Valve has rewarded a security researcher $7500 after they reported a bug allowing players to add unlimited credits to their steam wallets. This was spotted by The Daily Swig who noticed that a researcher named “drbix” reported the exploit on HackerOne.
They stated that the exploit “allows attackers to generate steam wallet balance”. This bug allowed players with “account100” in their email address to intercept payments made via Smart2Pay and then inflate them artifically.
Valve promptly fixed the issue and thanked drbix for his work. They then invited him to attempt the exploit again to see if it was still possible after they had triaged the issue and found it had been fixed.
Drbix was awarded $5700, the equivalent of around £5400, for discovering the issue and upgraded the severity of the issue medium severity to critical.