Next time you discover a bug in a game or a gaming application, delve a little deeper into the problem instead of posting a clip to Reddit to moan. At least that’s what one player did, and now he’s $11,450 richer.
The ethical hacker, who goes by the moniker 2Eggs, discovered three undisclosed bugs relating to Counter-Strike: Global Offensive and Steam, and reported them to Valve through HackerOne, a reporting platform that helps make the internet safer. For all his hard work, the 19-year-old from Leicester was awarded $200, $1,500, and $9,750 for bringing them to the developer’s attention.
The pentester, who has been playing around with computers since he was ten, taught himself everything and says that although he’s finally got some recognition for his work, the process is incredibly time-consuming.
“The bugs were related to Counter-Strike and Steam,” the 19-year-old tells The Loadout. “I found them through trial and error and looking into the code itself to see if Valve missed out on protecting something. Valve is notorious for pushing out updates and content without making sure that it is fully up to par.
“The report that I received $9,750 for took around 10-11 months of me bugging Valve for updates, before I fully received information on what was going on and how they were going to progress with it. Although, they still haven’t fully fixed all the issues yet, which is why I’m not disclosing the exact details of the exploit.”
Even though we don’t know the full details of what 2Eggs found, it’s safe to assume the bug was fairly problematic for the developer, given that the average bounty awarded to ethical hackers by the company is $750.
This is why you report CS:GO Bugs instead of abuse them
My man @2Eggsss got awarded a total of $11250 in bounties from Valve via HackerOne for reporting critical bugs, which have been patched and solved.
Don’t abuse, report instead. https://t.co/RGlR9a3z3p
— Haci (@DonHaci) October 8, 2019
But for 2Eggs, finding bugs isn’t always about the money. It’s about fixing a game that he loves, and allowing him to delve deeper into the world of technology.
“I do what I do because I love Valve,” 2Eggs says. “I don’t think anyone in this community would be here without Counter-Strike. I’m also at university at the moment, and things like this help me take time off educating myself when it gets boring.
“I don’t really intend on spending the money, I’m just going to pay off some bits and bobs, help my parents out, and then dump the rest into savings.”
Valve accepts bug reports for various products, including Steam services, websites, apps, servers, and games. Game bugs, glitches, and gameplay exploits are not part of the bug bounty program, but are still reportable.
In fact, Valve has awarded $233,875 to ethical hackers in the last 90 days. It’s not bad for discovering bugs on the side, but it’s a thankless job. 2Eggs has solved around 15 exploits so far – and those aren’t just limited to Valve – but you won’t ever hear about them. Some have been small, while others could have led to huge data breaches of financial details and social security numbers had it not been for his intervention.
Apart from remuneration, the only other thanks 2Eggs has received is from Pornhub, where he was given a lifetime premium membership for fixing an issue with the gift redemption function on the website. But despite being a thankless task, the impact of ethical hacking is drawing people in.
If you’re one of those people, 2Eggs has some advice for you. “If you think you have an exploit for literally any company, check to see whether they have a suitable way of reporting exploits to them,” he says. “If you can’t find anything, then try contacting them to see if there is someone you can tell, even if it’s a general helpdesk who could pass it on to someone else.
“Secondly, if you don’t really understand the concept or the ideology of pentesting or ‘whitehat hacking’, and you are interested in getting started then there are many resources that you can check out online. I self taught myself everything, so there is nothing stopping you from learning everything as well.
“Just hack responsibly, and don’t leak private information.”