[{"id":3754761,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our support site https://help.steampowered.com/. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. Please review the reward tables and scope descriptions below.\n\nThe Steam components in scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* Websites as noted on the Scope section of the program. Subdomains of listed websites are not in scope unless mentioned.\n\nFor games developed and published by Valve, if the game is in scope as noted on the Scope section of the program, then we accept reports against the following components:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nGame bugs, glitches and gameplay exploits are not in scope for the bug bounty program.\n\nNo authorization is given to test any other websites, servers, game titles, or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform privilege elevation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS, or XSS that only affects out-of-date browsers.\n* Denial of Service Attacks.\n* Broken links to third party sites.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open crafted game content: demo files, BSPs, etc., not delivered as part of the exploit.\n\nWhile researching, we'd like to ask you to refrain from:\n\n* Denial of service.\n* Spamming.\n* Social engineering (including phishing) of Valve staff or contractors.\n* Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## IDOR for unreleased applications\n\nWe take unintentional leaking of unreleased applications on Steam seriously. 
If you are reporting an insecure object reference that can leak private details about an unreleased game (name, artwork, pricing, etc.), please make sure your report includes the relevant details for appid 3717370.\n\nIf the vulnerability only exists for applications with specific configuration conditions, please carefully describe the configuration as well as the insecure reference. Severity of this type of leak will depend on the type and complexity of the required configuration as well as the scope of any potential exposure.\n\n## IDOR for profile data\n\nInsecure object references for information that Steam marks Private are in scope. For non-personally-identifying player data, severity is generally capped at Low.\n\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Valve Games: Highest priority\nFor vulnerabilities in Valve games, the following are our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. 
no mods; using only default game assets).\n\n### Valve Games: Reduced priority\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. 
We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to being received through the bug bounty program are not eligible for bounty.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-02T22:01:58.473Z"},{"id":3748532,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our support site https://help.steampowered.com/. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* Websites as noted on the Scope section of the program. Subdomains of listed websites are not in scope unless mentioned.\n\nFor games developed and published by Valve, if the game is in scope as noted on the Scope section of the program, then we accept reports against the following components:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nGame bugs, glitches and gameplay exploits are not in scope for the bug bounty program.\n\nNo authorization is given to test any other websites, servers, game titles, or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform privilege elevation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS, or XSS that only affects out-of-date browsers.\n* Denial of Service Attacks.\n* Broken links to third party sites.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open crafted game content: demo files, BSPs, etc., not delivered as part of the exploit.\n\nWhile researching, we'd like to ask you to refrain from:\n\n* Denial of service.\n* Spamming.\n* Social engineering (including phishing) of Valve staff or contractors.\n* Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. 
Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Valve Games: Highest priority\nFor vulnerabilities in Valve games, the following are our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Valve Games: Reduced priority\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to being received through the bug bounty program are not eligible for bounty.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-21T21:53:51.769Z"},{"id":3727982,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\nThis policy document applies to reports submitted on or after February 1, 2024.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in-scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* The following websites: steampowered.com, steamcommunity.com, valvesoftware.com, partner.steamgames.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below.\n\nFor games developed and published by Valve, the following components are in scope:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program.\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform privilege elevation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\nWhile researching, we'd like to ask you to refrain from:\n\n  * Denial of service.\n  * Spamming.\n  * Social engineering (including phishing) of Valve staff or contractors.\n  * Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nFor valid reports that are in scope, Valve will determine appropriate rewards.\n\nValve uses the CVSS score as a starting point in assessing severity and the reward to be paid. We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues.\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. 
We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Highest priority\n\nAmong issues relating to Valve games, the following are our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Reduced priority\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n# Rewards\nThe following reward tables are based on Valve's severity assessment, as described above.\n\n### Steam\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500+ |               $2,500 |               $750 |               $200 |\n\n### CS2, Dota2, Dota Underlords, Artifact, Half-Life: Alyx\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### Team Fortress 2, Left 4 Dead 2, Left 4 Dead\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $2,500 |               $750 |               $200 |               $100 |\n\n### All other titles\n\nWe will accept and triage reports for other Valve games. However, any title not explicitly listed in the tables above will not be eligible for bounty.\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. 
