The researcher submitted the report via HackerOne in August.
Bug bounty hunting is a common method of weeding out bugs across the tech industry. It is not uncommon for Microsoft and Apple to pay bounty hunters hundreds of thousands of dollars for finding a bug their own teams missed, depending on the severity of the issue. Such a case has just come to light: a bug in the Steam platform has been patched with the help of a researcher.
As reported by NME and first featured on The Daily Swig, the researcher, who goes by “drbrix”, filed the report on HackerOne, a platform where vulnerabilities such as this are regularly reported and triaged. There, a Valve representative saw how detailed the report was and how critical the issue was to the website’s operation, and fast-tracked it.
The bug reportedly required setting a Steam account’s email address to a string containing “amount100”. With that in place, a Smart2Pay payment request could be intercepted and modified so that the attacker’s Steam wallet was credited with more balance than was actually paid, potentially costing Steam thousands of dollars.
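To make the class of bug concrete, here is an added example; it is not code from Valve, Steam or Smart2Pay, and the article does not describe the exact parsing that the “amount100” email exploited, so the example models the general failure it describes: a wallet top-up callback that trusts an amount relayed through the buyer’s browser. Beside it is a hardened handler that verifies a provider signature over the whole payload, cross-checks the amount against the server-side order record, and refuses to credit the same order twice. The shared secret, field names and order data are assumed and constructed for the demo.

```python
import hashlib
import hmac

# Hypothetical shared secret between the wallet service and the payment provider.
# Assumed for this example only; not a real credential.
PROVIDER_SECRET = b"example-shared-secret"

# Constructed server-side record of what each order was actually sold for (in cents).
ORDERS = {"order-1": 100}


def vulnerable_credit(balances, params):
    """Vulnerable: trusts the 'amount' field exactly as it arrives in the
    payment notification. Because the notification is relayed through the
    buyer's browser, the buyer can rewrite it before it reaches the server."""
    user = params["user"]
    balances[user] = balances.get(user, 0) + int(params["amount"])
    return balances[user]


def sign(params, secret=PROVIDER_SECRET):
    """Provider-side HMAC over a canonical form of every field except 'sig'."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def hardened_credit(balances, orders, credited, params):
    """Hardened: verify the provider's signature, cross-check the relayed amount
    against the server-side order, and credit each order only once."""
    if not hmac.compare_digest(sign(params), params.get("sig", "")):
        raise ValueError("signature mismatch: notification tampered with or forged")
    order_id = params["order_id"]
    if order_id not in orders:
        raise ValueError("unknown order")
    if int(params["amount"]) != orders[order_id]:
        raise ValueError("amount does not match what the order was sold for")
    if order_id in credited:
        raise ValueError("order already credited (replay)")
    credited.add(order_id)
    user = params["user"]
    # Credit the server-side figure, never the relayed one.
    balances[user] = balances.get(user, 0) + orders[order_id]
    return balances[user]


def demo():
    """Replay a legitimate 100-cent notification, then the same notification
    with the amount rewritten to 100000 cents, against both handlers."""
    legit = {"user": "buyer", "order_id": "order-1", "amount": "100"}
    legit["sig"] = sign(legit)                # what the provider would emit
    tampered = dict(legit, amount="100000")   # buyer rewrote the amount in transit

    vuln_balances = {}
    vulnerable_credit(vuln_balances, tampered)  # credits 100000 for a 100-cent payment

    hard_balances, credited = {}, set()
    hardened_credit(hard_balances, dict(ORDERS), credited, legit)  # accepted: 100
    try:
        hardened_credit(hard_balances, dict(ORDERS), credited, tampered)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    try:
        hardened_credit(hard_balances, dict(ORDERS), credited, legit)  # replay
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "vulnerable_balance": vuln_balances["buyer"],
        "hardened_balance": hard_balances["buyer"],
        "tampered_rejected": tampered_rejected,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The signature alone is not enough in practice: if the provider signs only some fields, or the merchant reconstructs the signed string from user-controlled data such as an email address, an attacker can still smuggle values into the canonical form. That is why the hardened handler also compares the amount against its own order record rather than trusting anything the notification carries.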
It should be noted that the payout the researcher received is seen as low by many online commentators, given that, had the exploit leaked or had drbrix not reported it, an attacker could easily have made far more than the compensation paid. Valve employees even said in the thread:
“Thank you for this report. This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly. We hope to hear more from you in the future.”
Thus, the company has been called a little stingy, but judging by the comments, the researcher seemed satisfied with the bounty.