Similar to companies like Nintendo and Facebook, Valve has started a new bounty system that seeks to bring in people from the outside, hackers essentially, and pay them to find vulnerabilities in the name of fixing them.
These kinds of bounty programs target what are known as “white hat” hackers – people with plenty of technical skill, but who use those skills with the intent to help repair vulnerabilities rather than exploit them. Now, using the Common Vulnerability Scoring System, Valve has a set of tiers that will reward hackers based on the severity of the exploits they find.
Bugs that score low on that scale will net a hacker around $200, but as the severity rating rises the reward can quickly go up to over $1,500 to $2,000 for a single issue, with no maximum. There are limitations to what hackers are allowed to do in pursuit of exploits, however. If a hacker does things like employing DDoS or phishing techniques to find issues, Valve won’t pay out.
Two years ago, as Kotaku’s Nathan Grayson points out, a hacker found a way to upload and list a game on Steam and bypass approval. Valve sent little more than a thank you at the time, so it’s nice to see a new system in place to get people paid.