A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-28T22:15:16.303Z"},{"id":3711285,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\nThis policy document applies to reports submitted on or after February 1, 2024.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in-scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* The following websites: steampowered.com, steamcommunity.com, valvesoftware.com, partner.steamgames.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below.\n\nFor games developed and published by Valve, the following components are in scope:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program.\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform privilege elevation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\nWhile researching, we'd like to ask you to refrain from:\n\n  * Denial of service.\n  * Spamming.\n  * Social engineering (including phishing) of Valve staff or contractors.\n  * Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nFor valid reports that are in scope, Valve will determine appropriate rewards.\n\nValve uses the CVSS score as a starting point in assessing severity and the reward to be paid. We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues.\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. 
We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Highest Severity\n\nIssues of the following types are among our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Reduced Severity\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n# Rewards\nThe following reward tables are based on Valve's severity assessment, as described above.\n\n### Steam\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500+ |               $2,500 |               $750 |               $200 |\n\n### CS2, Dota2, Dota Underlords, Artifact, Half-Life: Alyx\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### Team Fortress 2, Left 4 Dead 2, Left 4 Dead\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $2,500 |               $750 |               $200 |               $100 |\n\n### All other titles\n\nWe will accept and triage reports for other Valve games. However, any title not explicitly listed in the tables above will not be eligible for bounty.\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. 
A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-22T21:46:01.824Z"},{"id":3688336,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\nThis policy document applies to reports submitted on or after May 22, 2020.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in-scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* The following websites: steampowered.com, steamcommunity.com, valvesoftware.com, partner.steamgames.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below.\n\nFor games developed and published by Valve, the following components are in scope:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program.\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nEffective 6/14/2023 10 AM PDT, CS:GO is out-of-scope for new reports. Reports for CS2 Limited Test are currently out-of-scope.\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform privilege elevation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\nWhile researching, we'd like to ask you to refrain from:\n\n  * Denial of service.\n  * Spamming.\n  * Social engineering (including phishing) of Valve staff or contractors.\n  * Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nFor valid reports that are in scope, Valve will determine appropriate rewards.\n\nValve uses the CVSS score as a starting point in assessing severity and the reward to be paid. We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues.\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. 
We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Highest Severity\n\nIssues of the following types are among our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Reduced Severity\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n# Rewards\nThe following reward tables are based on Valve's severity assessment, as described above.\n\n### Steam\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### CS:GO, Dota2, Team Fortress 2, Dota Underlords, Artifact, Half-Life: Alyx\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### Left 4 Dead 2, Left 4 Dead\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $2,500 |               $750 |               $200 |               $100 |\n\n### Portal 2, Portal, Counter-Strike: Source, Half-Life 2 titles\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $1200 |               $500 |               $200 |               $100 |\n\n### Legacy Titles\nOther titles including all titles using the GoldSrc 
engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat.\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $750 |               $400 |               $200 |               $100 |\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-31T00:46:24.656Z"},{"id":3646097,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\nThis policy document applies to reports submitted on or after May 22, 2020.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in-scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* The following websites: steampowered.com, steamcommunity.com, valvesoftware.com, partner.steamgames.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below.\n\nFor games developed and published by Valve, the following components are in scope:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program.\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform privilege elevation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\nWhile researching, we'd like to ask you to refrain from:\n\n  * Denial of service.\n  * Spamming.\n  * Social engineering (including phishing) of Valve staff or contractors.\n  * Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nFor valid reports that are in scope, Valve will determine appropriate rewards.\n\nValve uses the CVSS score as a starting point in assessing severity and the reward to be paid. We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues.\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. 
We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Highest Severity\n\nIssues of the following types are among our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Reduced Severity\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n# Rewards\nThe following reward tables are based on Valve's severity assessment, as described above.\n\n### Steam\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### CS:GO, Dota2, Team Fortress 2, Dota Underlords, Artifact, Half-Life: Alyx\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### Left 4 Dead 2, Left 4 Dead\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $2,500 |               $750 |               $200 |               $100 |\n\n### Portal 2, Portal, Counter-Strike: Source, Half-Life 2 titles\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $1200 |               $500 |               $200 |               $100 |\n\n### Legacy Titles\nOther titles including all titles using the GoldSrc 
engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat.\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $750 |               $400 |               $200 |               $100 |\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-23T20:53:38.121Z"},{"id":3636343,"new_policy":"If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\nThis policy document applies to reports submitted on or after May 22, 2020.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in-scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* The following websites: steampowered.com, steamcommunity.com, valvesoftware.com, partner.steamgames.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below.\n\nFor games developed and published by Valve, the following components are in scope:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program.\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\nWhile researching, we'd like to ask you to refrain from:\n\n  * Denial of service.\n  * Spamming.\n  * Social engineering (including phishing) of Valve staff or contractors.\n  * Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nFor valid reports that are in scope, Valve will determine appropriate rewards.\n\nValve uses the CVSS score as a starting point in assessing severity and the reward to be paid. We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues.\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. 
