scroll down

Valve To Offer Bounties For Reporting Critical Steam Bugs

Valve is constantly trying to improve the Steam users’ experience by introducing new policies and getting rid of bugs, however, there is so much Valve can do on its own and that is why the company has announced that it will offer bounties to hackers who report critical Steam bugs.

According to Steam, those who report bugs or flaws for Steam, SteamOS, Steamworks SDK, Steam mobile app, Steam Servers, Valve game titles and “Multiplayer and in-game economy aspects of Valve game” and more will be offered rewards. Here is the full list:

  • steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below
  • Steam Client for Windows, Mac and Linux
  • Steam command line utility (SteamCMD)
  • SteamOS
  • Steamworks SDK
  • Steam mobile app on iOS and Android
  • Steam Servers
  • Valve game titles
  • Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers

Valve will be offering the bounties for reporting critical Steam bugs through its HackerOne board. The rewards will depend on the nature of the bug or security flaw.

Valve will reward $0-$200 for those bugs that have a low risk, as for the high-risk bugs or security flaws, the company will reward up to $2,000 or more. Also, since the bounty program has started, the company has paid out over $100,000 in rewards for reporting flaws.

This is not an uncommon practice in the industry as earlier this year Microsoft announced that it would pay Up To $250,000 in rewards for reporting exploits related to Spectre and this program will continue till December 31.

However, the reward that you might earn will be based on the Tier of the Bug or exploit. Tier 1 includes speculative execution attacks and reporting these will net you $250,000.

Tier 2 includes Azure speculative execution mitigation bypass and Tier 3 represents Windows speculative execution mitigation bypass both of these can earn you up to $200,000.

Source: HackerOne