Reddit users discover that Valve pays rewards for reporting bugs

A post on Reddit to the Steam subreddit has grown in popularity, praising Valve for a generous reward for a user reporting a bug. The post is titled “In 2015, Steam accidentally gave a guy $4,000 in free games.” The post tells the story of a Steam user who found a bug that allowed them to keep their games after refunding, essentially allowing them to purchase games for free. When the user reported the bug, Steam “thanked him for his honesty” and allowed them to keep the games. This sounds like a nice thing for Steam to do, and it is, but there’s more to the story.

Steam will reward players for reporting bugs, with scaling rewards based on severity

The top comment on this post shared a useful link that gives important context to the story. The link leads to Valve’s page with the company HackerOne, a company that specializes in cyber security by using “ethical hackers” to continually assess a company’s security, allowing them to fix problems that more malicious attacks might try to exploit. So, while the story might seem like Valve simply decided to reward an honest user, it’s actually something that happens fairly regularly. According to the HackerOne site, the reward for finding a flaw with Valve’s platforms falls into four categories: Low, Medium, High, and Critical. Submitting a low severity bug can amount to $100 to $200, while the report of a critical bug could reward the hacker with anywhere between $2,500 and $7,500. According to HackerOne, since Valve signed up with the company in 2018, they have paid out over two million dollars in bounties for found bugs.

Before you start thinking about how you need to get into the ethical hacker business, it’s important to note that not all submissions are rewarded. Valve will have to determine the validity of the bug, as well as what a successful submission is worth. For example, only 13.96% of submissions for critical bugs appear to have been accepted, and the average bounty (or reward) for those submissions is about $750, much lower than the suggested range.

So, while it is exciting to think that Valve might be a benevolent company that is thankful to its honest users, it is also mostly looking out for itself. A reported bug is one that they can fix and hopefully prevent other users from exploiting. Letting a user keep thousands of dollars in free games is the tiniest drop in the bucket for Valve, especially considering this person could have instead spread this information around to other users, letting them attempt the bug as well.

Reddit users commented on the post, some understanding the use of ethical hackers, others celebrating Valve such as a comment that simply stated: “Common Valve W” and saying that this move was “Dirt Cheap PR” for Valve. Many users also question why Valve would punish this user at all since they reported the bug and didn’t intentionally cause the issue. The original poster, and some other users, would not have been surprised if Valve decided to take back all the effected games, leaving the user with nothing in return for the report.

Some information was shared about the alleged Steam user in question, with key details pointed out that they own thirty-seven thousand games and twenty thousand DLCs but spend 76% of their time playing games in Dota 2. Clearly this person is a big fan of Valve.

Dota 2

July 9, 2013

Rate It!

• Overview
• Guide

• Steam
• Valve
• Reddit