Valve updates bug bounty rules after Steam zero-day controversy

PC gaming giant Valve has said that banning a security researcher who reported a zero-day vulnerability in its Steam gaming client was “a mistake”.

Last month Russian security researcher Vasily Kravets filed a bug report in which he revealed that Steam was vulnerable to a zero-day which left Windows 10 users at risk of attack.

However, at that time HackerOne (which runs Valve's bug bounty program) told him that the bug he discovered was out of the program's scope and that Valve had no intention of patching it. The bug in question was a local privilege escalation (LPE) issue which would allow malware already present on a user's device to use Valve's Steam client to gain admin rights and take full control over the system.

HackerOne's staff also forbade Kravets from publicly disclosing the vulnerability, but he eventually did so anyway and was banned from participating in Valve's bug bounty program. Valve did patch the bug disclosed by Kravets, but another researcher found a further bug only a few hours later. Kravets then published details about a second LPE he had found in the company's Steam client, as he was unable to report it through the proper channels.

Valve bug bounty program

Valve received a great deal of criticism for ignoring LPE vulnerabilities, as they are serious enough that most other companies patch them when they are discovered in their products.

In an email to ZDNet, Valve explained that the whole situation was a massive misunderstanding, saying:

"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam. We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported."

In an update to Steam's beta client, Valve has released fixes for both of the zero-day vulnerabilities discovered by Kravets, and once they are tested and reviewed, these patches will be released for its main client.

Via ZDNet
