Artem Moskowsky was testing a web application on the Steam developer site one day when suddenly he noticed a bug: he could generate game keys - thousands of them.
By altering a couple of parameters he was able to, at one point, generate 36,000 Portal 2 keys, Moskowsky told The Register. The kind of keys which activate games on Steam so can be equivalent in worth to a full game.
For a hacker, it's like hitting the jackpot - but not quite. The keys Moskowsky was generating had been generated before, so probably used before. He wasn't creating 36,000 new keys for Portal 2, he was seeing 36,000 keys generated for it.
Nevertheless, Mokowsky had valuable information - so valuable, in fact, Valve paid £15,000 for it.
"Working together we can all make Steam and the internet safer." -Valve
You can see the timeline of events on bug-reporting platform HackerOne.
On 7th August, Moskowsky reported the bug. "Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access."
A few days later, on 11th August, Valve awarded Moskowsky $20,000. But this wasn't divulged publicly until 31st October 2018.
How noble of Artem Moskowsky to report it, you might think, and how nice of Valve to reward him, but it's actually a commonplace reaction in the HackerOne initiative Valve has to reward researchers finding vulnerabilities in its work.
Moskowsky himself was awarded $25,000 a mere month earlier by Valve.
"Valve recognises how important it is to help protect privacy and security," Valve's HackerOne page reads. "We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.
"Security includes everyone. Our Steam users, our developers, third-party software developers and the security community. Working together we can all make Steam and the internet safer.
"Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.
"We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty."
Be right back; becoming a researcher.
Will you support Eurogamer?
We want to make Eurogamer better, and that means better for our readers - not for algorithms. You can help! Become a supporter of Eurogamer and you can view the site completely ad-free, as well as gaining exclusive access to articles, podcasts and conversations that will bring you closer to the team, the stories, and the games we all love. Subscriptions start at £3.99 / $4.99 per month.