) | Medium (CVSS 4.0 – 6.9) | Low (CVSS 0.0 – 3.9) |
|---|---|---|---|---|
Scope of security (Linux, Mac, Windows)
The current scope is limited to the domains and pieces of software listed here:
- steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below
- Steam Client for Windows, Mac and Linux
- Steam command line utility (SteamCMD)
- Steamworks SDK
- Steam mobile app on iOS and Android
- Steam Servers
- Valve game titles
- Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers
Valve is keen to point out that game bugs, glitches or gameplay exploits are not part of the bug bounty program, although they can still be submitted via the Support site.
This is a very viable means of challenging the community, since it is quite often some irate group that initiates DDoS attacks.
Just because Valve wants hackers to crack, break and pry open its software does not mean the company is giving carte blanche to DDoS the Steam servers. It also does not condone spamming, social engineering or any physical terrorist attacks on Valve headquarters or the data centers. It’s all software related.
All of the major bounties are classified as critical. So if you can find and report any software bugs, you’ll be able to make some decent coin for your efforts.