It turns out there are some significant vulnerabilities in Steam’s game submission process, and 16-year-old Ruby Nealon has been trying to bring them to Valve’s attention. The company repeatedly ignored his claims, prompting him to take matters into his own hands and release a game by completely circumventing Valve’s authority.
The result was Watch paint dry, a 45-second-long “game” that, for a brief time, was on Steam’s front page. Although it enraged community members and almost started another heated debate about swindlers releasing trash on Steam, Nealon defended his actions by saying that his intent was to expose serious security flaws, not to release a bad game or make money through illegitimate means.
Nealon managed the feat by obtaining the Steamworks tools (through social engineering) and carefully examining their contents. By digging through code and scripts, he was able to drill his way through Steam’s three-step approval process after a mere two nights of fiddling.
Valve has since patched the vulnerabilities and removed Watch paint dry from the store, but Nealon is annoyed that his contribution has gone largely uncredited. Working as an ethical hacker, Nealon has helped identify bugs and security flaws for tech giants such as Microsoft and Google. He has appealed to Gabe Newell personally to start a “bug bounty” program that would pay and acknowledge hackers such as Nealon for identifying bugs and exploits. It should be a top priority, especially for a company as large as Valve.
The fascinating saga is documented (and it gets quite technical) in a post Nealon made on Medium.