We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Highest Severity\n\nIssues of the following types are among our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Reduced Severity\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n# Rewards\nThe following reward tables are based on Valve's severity assessment, as described above.\n\n### Steam\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### CS:GO, Dota2, Team Fortress 2, Dota Underlords, Artifact, Half-Life: Alyx\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### Left 4 Dead 2, Left 4 Dead\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $2,500 |               $750 |               $200 |               $100 |\n\n### Portal 2, Portal, Counter-Strike: Source, Half-Life 2 titles\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $1200 |               $500 |               $200 |               $100 |\n\n### Legacy Titles\nOther titles including all titles using the GoldSrc 
engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat.\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $750 |               $400 |               $200 |               $100 |\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-15T22:26:26.298Z"},{"id":3636314,"new_policy":"# Policy\nIf you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud, and account abuse issues.\n\nPlease read the scope, bounty, and severity information carefully before submission. Our intent is to guide researcher attention to the most important areas and to reward the most actionable reports.\n\nThis policy document applies to reports submitted on or after May 22, 2020.\n\n# Scope\nThis program covers the Steam platform and current games developed and published by Valve. 
Please review the reward tables and scope descriptions below.\n\nThe Steam components in-scope are:\n\n* Steam Client, Steam Client Service, and the SteamCmd command-line utility for Windows, Mac and Linux\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* steampowered.com, steamcommunity.com, valvesoftware.com, partner.steamgames.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below.\n\nFor games developed and published by Valve, the following components are in scope:\n\n* Game client and server binaries.\n* First-party, unmodified, game servers.\n* Game coordinators.\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program.\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Exclusions\n\nThe following items are considered out-of-scope for all Valve offerings:\n\n* Hypothetical issues that do not have any practical impact. 
Examples include:\n  * Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n  * User enumeration without any further impact.\n  * Clickjacking without a well-defined security/privacy risk.\n  * Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user.\n  * However, any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope.\n  * Additionally, any unauthorized modification of the privileged Steam Client Service is also in scope.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\nAdditionally, the following items are out-of-scope for issues with Valve games and related components:\n\n* Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server).\n* Reports against Source Engine tools, e.g. 
Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\nWhile researching, we'd like to ask you to refrain from:\n\n  * Denial of service.\n  * Spamming.\n  * Social engineering (including phishing) of Valve staff or contractors.\n  * Any physical attempts against Valve property or data centers.\n\n## Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet applied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Special Note for Valve Websites\n\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n# Assessing Severity and Rewards\n\nFor valid reports that are in scope, Valve will determine appropriate rewards.\n\nValve uses the CVSS score as a starting point in assessing severity and the reward to be paid. We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues.\n\nPlease carefully review our guidelines for remote-code-execution exploits in Valve games.\n\n## Remote Code Execution reports - Severity\nRemote code execution attacks can be complex to triage and assess. 
We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate. \n\nYour report must meet the following requirements to be accepted:\n\n* Actual RCE must be demonstrated. Your report should include clear steps that reliably launch another application - e.g. Calculator - on the target machine.\n* The payload must be delivered over the network - not loading resource files already on the target computer.\n\n### Highest Severity\n\nIssues of the following types are among our highest priority for assessment, reward, and resolution:\n\n* Exfiltration of sensitive data from a Game Coordinator.\n* Client-to-client: malicious payload transmitted from one game client to another when playing peer-to-peer or connected to an unmodified game server.\n* Client-to-client: malicious clients that can crash other connected game clients with or without demonstrated RCE behavior.\n* Communication from malicious clients that can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n\n### Reduced Severity\nReports of the following types may have their severity, and therefore reward, reduced one or more levels from the initial CVSS score:\n\n* Community server-to-client - malicious content including maps and textures, delivered from a community server.\n* User interaction required - reports that require victim to execute unusual console commands.\n* Client vulnerabilities that cannot be demonstrated against Windows game clients.\n\n### Ineligible for Bounty\nReports of any of the following types may be accepted as in-scope, but will not be eligible for a reward:\n\n* Reports that require crafted content (maps, sounds, mods, etc.) 
