In an open letter to Valve, security specialists and developers have called out “Valve’s inconsistency in rewarding those who report bugs (occasionally punishing people), the speed at which Valve addresses bug reports (if at all), and the problems users face attempting to report bugs to Valve.” Saying that all of this is making an insecure client “whose systems process sensitive data for millions of customers and partners.”
The writers include members of the SteamDB group, Team Fortress Wiki, Stanley Parable developer Galactic Cafe, and gaming community Firepowered.
The first criticism the letter raises is Valve’s lack of bug bounty program. Or, at least, not a consistent one. While Valve has no stated reward program for bugfinding, “over the past few months with individuals [have received] rare economy items as a reward for reporting bugs (particularly bugs with a heavy impact on the virtual economies within Steam)” but the writers “believe ... is harmful to Valve’s products and reputation as a company, as this practise encourages casual gamers (the audience of Steam’s virtual economies) to find and report bugs which are often either questionable or entirely fabricated in hope to get a rare economy item, and we believe this practise dissuades experienced security researchers to pay any real attention to Valve’s products – as they would receive no compensation for their work.”
They point to Facebook and Google’s bug bounty programs, as examples of how to attract the best security researchers. “Facebook offers a $500 minimum reward, and Google’s rewards range from $100 to $20,00.” They call the current lack of a defined bounty system and occassional virtual gifts “both reckless and insulting to experienced security researchers.”
They also criticise the fact there’s no clear way to report bugs to Valve and that when you do get Valve’s attention “a few members of the developer community ... have received infractions against their accounts for the discovery and disclosure of bugs – a subset of which are similar to those that have been rewarded with economy items. This is further damaging, as it introduces uncertainty with regards to the fate of individuals who come across bugs: are they going to be punished or rewarded?”
Finally, the letter writers highlight the sluggishness with which Valve act when a bug is successfully reported. “In recent months a critical bug was found within OpenSSL, Heartbleed; this bug was huge – it affected a lot of the working web at the time it was published ... [I]t allowed malicious users to easily read the memory of systems which were vulnerable to it ... it took approximately 24 hours for Valve to patch their servers ... this delay in action is unacceptable for a company like Valve – whose systems process sensitive data for millions of customers and partners.
“During this time we caught the occasional mention that Valve’s servers were indeed leaking sensitive information (such as partner session IDs, logins and cleartext passwords), however upon patching the bug Valve did not mandate a password reset ... Additionally, Valve have never made an announcement to partners or customers with regards to what data may have been exposed via Heartbleed. We believe Valve’s response to Heartbleed was and remains unsatisfactory.”
Valve’s silent treatment’s been criticised in the past but that’s not changed how they operate, the company has even hinted that it’s proud of its silent ways. But when it comes to security issues they should make an exception, as the letter states, they’re dealing with millions of people’s details, it can’t be insecure or buggy.
And in a break from tradition, Valve have responded:
"Pavel et al, thank you for your concern for Steam and Valve. We take security very seriously, and your email prompted us to evaluate our current procedures. In light of that we have recently created a new security web page which explains our process for receiving and responding to security reports (http://www.valvesoftware.com/security). We believe our process is robust but we understand that we haven’t been completely transparent about the process and that has created some confusion. We hope that the above page helps to add clarity and discoverability.
"Each team at Valve has slightly different requirements and goals when working on security reports, for Steam we have chosen to thankfully accept reports but otherwise offer no formal incentives. Other teams, in particular the Team Fortress 2 team, have slightly different processes and have chosen to offer small rewards for certain valuable reports. We don’t plan on establishing any formal bug bounty programs for any of our products at this time.
"It is our policy to not ban or admonish users due to responsible research and disclosure of security issues. Our intent is always to make it safe and easy for researchers to report issues, but we do need to protect users from cases where abuse of the system that negatively affects others is occurring. In cases where we determine someone to be causing harm we may take action to prevent further abuse. We expect partners and security researchers to be careful and responsible in both their research and disclosure of issues and when that happens we work closely with them and encourage their work.
"All of us at Valve"
So no bounty program but the new, more clear way to report bugs is welcome. (Though it does look remarkably similar to another company's security page.)