Valve recently attracted a lot of criticism from the cyber-security community after turning away a researcher who discovered a couple of zero-day vulnerabilities in Steam, and eventually blocked him from its bug bounty platform. Valve has now taken cognisance of the whole incident, and after patching the two potentially serious Local Privilege Escalation (LPE) vulnerabilities, the company has called the treatment meted out to the researcher a mistake and has also updated its bug bounty programme rules. What is worth noting is that the Valve partner handling it initially refused to recognise the zero-day flaw as a serious issue, prompting the security researcher to disclose it publicly.
Russian security researcher, Vasily Kravets, discovered a Local Privilege Escalation (LPE) issue in Steam and proceeded to file a bug report. HackerOne, the Valve partner overseeing the Steam bug bounty programme, called the report out of scope and pointed that Valve has no intentions to patch it. Additionally, they forbade Kravets from disclosing the issues publicly, leaving millions of Steam users vulnerable to a flaw that could enable a local malware to exploit the Steam app for gaining admin rights and eventually taking over the host.
However, the security researcher eventually went public with his discovery leading to him being banned from the bug bounty programme by HackerOne. And even though Valve later rolled out a patch to fix it, an alternative way to exploit it was soon discovered. To make matters worse, Kravets eventually discovered a second LPE vulnerability and published it on his own, since he was unable to file the bug report.
The whole saga painted a negative picture of Valve as a company that is reckless with security and handles such vulnerabilities in an irresponsible fashion, in addition to treating researchers badly. But it appears that Valve has now rolled out a patch to fix the two LPE flaws in Steam, and more importantly, has admitted that ignoring Kravets’ first report was a mistake. Valve also noted that whole saga was due to a misunderstanding of its bug bounty rules.
“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam,” Valve was quoted as saying by ZDNet. Additionally, the company behind Steam has updated the rules of its bug bounty program to avoid such incidents in the future. While Valve’s rule change is reassuring, the victim researcher is still banned from the Steam bug bounty program run by HackerOne.