We've got some great discounts for this special occasion.
For today only, simply use any of these coupon codes at checkout:
You could buy your special someone a nice unusual, or buy yourself some keys. We won't judge.
Since we reduced our seller base substantially at the end of 2020, we've made a lot of changes and would like to get everyone up to date on what's been going on.
As of February 1st, we are now allowing anyone to apply to become a seller. For most people this is a quick process and you'll be ready to sell on the same day you apply.
Due to the large volume of people wanting to become sellers, we have to take this slow. We'll be opening up applications for only the first week of every month. For example, they will open on March 1st and close on March 8th.
Due to the nature of our business dealing with real money, and the very real possibility of money laundering being a thing, we have to confirm the identity of all sellers on Marketplace.tf. This is necessary to keep everyone safe, and to keep our business alive. This process consists of uploading a photo of your ID (such as a passport or driver's license) so we can be sure all sellers are who they say they are. This process is conducted by Stripe, our credit card processor.
Every seller gets 1000 inventory slots to list their items for sale in; we call this shelf space. Sellers now also have the option to purchase a monthly subscription to gain more shelf space, such as 5000, 10000, or even 20000 slots.
Since the beginning, Marketplace has been partnered with PayPal to provide payouts for our sellers in an easy and convenient way. Last year we added to that by partnering with Routable to offer direct bank account payouts to more than 50 countries. As always, Marketplace does not charge any extra fees for payouts.
More great features are coming soon for sellers. Here's just a few things currently in the pipeline:
Are you a new seller? Even if you're not, come join our discord! Chat with other sellers and suggest new features. We're always looking for good ideas.
We're back with our yearly Smissmas day discounts! We have three coupon codes for you as usual:
To redeem the following codes, simply type in the relevant coupon code on the checkout page. Make sure that you redeem these quick: they deactivate at the end of December 25th!
Note that these coupon codes cannot be combined with any other coupons. All codes may be used any number of times until they deactivate.
Merry Smissmas!
We've added a new category of items to Marketplace.tf, Steam items! You can now buy cards, emotes, backgrounds, gifts, and more from the most trusted market in TF2.
Steam items have full support for our powerful search system, so you can filter by type of item, and by game.
Check it out by clicking the Steam logo on any page, or by visiting https://marketplace.tf/steam
Additionally, we have a new tool to quickly buy cards to complete your badges! Visit https://marketplace.tf/tools/badge_builder to check it out.
We'll be adding even more features and games soon, so stay tuned!
Last year we went through a major reduction in our seller program, and other features of our site. Marketplace.tf was growing too big and too fast for us. Now that we've had a lot of time to regroup and make some changes, we'd like to post a few updates on where we are now.
We're launching our new Twitter account! Come follow us at https://twitter.com/marketplace_tf. We're starting things off with a giveaway which you can enter by going to https://scrap.tf/raffles/RD7ODV and following the instructions.
The Seller Program
Marketplace.tf still has sellers (duh, or else there would be no items). Earlier this year we opened applications to bring a few new sellers onto the site, and we're doing that again now for a limited time. If you'd like to be a seller visit https://marketplace.tf/sell/apply to submit your application.
All our sellers are thoroughly vetted, and have more requirements than before, such as identity verification and required two-factor authentication.
Dota 2
We've recently brought back support for Dota 2! There's no trade holds for buyers, so any items you buy will be delivered to you right away. Keep an eye out for more games to be supported soon!
Buy Orders
Buy orders have also returned! You can place buy orders as long as you have a supported credit card and have gone through our card verification process in your account page.
Update 2: At this time, it's pretty clear that any possibility of a new Remote Code Execution exploit having been developed is essentially null.
While personally we did not think it reasonable that the release of source code of a massive project (such as the TF2 codebase) would result in the discovery of a major RCE exploit within hours, there was a clear demand for an unpacking of the situation from a reputable source. It seemed irresponsible to recommend that others simply play the game, even if the chance of any real risk was quite low.
The truth is, an exploit on the scale of an RCE is generally difficult to find (not always, of course), and with a codebase the size of TF2's, it would take a while. Additionally, those willing to deal with disassembled/decompiled code have always been able to poke around with the game's client code (well, a version of it). The source code leak made things easier, but would not accelerate discovery of an exploit to the extent that'd be required for something to already have been developed.
Ultimately, the leak of this code is of great concern to Valve, but it's probably mainly Valve that has to worry about the negative consequences of such a leak. It may make cheat development easier, but the truth is that code compilation / obfuscation is never going to prevent attackers from getting what they want; only make it more difficult. (See the bit about security being in "layers" down below).
Update: It's come to our attention that a small amount of internal item server / GC source files are included in this leak. This means that some of the code running on the TF2 item servers (as of late 2017) can be read by anyone. This does not grant anyone the ability to change the code running on the item servers; only see a historical copy.
While this is a concerning update to our understanding of the situation, it is not as bad as it may appear. The ability to see the code that the servers are running is not the same as the ability to change the code.
In order to utilize this code to exploit the item servers, one would still need to do so by "tricking" the item server, by sending it carefully-constructed messages. For example, one might send it an "open this crate" message which uses a scrap metal instead of a key to open the crate. However, the item servers will already be written to detect such issues (in this example, ensuring that the "key" is really a key). The messaging format and protocols used to communicate with the item server were already documented and understood before this leak, and although the leak may help find ways to "trick" the item server, there does not seem to be a major hole left open by the discovery of these files.
We currently see no way these item server source files could directly result in an attack on the ingame economy.
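The server-side check described above, as an added example that is not part of the original article and is not Valve's code: a toy item server in Python where one handler trusts the client's own description of the item it sends, and the other looks both items up in the server's inventory before acting. All class, field and message names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Item:
    item_id: int
    owner: str
    kind: str        # "crate", "key", "metal", "hat"
    series: int = 0  # crate series a key fits; 0 when not applicable

class ItemServer:
    """Toy item server (hypothetical): it owns the only trusted inventory."""

    def __init__(self, items):
        self.items = {i.item_id: i for i in items}
        self.next_id = max(self.items) + 1

    def open_crate_naive(self, user, msg):
        # Weak: believes the client's own description of what it is sending.
        if msg.get("key_kind") != "key":
            return "rejected: wrong item type"
        return self._consume_and_grant(user, msg)

    def open_crate(self, user, msg):
        # Hardened: ignore client claims and look both items up server-side.
        crate = self.items.get(msg.get("crate_id"))
        key = self.items.get(msg.get("key_id"))
        if crate is None or key is None:
            return "rejected: unknown item"      # also stops replays
        if crate.owner != user or key.owner != user:
            return "rejected: not owner"
        if crate.kind != "crate" or key.kind != "key":
            return "rejected: wrong item type"   # scrap metal is not a key
        if key.series != crate.series:
            return "rejected: key does not fit crate"
        return self._consume_and_grant(user, msg)

    def _consume_and_grant(self, user, msg):
        # Both inputs are destroyed before the reward is created.
        self.items.pop(msg["crate_id"], None)
        self.items.pop(msg["key_id"], None)
        reward = Item(self.next_id, user, "hat")
        self.items[reward.item_id] = reward
        self.next_id += 1
        return f"granted: item {reward.item_id}"

def sample_inventory():
    # Constructed sample data: alice owns a crate, scrap metal and a key.
    return [Item(1, "alice", "crate", 5), Item(2, "alice", "metal"),
            Item(3, "alice", "key", 5), Item(4, "bob", "key", 5)]

# Constructed messages: FORGED labels scrap metal (item 2) as a key.
FORGED = {"crate_id": 1, "key_id": 2, "key_kind": "key"}
HONEST = {"crate_id": 1, "key_id": 3, "key_kind": "key"}

if __name__ == "__main__":
    print(ItemServer(sample_inventory()).open_crate_naive("alice", FORGED))
    print(ItemServer(sample_inventory()).open_crate("alice", FORGED))
    print(ItemServer(sample_inventory()).open_crate("alice", HONEST))
```

Reading the hardened handler's source tells a client nothing it can use to pass the check, because every fact the decision depends on lives in the server's own inventory.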
The original unedited article is below for posterity. The contents of the "Trading / Steam API" section are outdated, but the other sections remain accurate.
Some stuff's happening today, and it may have made you say, "Hey! What's going on?"
Let's keep it simple: a 2017 version of TF2's CLIENT source code has leaked. We'll explain what this means shortly; for now, let's go over how this impacts you.
Short answer: While there is no evidence to support the existence of new security holes, out of an abundance of caution, perhaps hold off.
So this is a bit difficult to unpack. You may have seen a video purporting to demonstrate an "RCE" exploit (Remote Code Execution; basically, the most dangerous kind of security hole) in TF2 recently; there is no reason to believe this video is real, and there are issues present that make it apparent that it is not a legitimate exploit.
However, when the full source code of an application is leaked, it makes it significantly easier to find unpatched vulnerabilities in its code (because you have the code). There is no doubt that malicious actors are searching through it at this very moment, trying to find security vulnerabilities. On the other hand, Valve has an active bug bounty program, which means there is profit in finding any such bugs and reporting them to Valve.
Additionally, this source code leak is not completely "new". It is, more accurately, a public leak of a private leak, and it's impossible to know exactly who has already seen this code or for how long. This means that vulnerabilities present in the code could have already been found and abused prior to this leak. This is unfortunately cause for more concern, not less.
Security is a difficult thing to discuss because there are so many unknowns. Any exploits found in this code will have been present in the code long before being discovered, and very well could have been discovered by someone who smartly kept themselves off the radar. Likewise, a security hole has to be discovered before it is dangerous; and if it isn't discovered, it isn't abused. A good rule of thumb is that if it's software, it can be hacked. This doesn't mean you can't make it harder, though.
Security works best in layers. Assume any of the layers can fail, but won't most of the time. Enough layers makes a specific victim too costly to attack, but not necessarily impossible. Anyways, think of your own decisions as a layer in that security. You could set up a Virtual Machine and play TF2 inside it, insulating your main OS from malware due to a possible RCE in TF2's client. However, it might be smarter to just... wait for a little bit. If there are any pressing security concerns, they will be patched in short order.
To sum it up, there is no evidence of a NEW security hole. However, finding security holes has been made easier, and right now, a lot of people -- good and bad -- are trying to do just that. Out of an abundance of caution, perhaps don't play TF2 for a short while until more concrete information is available. It shouldn't be too long.
Short Answer: Trading is fine. The Steam API was not "leaked".
The code that was leaked -- while proprietary, and definitely not something a company wants leaked -- was the TF2 client code; the code for the application you run when you play TF2. This is entirely separate from the TF2 Item Server code. The Item Server code is still completely private, and runs on Valve's private servers.
If the TF2 client were able to mess with the trading / item servers, that would already have been exploited (and has, in the past). However, these are complicated exploits that involve "tricking" the item server, and are quite rare. The TF2 client code does not help an attacker figure out how to trick the TF2 item server. They are entirely separate.
As for the Steam API "leak", there is no evidence to suggest that anything beyond client library files was leaked; these are entirely different from the internal code for the Steam API. This is, frankly, harmless. Even if the internal API source was leaked, it honestly would not likely lead to any vulnerabilities.
Boy am I glad I made you ask! Here's what happened:
Basically, someone involved on a Sourcemodder team (modder teams, oh boy) had access to a private leak of the TF2 source code from 2017 (that's this!). They got kicked off the modder team, and in retaliation, publicly leaked the private leak they had access to.
But what got leaked? The source code for the TF2 client. ("Source" here does not mean "Source" the game engine; "source code" is a programming term, not a Valve one). This is all the code files that get turned into your favorite game. However, there's some stuff missing.
For example, the game might run fine, but it has to connect to the item server. This is entirely different code, which was not leaked, and which was never intended to run on your computer. It's special code, reserved for Valve's super special servers. The game client doesn't have the ability to mess with the item server code; it can only politely request things from the item server. The item server -- fully under Valve's control -- can simply refuse dumb requests like "give me a golden pan." This is why trading is not impacted by this leak.
The "item server" (a misnomer, as I am about to explain) also handles matchmaking. It actually handles pretty much every other "live service" aspect of the game (parties, time-limited events, etc). So you really need this item server for a lot of what makes TF2 "TF2". You might be able to make changes to the game code and distribute your "own version" of TF2, but it would still need to connect to the actual TF2 backend servers (unless you made your own, which is a big task).
Good God, yes. Unless you don't want to. We're cool. There's a pandemic. It aight.
We here at Marketplace.tf would like to wish you all a merry Smissmas -- and a happy every other hat-themed Winter Holiday as well!
Good tidings are nice, but you know what's nicer? Well, an end to global war. That's a bit too hard for us, but perhaps you'd be interested in some chilly discounts?
This year, we've got three different gifts for you. To redeem the following codes, simply type in the relevant coupon code on the checkout page. Make sure that you redeem these quick: they deactivate at the end of December 25th!
Note that these coupon codes cannot be combined with any other coupons. All codes may be used any number of times until they deactivate.
Merry Smissmas!
We've been hard at work, and we're proud to announce our latest feature: auctions! Although we can't prove that we invented the concept of auctions (although our media team is hard at work figuring out how to do just that), we'll say it anyways. Guys, we just invented auctions!
To kick it off, how about an auction for a Golden Frying Pan with a $100 starting bid? Check it out!
Just like the real world, auctions are best for items whose price isn't concretely known ahead of time. With that in mind, in the beginning, we're restricting auctions to the following items:
We will, of course, be expanding this list to include more types of items as time goes on. Additionally, we will add support for auctioning items from games other than TF2 soon.
We put a large amount of thought into the pricing structure for auctions, and in the end, we decided that the best solution was to go with what we already know works.
Therefore, auctions have the same 10% commission as any other sale on Marketplace.tf.
Before placing any bids, you'll need to add your phone number to your account. This is to prevent abuse of auctions and provide a safe environment for everyone. We will never spam you or sell your data.
When you place a bid with a card, you will not be charged unless you win. When you win an auction, you will have 48 hours to return to Marketplace.tf and pay for the item you won. Failure to pay within 48 hours will result in a permanent ban from placing further bids.
Additionally, to bid with a credit or debit card, you must add a card to your account that meets our verification requirements:
We understand that these requirements may inconvenience some bidders; unfortunately, these measures are necessary to prevent fraudulent transactions.
Bidding with PayPal will be available in the future.
If you have Wallet Funds on your Marketplace.tf account, which are obtainable either by selling items or by purchase, you may bid with that instead of a card.
When you place a bid with Wallet Funds, we will deduct your maximum bid from your balance immediately. This will be refunded if you are outbid.
If your winning bid is lower than your maximum bid, the difference will be refunded to you at the end of the auction.
Note: if you opt to purchase Wallet Funds to bid with, please be aware that they are NON-REFUNDABLE. For this reason, we do not recommend that you purchase Wallet Funds to place bids.
If you've been paying very careful attention over the past week, you may have picked up on a temporary glitch that caused old crates to produce unusuals 100% of the time. You can read Valve's writeup and solution here.
On Marketplace.tf's side of things, we were lucky enough to have shut down all services about 1 hour into the event, but within that timeframe, some users managed to sell some of these "glitched" unusuals to buy orders made on Marketplace.tf. To that end, we will be refunding in full any buy order filled with a "glitched" unusual. This is about 150 unusual hats that we will be refunding. Some users who sold these unusuals to buy orders have graciously agreed to return what they earned through them, but this is a minority of the unusuals; the majority will be refunded by Marketplace.tf.
While we are not responsible for Valve's mistakes, we could have done more to prepare for such an event. We will be instituting safeguards moving forward to detect similar anomalies, as well as providing safety features for those who create buy orders -- such as the ability to set a limit on the total amount spent by your buy orders within a 24-hour period. We'll let you know when this goes live.