If you discovered a bug that just showed you game keys for games you don’t own, what would you do? Would you give in to darker impulses and hoard it for yourself? Or go further and sell the information to the highest bidder? Or tell the company in charge that they have a massive vulnerability? In Artem Moskowsky’s case, he chose the last option, and was pretty handsomely rewarded for it.
When testing a web application on Steam’s developer site, Moskowsky discovered that a bug surfaced over 30,000 Portal 2 keys, a game with which he had zero involvement. It makes sense for a developer to be able to generate their own keys on Steam, but despite not being Valve, Moskowsky was able to see a number of keys for Valve’s last big single-player game.
Upon closer inspection, he discovered that the codes being shown to him weren’t new, but were already pre-generated codes. Somebody may have used any given code or they might not have, but it was definitely information he was not supposed to have and the bug was seemingly reproducible.
Moskowsky reported the bug to Valve and explained exactly how he did it.
“Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access,” he wrote using Valve’s official vulnerability report tools.
A few days later, Valve got in contact with Moskowsky and awarded him a $20,000 prize for finding the vulnerability. Valve utilizes cash bounties through a HackerOne initiative to encourage people who find cracks in the seal to report it to them instead of disseminating the information in less scrupulous parts of the internet. Moskowsky knew this quite well – he had received $25,000 through the same initiative just a month before.