https://www.gamesindustry.biz/artic...for-discovering-unlimited-free-game-codes-bug
Mod Edit:
https://hackerone.com/reports/391217
Last edited by a moderator:
-
Ever wanted an RSS feed of all your favorite gaming news sites? Go check out our new Gaming Headlines feed! Read more about it here.
-
We have made minor adjustments to how the search bar works on ResetEra. You can read about the changes here.
Valve rewards man $20,000 for discovering bug that gave access to previously generated keys.
- Thread starter deadasdisco
- Start date
https://www.gamesindustry.biz/artic...for-discovering-unlimited-free-game-codes-bug
Mod Edit:
https://hackerone.com/reports/391217
Yeah google pays around the same.
Mods should change the title to make it more accurate as the bug didn't give you new codes. Only ones that were premade generated, so a good chance all of those keys were already redeemed.
Yeah, it's on the higher end but not unreasonable (especially considering how much money exploiting this bug could have made).
How can you spend 20k on Steam sales when you already own every single game on Steam?
Impressive that he was able to find such a bug. It's amazing how talented some people are with this stuff.
The article says he previously received $25,000 as well for another thing related to this . I wonder if he does this sort of thing often.
Since codes are actually generated when needed, this is quite the huge difference (basically the difference between being able to reading from a database, and being able to write to it: think of the difference that would make if it was your bank account).
Yeah, but he probably would've been caught eventually. That's fraud.
It look them 3 months to acknowledge this bug, I don't think Valve gives a shit.
I was under the impression that Valve acknowledged and fixed it within a couple of weeks, but asked him to not talk about it publicly for 3 months. Pretty sure Valve do give a shit.
20k is also not bad for a bug bounty. Chrome bounties vary between $1-15k for instance
I imagine setting up a store to sell stolen keys is quite a hassle, and partnering up with an existing store would cut into profits. Then you'd probably have to limit how much you sell to fly under the radar and even then someone would probably figure out what's going on and fix it plus get your ass sued.
I'd have taken the bounty too, to be honest.
Yep.
I'd have taken the bounty too, to be honest.
Yep.
From the actual bug report.
https://hackerone.com/reports/391217
Yup, one is a multi-million dollar problem, one is a lot less expensive.
That user is probably referencing the choice between 20K and trying to use his findings maliciously in a non-testing/research environment. Maybe in response to people saying the 20K is too low. IDk
What the fuck prompted you to say such a thing? I mean, nothing says "this guy is an idiot" like "finding a vulnerability that nobody else figured out in the biggest PC game portal, and getting paid five digits for it", right? :P
Edit: Correction, two vulnerabilities:
He sounds like a non-criminal, intelligent person. And frankly, even a smart criminal would have taken the bug bounty.
I've seen a lot of dumb stuff on this forum, but labeling an obviously intelligent guy an idiot just because he chose to be a white hat hacker instead of a criminal is definitely one of the worst.