Valve's security philosophy

Valve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.

Security includes everyone: our Steam users, our developers, third-party software developers and the security community. Working together we can all make Steam and the Internet safer.

Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.

We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.


For valid reports, Valve will determine rewards within the following ranges, based on a number of criteria including CVSS score.

Reward   | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
Minimum  | $1,500                     | $500                  | $250                    | $0
Maximum  | -                          | $2,000+               | $1,000+                 | $200


The current scope is limited to the domains and pieces of software listed here:

  •,,,,,, and sub-domains, excluding domains explicitly removed in the scope section below
  • Steam Client for Windows, Mac and Linux
  • Steam command line utility (SteamCMD)
  • SteamOS
  • Steamworks SDK
  • Steam mobile apps on iOS and Android
  • Steam Servers
  • Valve game titles
  • Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers

Please note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our Support site.

No authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.


Valve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.

Patches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream and scheduled, but not yet applied to our software or production systems.

We welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).

Responsible Disclosure and Guidelines

When submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


Valve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.

Please note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Valve staff or contractors
  • Any physical attempts against Valve property or data centers

Scope definition

All Valve Products and Services

The following items are considered out-of-scope for all Valve offerings:

  • Hypothetical issues that do not have any practical impact.
  • Attacks that require social engineering/phishing.
  • Attacks that require physical access to the user’s device.
  • Attacks that require the ability to drop files in arbitrary locations on the user's filesystem.
  • User enumeration without any further impact.
  • Clickjacking without a well-defined security/privacy risk.
  • Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).
  • Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).
  • Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.
  • Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.
  • Host header injection without a specific proof of concept.
  • Self XSS or XSS that affects only out-of-date browsers.
  • Denial of Service Attacks.
  • Reports against Source Engine tools, e.g. Hammer, Source Filmmaker.
  • Reports that require the user to open a crafted game demo file.

Counter-Strike: Global Offensive

For CS:GO, the scope is defined more narrowly than above, explicitly stating that only the following issues are in-scope:

  • Remote Code Execution. However, the exploit must demonstrate RCE capability by launching another application, e.g. Calculator.
  • Remote crashing of vanilla dedicated servers. Crashing a dedicated server that is running no external code and not serving any third-party content (i.e., no mods, only using default game assets).
  • Exfiltration of sensitive data from CS:GO Game Coordinator.

Special Note for Valve Websites

Many Valve websites use a cookie called 'sessionid'. This is used only as an anti-CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.

The Fine Print

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Valve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.

Reports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.

FireBounty (c) 2015-2019