Valve updates bug bounty rules after Steam zero-day controversy

PC gaming giant
has said that banning a security research who reported a
zero-day vulnerability in its Steam
gaming client was “a mistake”.

Last month Russian security researcher Vasily Kravets filed a
bug report in which he revealed that Steam was vulnerable to a
zero-day which left
Windows 10 users at risk of attack

However, at that time
(which runs Valve’s bug bounty program) told him that
the bug he discovered was out of the program’s scope and that Valve
had no intention of patching it. The bug in question was a local
privilege escalation (LPE) issue which would allow
already present on a user’s device to use Valve’s Steam
client to gain admin rights and take full control over the

HackerOne’s staff also forbade Kravets from publicly disclosing
the vulnerability but he eventually did so anyway and was banned
from participating in Valve’s bug bounty program. Valve did patch
the bug disclosed by Kravets but then another researcher found
another bug only a few hours later. Kravets then published details
about a second LPE he found in the company’s Steam client as he was
unable to report it through the proper channels.

Valve bug bounty program

Valve received a great deal of criticism for ignoring LPE
vulnerabilities as they are serious enough that most other
companies issue patches for them when discovered in their

In an email to ZDNet, Valve explained that the whole situation
was a massive misunderstanding, saying:

“Our HackerOne program rules were intended only to exclude
reports of Steam being instructed to launch previously installed
malware on a user’s machine as that local user. Instead,
misinterpretation of the rules also led to the exclusion of a more
serious attack that also performed local privilege escalation
through Steam. We have updated our HackerOne program rules to
explicitly state that these issues are in scope and should be

In an update to Steam’s beta client, Valve has released fixes
for both of the zero-day vulnerabilities discovered by Kravets and
once they are tested and reviewed, these patches will be released
for its main client.


Source: FS – All Tech News 2
Valve updates bug bounty rules after Steam zero-day controversy