Hats as compensation for bug reports hurts Dota 2 in the long run

1.The current state of affairs

[www.gamespot.com]

[en.wikipedia.org]

Originally posted by Google: Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3133.70.

Originally posted by Yahoo: Yahoo! launched its new bug bounty program on October 31, that allows security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered.

[www.riotgames.com]

2.What ends up happening

Report the bug/vulnerability to Valve, get some hats or a couple of steam-bucks and a pat on the back.

Sell the bug on zero-day exploit sites/use it themselves, making the time spent worthwhile.

[i.imgur.com]

Makes a maphacking tool (just because everything happens serverside does not mean you can't somehow access that data). Maphacks are super profitable.

Wipes your in-game inventory clean (goodbye Dragonclaw Hooks and anything else of value)

Scams your friends if they get control of the social features of your account for long enough to keep the gravy train going.

Uses you as a mule to launder money/items stolen from other users, possibly getting your account banned in the process (esp. if there is a chargeback, because you claim you didn't buy this or traded that).

And if the security breach is really really big, then they grab your credit card info and really really go to town on your life savings.

3.Why should I care?

pick up some kind of keylogger or trojan hidden in the ads on some Dota 2 related site

click a link accidentally on the forums before mods have a chance to remove it

open an infected email or a PM that seemed legit

Dota 2 banner ads (Dude it's ingame, that iPod Air has to be legit!)



When you put yourself online the possibilities are infinite. This might not happen to you, it might not happen to me, but if even 0.1% of the users fall for it then MISSION ACCOMPLISHED, the gravy train keeps going and black hat hackers can reinvest the money/items back into their 'business'.

Steam and Valve's games are especially irresistible to hackers, the whole thing is like flies drawn to a turd. Not only are the games fun AAA quality with a huge user base, they are all interconnected through Steam trading and the marketplace. This lets hackers turn their scams into cash at lightning speed. There is no shortage of people willing to do a PayPal transaction for keys or timebreakers when the deal is just too good to pass up. Why bother with other games if Dota 2 and Steam are far more lucrative?

There's really three sides to this issue: the end user (the player), the corporation (Valve), and the hackers/scammers. Most of the time our interests fall in line with those of a business: you want the game, they want the money. Other times (if you really want something like CD keys for cheap) the hacker can provide.

Logically, it's in our best interest to remove this turd (I'm sorry but this analogy works), thus reducing the amount of flies we have to deal with. However, in this case the user and the corporation have a conflict of interest, because doing the sensible thing, i.e. cleaning up the turd, is going to dip into Valve's profits. This is a classic case of conflicting interests.

4.Valve's Strategy

Valve is more or less playing a game of chance when they don't provide an economic incentive for reporting exploits. The users are the ones that foot the bill for cost-cutting, that's how the savings are passed on to you. Valve is counting on the good will of their users and the skill of their programmers to find vulnerabilities before they become an issue, and throws hats at the poor saps that are foolish enough to report anything of value. When a user is inevitably burgled, they get to deal with the skeleton crew that is Valve's support and might not even get all their lost items back. One ends up with a scenario where it's cheaper for Valve to spend (barely any) money on a clean-up crew when something does happen, because as it stands, prevention won't make them as much money.

You know who has similar strategies? WAL-MART, that's who; this cost-cutting approach is more or less in the same vein [www.forbes.com].

Or mining companies that paid you with cash you could only spend in their store [en.wikipedia.org].

5.Why this won't just go away by itself / will get worse

People are cheated all the time; feel free to look on /r/Dota2 or SPUF for all the sob stories where users lost items that took years to acquire.

I personally believe this is the biggest threat to Dota 2, things like Neko-Neko Chan Drow or Starladder-Drama go away with time or are just ugly cosmetics. Valve is a corporation, and despite being staffed by people and having a human at the forefront, a corporation's ultimate goal is maximizing profits; Valve happens to do it through video games rather than banking or something else. That means a corp will keep doing something if it makes them the most money; Valve happens to realise that user happiness/satisfaction matter the most in the long run (still talking about profits here). This is not going to go away until we tell Valve to stop, why change an approach that saves so much money?

5.How are we playing into this?

Valve is always testing the limits of the user, because they want to find the perfect balance of ♥♥♥♥ the user is willing to put up with that also makes the most money (any large organization understands the value of R&D; a lot of these small, sometimes annoying changes are the result of that). They also understand profits are maximized when a product dominates a market like Steam is doing to digital PC games, and you only stay on top if you are ahead of the curve. You can't grow lazy if you become the top dog of any market, especially video games. Valve also understands very well how user satisfaction plays into user retention with things like brand loyalty; they also understand that brand loyalty can let them do things that would not be tolerated by anyone else. That's why, despite having far better customer support and an awesome return policy, Origin is eating a far smaller piece of the pie. If you really really really like Valve's games (I'm definitely one of them, or was at one point), it's going to be a lot easier to justify some of Valve's actions.

If you take someone that has never played video games or just switched to PC from a console, they're going to put up with far less ♥♥♥♥ because they don't have anything invested in the brand/game/image, kind of how League of Legends players find it hard to switch to Dota or vice versa. I've heard 'Dude, it's fun playing Dota but I'm going back to LoL. All my champs and skins are there' more times than I have fingers; it's a good example of how an individual can really get invested in a brand, and that makes them put up with far more ♥♥♥♥.

6.Money Talks

The best thing to do is to get mad and really huff and puff. It all goes back to the relationship between user satisfaction and money {LINK REMOVED}. Valve certainly understands the value of PR as well, so in the end money is going to be doing most of the talking.

7.What can we do?