delivered via the Steam Workshop.\n* Techniques not specifically mentioned above that cause a game-client crash without demonstrated RCE behavior.\n* Techniques that require information from the target machine in order to function - for example, returning an address offset in memory in order to craft the payload.\n* Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.\n\n# Rewards\nThe following reward tables are based on Valve's severity assessment, as described above.\n\n### Steam\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### CS:GO, Dota2, Team Fortress 2, Dota Underlords, Artifact, Half-Life: Alyx\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $7,500 |               $2,500 |               $750 |               $200 |\n\n### Left 4 Dead 2, Left 4 Dead\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $2,500 |               $750 |               $200 |               $100 |\n\n### Portal 2, Portal, Counter-Strike: Source, Half-Life 2 titles\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $1200 |               $500 |               $200 |               $100 |\n\n### Legacy Titles\nOther titles including all titles using the GoldSrc 
engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat.\n\n|              Critical |                  High |                Medium |                   Low | \n| --------------------- | --------------------- | --------------------- | --------------------- | \n|               $750 |               $400 |               $200 |               $100 |\n\n# Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission. We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n# The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-15T18:11:11.217Z"},{"id":3616941,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. 
Please review the Scope sections below for certain exclusions.\n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* Valve game titles, with restrictions noted below\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n### Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in \na library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. 
Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet \napplied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Disclosure\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission.  
We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Scope definition\n### All Valve Products and Services\nThe following items are considered out-of-scope for all Valve offerings:\n* Hypothetical issues that do not have any practical impact.\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user. However, any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. 
Any unauthorized modification of the privileged Steam Client Service is also in scope.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* Reports against Source Engine tools, e.g. Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\n\n### Valve Games\nWe welcome reports for security-related issues found in Valve games. In order to make sure we focus attention on the highest-value issues, we define a narrower scope for game issues. These requirements are in addition to the general program scope and requirements.\n\nClient-side Remote Code Execution exploits are in-scope **only if the following requirements are met**:\n* the exploit must demonstrate RCE capability by launching another application--e.g. Calculator. \n* payload must be delivered over the network - not loading resource files already on the target computer. \n* technique must not require crafted content (maps, sounds, models, etc.) delivered via the Steam Workshop.\n\nAdditionally, note that an otherwise valid client-side RCE technique that is not demonstrated against Windows game clients will be capped at a maximum severity of High.\n\nGame server exploits are in-scope in the following cases:\n* malicious client can crash a vanilla dedicated server (i.e. 
no mods; using only default game assets).\n* exfiltration of sensitive data from a Game Coordinator.\n\nPlease be aware of the modified bounty schedule for legacy titles, below.\n\n### Legacy titles\n\nLegacy titles using the GoldSrc engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat - are in-scope but with the following important differences. \n\nFor GoldSrc titles and the GoldSrc engine itself, we will use the following modified bounty schedule.\n\n| GoldSrc reports |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)|\n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $250 | $250 | $100 | $0 | \n| Maximum | $750 | $750 | $750 | $200 | \n\nAlso, as these titles are updated infrequently, the resolution and bounty payment times may fall outside our expected service level.\n\n### Special Note for Valve Websites\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  
\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-22T02:46:06.105Z"},{"id":3614913,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. 
Please review the Scope sections below for certain exclusions.\n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* Valve game titles, with restrictions noted below\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n### Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in \na library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. 
Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet \napplied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Disclosure\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission.  
We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Scope definition\n### All Valve Products and Services\nThe following items are considered out-of-scope for all Valve offerings:\n* Hypothetical issues that do not have any practical impact.\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that require the ability to drop files in arbitrary locations on the user's filesystem.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* Reports against Source Engine tools, e.g. Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\n### Valve Games\nWe welcome reports for security-related issues found in Valve games. In order to make sure we focus attention on the highest-value issues, we define a narrower scope for game issues. 
