
Valve paid a hacker $20,000 for finding a bug that generated free Steam keys

A professional bug hunter reported a Steam bug that let anyone generate free Steam keys and got paid handsomely


Valve has paid a hacker a total of $20,000 for reporting a bug that allowed anyone to generate thousands of Steam keys for free. The bug no longer exists, obviously. Sorry, you cannot use it to get a load of free PC games, you little scamp.

You might question why anyone would report such a bug – surely they could make loads of money from selling those keys, an absolute fortune in fact? It’s true, but hunting Steam bugs and reporting them to Valve is what Artem Moskowsky likes to do. He calls himself a professional “bug hunter” and he’s very good at what he does.

As Kotaku reports, and as filed on the bug hunting site HackerOne, the bug that Moskowsky found was in Steam’s developer tools. Part of these tools allows game makers to generate as many Steam keys for their games as they need. However, anyone who knew of the bug and had access to those tools was able to generate thousands of Steam keys for any game.

Moskowsky explained to The Register how easy this was to do once the bug was discovered. “I managed to bypass the verification of ownership of the game by changing only one parameter,” he said. “After that, I could enter any ID into another parameter and get any set of keys.”

Doing this, at one point Moskowsky was able to generate 36,000 Steam keys for Portal 2. Rather than exploit this further, Moskowsky reported the bug privately to Valve in August; the company investigated and promptly fixed it, only making the bug’s existence public on October 31.

Surprisingly, this isn’t the biggest payout for a Steam bug that Moskowsky has had. In July of this year he received $25,000 from Valve for reporting a SQL injection bug. It makes sense that he would report the Steam key bug after this and get the money rather than risk being sued by Valve if he continued to exploit it and the developer found out.