If a certain approach makes the most money, no corporation that expects to be around in the next ten years is going to stop doing it because 'it's just not right'; things like this change through external pressure: if a competitor complains to a regulatory board about some of the questionable tactics used by a corp, or in our case the way it negatively impacts the game.

We can apply that external pressure by letting our disapproval be heard by Valve, stating clearly that their business practices are wrong. In other words, we need to get mad and cause an online temper tantrum while hurting Valve right in the pocketbook; only then will we get them to do the things that are in our best interest.

8.Conclusion tl;dr

Whether you place any value on this post or care about hats at all, the facts are still the same: Steam and Dota exploits are big business, and business is booming.

So yeah, bug bounties are a big deal and I had no idea I would spend the better part of a day writing this.

More stuff to read up on:

http://www.darkreading.com/vulnerabilities-and-threats/so-you-want-to-be-a-zero-day-exploit-millionaire/d/d-id/1101256?

P.S.: I didn't have time to translate this post into Russian. If anyone can, write a summary for those who don't understand English. I think everyone should read this.

After seeing this posted and doing a bit of browsing it turns out VALVe pays people in hats for reporting vulnerabilities. Here is VALVe's security page, notice how there's no mention of any sort of compensation. If you report a bug to VALVe they, but go on to reward you with virtual items that cost them next to nothing to make. This money-saving tactic is extremely disrespectful to the time spent doing VALVe's QA work for them (poring over code, seeing if they can reproduce the bug consistently, etc.) and is ultimately going to make Dota 2 worse off in the long run.

Just skimming through this page on Wikipedia shows you how much vulnerabilities are worth for other billion-dollar companies if you report them through legal channels:

When someone finds a nice juicy vulnerability in Dota 2 or the Steam client, they have two options:

In the long run, where do you think most serious bugs end up when people have bills to pay and stomachs to fill?

I found this after just 5 minutes on a search engine:

This guy is claiming one can make 6000 rubles (about 100 dollars) a day using bots to hack inventories, another guy replied with:

Good exploit, definitely going to try it. I think you need to improve [the program's] detection evasion and give this info out privately.

People don't think this is a big deal and dismiss it rather quickly since this does not apply to them personally, but in item scamming, the name of the game is

so it's foolhardy to think that nothing is going on just because you barely see it. When there are tons of exploits being sold out in the open, you can bet that far more serious ones are being found and sold on private channels.

When a hacking group gets hold of a particularly nasty exploit, you can bet they are going to run that horse straight into the ground because maximizing profit is a race against the clock. Time is the resource that really limits how much damage/profit a hacker can make. When an exploit is put to use, it's like a cheetah trying to gorge on a kill as quickly as possible because sooner or later you're going to get vultures and lions. Putting that metaphor to use, a typical exploit run on Steam takes two things into account: 1. how long until other hackers (the vultures) try to get in on the action. It's an important checkpoint in an exploit run because it brings unwanted attention and shortens the lifespan of an operation, 2. leading up to the finale where Valve takes notice (the lion that goes to see what the fuss is about), resulting in Steam/Dota getting a small quick hotfix, making the party officially over.

What you've got is a system where cyber-gangsters end up being more generous than VALVe because for them the cash is just a money-for-goods transaction that:

The last point obviously hasn't happened (to Dota), but if all you get is hats and a 'keep up the good work ;)' from Valve then it's only a matter of time before someone finds a bug that rakes in the rubles big time.

Why work doing QA for $15 an hour in Moscow (rent there is ♥♥♥♥ing) working gruelling hours when you could be making 5 times as much scamming Dota 2? When you provide a program designed to be consumed by the public, your stuff is going to come to the attention of less than desirable individuals. Someone is going to look through code, sniff packets, poison cookies, etc. regardless of whether or not your program/platform is for games or serious business, especially if it has a large user base, because more people means more opportunities for money to be made. It's not a coincidence that so many scammers and hackers think of Steam and Dota as part of their bread and butter.

No one said

when Sony had a massive breach with ♥♥♥♥♥♥♥♥s of credit cards stolen, so we can at least agree that identity theft matters. That kind of loss is a huge deal resulting in media coverage, public outcry, and tons of damage control. For a vulnerability that big, the payout for a heist is oftentimes way more than the cash a corporation is willing to part with (assuming they pay people for reporting threats of that magnitude in the first place). A hacker's decision boils down to one of risk and morality: I'm going to get lots of cash one way or another, is that extra money worth it? I would be profiting off of the misery of others, and risk getting caught, likely landing me in jail (a question that probably warrants its own post).

But I think the small zero-day exploits that impact items should matter to Dota 2 in particular. There will always be bugs in the Dota 2/Steam inventory because dealing with virtual items/currency is super intricate, hell, Steam's market is more or less a small-scale stock exchange.

Until Valve makes it worthwhile to report serious security flaws directly to them, these small exploits will keep ending up in the hands of hackers running small-time operations. Let's be realistic: most police that deal with cybercrime don't care how many TI1 couriers you lost, it's exactly because of this that there is virtually no risk in scamming the Steam marketplace.

Sure, you could say:

But I think

and their testimonials don't really matter in the big picture. This kind of business venture (we've hopefully agreed people do it for profit by now, the people affected are just collateral for them) is a numbers game, if a hacker can fool even one person out of 1000, then he and his scummy Steam chat scam-bot operating pals made the whole thing profitable; this stuff is really tempting financially if you live in a place with undervalued currency, that's why most of the hackers on Steam are usually Chinese or Russian.

Steam chat is not even the only source of these kinds of exploits. There are so many angles of approach to separate you from your valuables, you can: