Valve has always had a habit of turning to the community for help, whether its for creating mods and new content for games, or finding and removing bugs. This time around, someone managed to find a bug within Steam that could allow anyone with a developer account to generate free keys for any game on the platform.
Artem Moskowsky has helped Valve out in the past. Previously, he discovered an SQL Injection bug within Steam's developer portal. He was paid $25,000 for finding that one. This time around, Moskowsky discovered a second bug on the developer portal side of Steam, which allowed those with access to generate activation keys for any game on Steam. This was achieved by bypassing the verification of ownership of the game by changing just one parameter in the code.
This issue was of course brought to Valve's attention privately back in August and is becoming public now as a fix is already in place. As The Register points out, Moskowsky's investigation allowed him to gain access to 36,000 activation codes for Portal 2, which shows just how severe this flaw could have been if discovered by the wrong person.
For finding the bug, Moskowsky was paid $20,000 in total, $15,000 for finding the bug and an extra $5,000 for disclosing it privately.
KitGuru Says: It's a good thing that this bug was found by someone reputable. After all, if this was discovered by the wrong person, Valve would've had a big problem on its hands.