Valve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.
Security includes everyone: our Steam users, our developers, third-party software developers and the security community. Working together, we can all make Steam and the Internet safer.
Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.
For valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score.
Min/Max | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
Minimum | $1,500 | $500 | $250 | $0
Maximum | - | $2,000+ | $1,000+ | $200
The current scope is limited to the domains and pieces of software listed here:
Please note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our Support site.
No authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.
When submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.
Valve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission. We reserve the right to make exceptions to this policy at our discretion.
While researching, we'd like to ask you to refrain from:
The following items are considered out-of-scope for all Valve offerings:
For CS:GO, the scope is defined more narrowly than above, explicitly stating that only the following issues are in-scope:
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Valve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.
Reports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.
Contact us if you want more information.