I learned today that there is a site called "HackerOne" that connects companies with people who like to hack and tinker with websites, apps, and other pieces of software. These researchers report the vulnerabilities they find to the affected company privately, and in exchange they are frequently paid a fair amount of money for the report. This is precisely what happened earlier this week when a user called Drbrix found an exploit in Valve's Steam app.
The Steam wallet exploit discovered by Drbrix would have allowed a user to add effectively unlimited funds to their own Steam wallet. Considering how much Valve stood to lose had such an exploit leaked to the public, it's fortunate that the discovery was made by someone who chose to report it. Drbrix alerted Valve to the bug on August 9th, and Valve confirmed it shortly after.
The exploit involved a user changing their account email address and then intercepting and tampering with transactions that used any Smart2Pay payment method. If you want to read about the exploit in detail, you can read the HackerOne report here. According to the report, a Valve employee identified as JonP thanked Drbrix for the find and explained that Valve had validated the bug and was taking steps to fix the issue. A follow-up message said that the report was "clearly written" and "helpful in identifying a real business risk."
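The post only says that the bug combined a changed email address with tampered payment transactions, and the public report is the place to read what actually happened. As an added illustration, and not code from the report, from Valve, from Smart2Pay, or from this post's author, the block below shows the general shape of one well-known class of payment-notification bug: the callback from the payment provider carries the amount, the merchant checks an integrity value over the callback, but the check does not bind where one field ends and the next begins, so a field the attacker controls (the account email) can be used to shift the boundary into the amount. The secret, the order store, the field names, the "email ending in digits" trick and the two handlers are all constructed for this example; they are not a description of how the Steam bug worked.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed example: shared secret between merchant and payment provider.
SECRET = b"example-merchant-secret"

# Constructed example: the merchant's own record of orders it created,
# order_id -> amount in cents. This is the server-side source of truth.
ORDERS = {"ORD-1001": 1}

FIELDS = ("order_id", "email", "amount")


def sign_weak(fields):
    """Weak: MAC over the concatenated VALUES only, no keys, no delimiters.
    The signed string does not record where one field ends and the next
    begins, so a different split of the same characters verifies too."""
    msg = "".join(fields[k] for k in FIELDS)
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def sign_canonical(fields):
    """Stronger: MAC over a canonical key=value encoding (sorted keys,
    URL-encoded values), so keys and field boundaries are authenticated."""
    msg = urlencode(sorted(fields.items()))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def credit_weak(callback):
    """Vulnerable handler: once the weak signature matches, it credits
    whatever amount the callback carries. Returns cents credited, or None."""
    fields = {k: callback[k] for k in FIELDS}
    if not hmac.compare_digest(sign_weak(fields), callback["sig"]):
        return None
    return int(callback["amount"])


def credit_hardened(callback):
    """Hardened handler: canonical signature check, then the amount is taken
    from the merchant's own order record and the callback must agree with it.
    Either defence alone would stop the tampering shown below."""
    fields = {k: callback[k] for k in FIELDS}
    if not hmac.compare_digest(sign_canonical(fields), callback["sig"]):
        return None
    expected = ORDERS.get(callback["order_id"])
    if expected is None or int(callback["amount"]) != expected:
        return None
    return expected


def provider_callback(sign):
    """What the provider sends for a genuine 1-cent payment. The attacker
    chose the account email beforehand so that it ends in digits."""
    fields = {"order_id": "ORD-1001",
              "email": "mallory@example.test100",
              "amount": "1"}
    return {**fields, "sig": sign(fields)}


def tamper(callback):
    """Attacker intercepts the callback and moves the field boundary: the
    characters are unchanged, only the split between email and amount moves.
    Concatenated values before and after are both
    'ORD-1001mallory@example.test1001'."""
    t = dict(callback)
    t["email"] = "mallory@example.test"
    t["amount"] = "1001"
    return t


if __name__ == "__main__":
    print("weak, honest    :", credit_weak(provider_callback(sign_weak)))
    print("weak, tampered  :", credit_weak(tamper(provider_callback(sign_weak))))
    print("hard, honest    :", credit_hardened(provider_callback(sign_canonical)))
    print("hard, tampered  :", credit_hardened(tamper(provider_callback(sign_canonical))))
```

Run as a script, the weak handler credits 1001 cents for a 1-cent payment, while the hardened handler credits 1 cent for the honest callback and rejects the tampered one. The second check in `credit_hardened` matters on its own: even a callback with a valid signature is only honoured if its amount matches the order the merchant itself created, which is the check that would have limited the damage regardless of how the integrity value was constructed.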
Apparently, the researchers on HackerOne have a track record for squashing exploits before they can go public. Nintendo, for example, relied on the site's researchers heavily before releasing the Switch. Valve paid Drbrix $7,500 for finding the exploit, but considering how much the company stood to lose because of it, the sum doesn't seem like all that much.
Have you ever stumbled upon an exploit or bug before? What did you do? Share with me!