These requirements are in addition to the general program scope and requirements.\n\nClient-side Remote Code Execution exploits are in-scope **only if the following requirements are met**:\n* the exploit must demonstrate RCE capability by launching another application--e.g. Calculator. \n* payload must be delivered over the network - not loading resource files already on the target computer. \n* technique must not require crafted content (maps, sounds, models, etc.) delivered via the Steam Workshop.\n\nAdditionally, note that an otherwise valid client-side RCE technique that is not demonstrated against Windows game clients will be capped at a maximum severity of High.\n\nGame server exploits are in-scope in the following cases:\n* malicious client can crash a vanilla dedicated server (i.e. no mods; using only default game assets).\n* exfiltration of sensitive data from a Game Coordinator.\n\nPlease be aware of the modified bounty schedule for legacy titles, below.\n\n### Legacy titles\n\nLegacy titles using the GoldSrc engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat - are in-scope but with the following important differences. \n\nFor GoldSrc titles and the GoldSrc engine itself, we will use the following modified bounty schedule.\n\n| GoldSrc reports |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)|\n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $250 | $250 | $100 | $0 | \n| Maximum | $750 | $750 | $750 | $200 | \n\nAlso, as these titles are updated infrequently, the resolution and bounty payment times may fall outside our expected service level.\n\n### Special Note for Valve Websites\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. 
Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  \n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-25T21:20:19.080Z"},{"id":3606488,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). 
This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. Please review the Scope sections below for certain exclusions.\n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* Valve game titles, with restrictions noted below\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n### Dependencies\n\nValve services make use of a number of open source and commercial packages. 
If you discover a vulnerability in \na library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet \napplied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Disclosure\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission.  
We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Scope definition\n### All Valve Products and Services\nThe following items are considered out-of-scope for all Valve offerings:\n* Hypothetical issues that do not have any practical impact.\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that require the ability to drop files in arbitrary locations on the user's filesystem.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* Reports against Source Engine tools, e.g. Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\n### Counter-Strike: Global Offensive\nFor CS:GO, the scope is defined more narrowly than above, explicitly stating that **only the following issues are in-scope:**\n* Remote Code Execution. 
However, the exploit must demonstrate RCE capability by launching another application--e.g. Calculator. \n* Remote crashing of vanilla dedicated servers. Crashing a dedicated server that is running no external code and not serving any third-party content (i.e., no mods, only using default game assets). \n* Exfiltration of sensitive data from CS:GO Game Coordinator. \n\n### Legacy titles\n\nLegacy titles using the GoldSrc engine - including Counter-Strike 1.6, Half-Life, and Day of Defeat - are in-scope but with the following important differences. \n\nFor GoldSrc titles and the GoldSrc engine itself, we will use the following modified bounty schedule.\n\n| GoldSrc reports |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)|\n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $250 | $250 | $100 | $0 | \n| Maximum | $750 | $750 | $750 | $200 | \n\nAlso, as these titles are updated infrequently, the resolution and bounty payment times may fall outside our expected service level.\n\n### Special Note for Valve Websites\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  
\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-29T18:07:31.935Z"},{"id":3603098,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. 
\n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile apps on iOS and Android\n* Steam Servers\n* Valve game titles\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n### Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in \na library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. 
Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet \napplied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Disclosure\n\nValve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussions of them (such as blog posts), with our permission.  
We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.\n\n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Scope definition\n### All Valve Products and Services\nThe following items are considered out-of-scope for all Valve offerings:\n* Hypothetical issues that do not have any practical impact.\n* Attacks that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* Attacks that require the ability to drop files in arbitrary locations on the user's filesystem.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Vulnerabilities reported by use of automated tools/scanners, without accompanying validation / POC.\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* Reports against Source Engine tools, e.g. Hammer, Source Filmmaker.\n* Reports that require the user to open a crafted game demo file.\n\n### Counter-Strike: Global Offensive\nFor CS:GO, the scope is defined more narrowly than above, explicitly stating that **only the following issues are in-scope:**\n* Remote Code Execution. 
However, the exploit must demonstrate RCE capability by launching another application--e.g. Calculator. \n* Remote crashing of vanilla dedicated servers. Crashing a dedicated server that is running no external code and not serving any third-party content (i.e., no mods, only using default game assets). \n* Exfiltration of sensitive data from CS:GO Game Coordinator. \n\n### Special Note for Valve Websites\nMany Valve websites use a cookie called 'sessionid.' This is used only as an anti CSRF token and is not used for user authentication. Please do not report attacks resulting in leaking the value of this cookie as account takeover vulnerabilities.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  \n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-19T21:24:07.161Z"},{"id":3593078,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. 
We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. 
\n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile app on iOS and Android\n* Steam Servers\n* Valve game titles\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n### Dependencies\n\nValve services make use of a number of open source and commercial packages. If you discover a vulnerability in \na library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.\n\nPatches to dependent libraries are generally rolled out by our internal change management systems. 
Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet \napplied to our software or production systems.\n\nWe welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n## Disclosure\n\nValve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission.  
We reserve the right to make exceptions to this policy at our discretion.\n\nPlease note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable and where Valve has not taken a specific corrective action.\n\n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Scope definition\n### All Valve Products and Services\nThe following items are considered out-of-scope for all Valve offerings:\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\n### Counter-Strike: Global Offensive\nFor CS:GO, the scope is defined more narrowly than above, explicitly stating that **only the following issues are in-scope:**\n* Remote Code Execution. However, the exploit must demonstrate RCE capability by launching another application--e.g. Calculator. \n* Remote crashing of vanilla dedicated servers. 
Crashing a dedicated server that is running no external code and not serving any third-party content (i.e., no mods, only using default game assets). \n* Exfiltration of sensitive data from CS:GO Game Coordinator. \n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  \n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-30T19:07:14.795Z"},{"id":3583905,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). 
This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. \n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile app on iOS and Android\n* Steam Servers\n* Valve game titles\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. 
No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\nValve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission.  We reserve the right to make exceptions to this policy at our discretion\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n \n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Scope definition\n### All Valve Products and Services\nThe following items are considered out-of-scope for all Valve offerings:\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\n### Counter-Strike: Global Offensive\nFor CS:GO, the scope is defined more narrowly than above, explicitly stating that **only the following issues are in-scope:**\n* Remote Code Execution. However, the exploit must demonstrate RCE capability by launching another application--e.g. Calculator. \n* Remote crashing of vanilla dedicated servers. Crashing a dedicated server that is running no external code and not serving any third-party content (ie, no mods, only using default game assets). \n* Exfiltration of sensitive data from CS:GO Game Coordinator. 
\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  \n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-27T21:39:08.989Z"},{"id":3576150,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. 
Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\nFor valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score. \n\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,500 | $500 | $250 | $0 | \n| Maximum | - | $2,000+ | $1,000+ | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile app on iOS and Android\n* Steam Servers\n* Valve game titles\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. 
A submission that does not meet these requirements may not qualify for a bounty.\n\nValve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission.  We reserve the right to make exceptions to this policy at our discretion\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n \n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Out-of-scope Bugs\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects or linkfilter bypasses that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service 
Attacks.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  \n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-10T21:08:20.134Z"},{"id":3575763,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. 
Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,000 | $500 | $250 | $0 | \n| Maximum | $3,000 | $1500 | $500 | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile app on iOS and Android\n* Steam Servers\n* Valve game titles\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\nValve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission.  
We reserve the right to make exceptions to this policy at our discretion\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n \n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Out-of-scope Bugs\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nValve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.  \n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-07T18:03:35.454Z"},{"id":3575753,"new_policy":"# Policy\n\n## Valve's security philosophy\nValve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.\n \nSecurity includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.\n \nSecurity of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our [Support site](https://help.steampowered.com/). This includes password problems, login issues, suspected fraud and account abuse issues.\n\nWe are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. 
Only research following these guidelines will be eligible for a bounty.\n\n## Rewards\n| Min/Max |Critical (CVSS 9.0 - 10.0)| High (CVSS 7.0 - 8.9)| Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)| \n| ------------- | ------------- | ------------- | ------------- | ------------- | \n| Minimum | $1,000 | $500 | $250 | $100 | \n| Maximum | $3,000 | $1500 | $500 | $200 | \n\n## Scope\nThe current scope is limited to the domains and pieces of software listed here: \n\n* steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below\n* Steam Client for Windows, Mac and Linux\n* Steam command line utility (SteamCMD)\n* SteamOS\n* Steamworks SDK\n* Steam mobile app on iOS and Android\n* Steam Servers\n* Valve game titles\n* Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers\n\nPlease note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our [Support site](https://help.steampowered.com/).\n\nNo authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.\n\n## Responsible Disclosure and Guidelines\nWhen submitting potential vulnerabilities, we ask that you follow [HackerOne's general guidelines for disclosure](https://www.hackerone.com/resources/hack-learn-earn) as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.\n\nValve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission.  
We reserve the right to make exceptions to this policy at our discretion\n\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n \n## Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Valve staff or contractors\n* Any physical attempts against Valve property or data centers\n\n## Out-of-scope Bugs\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n\n## The Fine Print\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. 
We won’t apply any changes we make to these program terms retroactively.\n\nReports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-07T17:20:38.700Z"}]