Valve patches recent Steam zero-days, calls turning away researcher 'a mistake'

Valve also updates bug bounty rules to prevent similar incidents from happening again.
Written by Catalin Cimpanu, Contributor

Gaming giant Valve has called turning away a security researcher who reported a vulnerability in the company's Steam gaming client "a mistake."

A Valve representative told ZDNet in an email today that the company has shipped fixes for the Steam client, updated its bug bounty program rules, and is reviewing the researcher's ban on its public bug bounty program.

The bug reporting debacle

The company reaction comes after being criticized for the poor way it, and the HackerOne staff (where Valve runs its bug bounty program), handled a vulnerability report in the Steam gaming client.

The bug report was filed by Russian security researcher Vasily Kravets last month, but the HackerOne staff told him the bug was out of the program's scope, and that Valve did not intend to patch it.

The bug was a local privilege escalation (LPE) issue, which is not as dangerous as a remote code execution (RCE) vulnerability, but dangerous nevertheless, as it allows malware already present on a computer to use the Steam app to gain admin rights and take full control over a host.

Even if Valve did not intend to fix the bug, the HackerOne staff forbade Kravets from publicly disclosing the vulnerability, meaning tens of millions of Steam users would have remained vulnerable to attacks.

Kravets eventually disclosed details about the vulnerability and was banned from Valve's bug bounty program, as a result.

Valve shipped a fix for the bug Kravets disclosed, but another researcher found a way around it within hours.

Kravets then published details about a second Steam client LPE on his website, being unable to report it via the company's bug bounty program.

In all of this, Valve found itself with cake on its face, being considered the mean company who didn't want to pay a bug bounty reward and for banning a researcher for reporting a dangerous bug.

Valve modifies bug bounty program rules

Most of the discussion and criticism aimed at Valve was about the fact that the company was ignoring LPE vulnerabilities, a class of security flaws that almost all companies patch in their products.

But in an email to ZDNet today, Valve called all of this a massive misunderstanding.

"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user," Valve said.

"Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam," it added.

"We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported."

Valve to review researcher's ban

The spokesperson also said turning away Kravets' first report "was a mistake," and that the company is reviewing this particular situation to determine the appropriate actions.

When inquired earlier today, Kravets told ZDNet that he was still banned on Valve's HackerOne bug bounty program.

Valve also shipped new fixes for both Valve zero-days found by Kravets in an update to its beta client. Once tested and reviewed, these patches will be merged in the main client.

Earlier this year, HackerOne ranked Valve's bug bounty program on #9 in a Top 20 list of the best bug bounty programs running on its platform.

"In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties," Valve said.

HackerOne's top 20 public bug bounty programs

Editorial standards