Valve gives $20k as reward for man who found exploit that generated infinite Steam keys
Security is highly important for any company, especially Valve, which runs the largest PC gaming storefront: Steam. This of course means that it's up to the team at Valve to make sure everything is secure and safe as can be, for both its customers and itself. Sometimes, though, that's just not enough, which is when freelance system researchers come in, to see if there's any bugs or exploits that they can get through. Enter Artem Moskowsky, a system researcher who had figured out a way to generate unlimited Steam game keys for himself. All this required was for any user with a Steam developer account to make a slight change to a single parameter, which then allowed him to request any number of copies of any game hosted on Steam. Attempting to test if this actually would work, he made a request for 36,000 keys for Portal 2, which he received instantly through the exploit. Moskowsky immediately reported the bug to Valve's team, which was then quickly fixed from ever happening again. Valve awarded him a bounty of $15,000 dollars for finding this massive bug, along with a $5,000 bonus on top of it. This marks the second time that Moskowsky has helped Valve fix a major error within their system, in which he also was rewarded $25,000 for finding an issue that allowed SQL data to be easily read earlier this year.
Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access. Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.
Source