The person who reported the bug was rewarded with $20k USD
A cybersecurity researcher discovered and reported a bug on Steam that allowed people to download any game available on the digital platform without paying for it, as reported by digital forensics experts from the International Institute of Cyber Security.
Cybersecurity researcher Artem Moskowsky was responsible for finding this flaw, which allowed anyone to generate license keys to access material available only by purchasing a license.
Digital forensics specialists estimate that there are millions of people who use Steam to buy and download games.
Mr. Moskowsky informed Valve, owners of Steam, receiving $20k USD in return, thanks to the company’s vulnerability bounty program.
This type of program allows companies to reward cybersecurity and digital forensics experts who make the security issues known directly to companies so they can be repaid, rather than disclosing the information online.
Moskowsky claims that he discovered the issue in a circumstantial way while browsing the Steam Partners’ portal.
This portal allows game developers to generate license keys for their software, allowing them to deliver a copy to their fans or experts on the subject for testing before being available to the public.
The expert discovered that by modifying the request, anyone was allowed to generate thousands of codes for any game they want. In theory, this could be sold on any black market forum online.
“I managed to overlook the ownership verification of the game by changing only one parameter,” reports the expert.
Valve granted him $15k USD for discovering the error, plus a bonus of $5k USD for informing the company privately about the error. The flaw was corrected shortly after the company received the report.
The company also mentioned that, after an investigation into its records, it has found no evidence that the bug has been exploited in a real-world scenario.