Gaming giant Valve has shipped fixes for the Steam client and updated its bug bounty program rules. The company called its decision to turn away the security researcher who reported a vulnerability in its Steam gaming client a mistake, and it is reviewing the researcher’s ban from its public bug bounty program.
The company reacted after being criticized for the way it and HackerOne staff (HackerOne being the platform on which Valve runs its bug bounty program) handled a vulnerability report concerning the Steam gaming client.
The bug was reported by Russian security researcher Vasily Kravets last month, but HackerOne staff replied that it was out of the program’s scope and that Valve had no intention of patching it.
The bug was a local privilege escalation (LPE) issue, which is less severe than a remote code execution (RCE) vulnerability. However, it could let malware already present on a computer use the Steam app to attain admin rights and take complete control of the host.
Even though Valve did not intend to fix the bug, HackerOne staff prohibited Kravets from publicly disclosing it, which could have left millions of Steam users vulnerable to attack.
Kravets eventually disclosed the details of the vulnerability anyway and was banned from Valve’s bug bounty program as a result.
Valve shipped a fix for the bug disclosed by Kravets, but another researcher found a way around it within hours.
Kravets then published the details of a second Steam client LPE on his website, as he was no longer able to report it through the company’s bug bounty program.
As a result, Valve came to be seen as a company that did not want to pay a bug bounty reward and that had banned a researcher for reporting a dangerous bug.
Bug Bounty Program Rules Modified
Valve was criticized mainly for ignoring LPE vulnerabilities, a class of security flaw that almost all companies patch in their products. Valve said it was all a misunderstanding: its HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user.
Misinterpretation of the rules also led to the exclusion of a more serious attack that likewise performed local privilege escalation through Steam. The company has updated its HackerOne program rules to state explicitly that these issues are in scope and should be reported.
A company spokesperson also stated that turning away Kravets’ first report was a mistake and that the company is reviewing the issue to determine what actions are necessary.
Valve shipped new fixes for both zero-days found by Kravets in an update to its beta client. After testing and review, these patches will be merged into the main client.
Earlier this year, HackerOne ranked Valve’s bug bounty program #9 in its Top 20 list of the best bug bounty programs running on its platform.
Valve stated that in the past two years it has collaborated with and rewarded 263 security researchers in the community for helping it identify and correct around 500 security issues, paying out over $675,000 in bounties.