Valve admits Steam security flaw mistake after banned researcher goes public

Valve admits it made a mistake disregarding a researcher's security flaw report submitted to its bug bounty program


Valve has admitted it made an error when it denied submissions by a security researcher disclosing potential flaws in Steam. The acknowledgement on Valve’s behalf comes shortly after a researcher, Vasily Kravets, publicly dropped the details of a zero-day vulnerability potentially exploitable within the Steam game platform following a poor interaction with the company.

Prior to this, and according to Kravets, Valve had refused to cough up any cash for a previous elevation-of-privilege flaw unearthed by the researcher, with the company claiming the severity of the flaw was too low to validate any payout. Valve even banned Kravets from its HackerOne-maintained bug bounty program following a further falling out regarding the matter (via The Register).

In response, Kravets publicly disclosed another elevation-of-privilege flaw within the Steam app. The severity of this flaw is similar to the last, and it would require some form of local access to exploit. However, Kravets argues that, due to the very nature of Steam as a marketplace to download and install third-party apps, this might not be all that hard to achieve. A dodgy dev with an untrustworthy installer could be all it takes to exploit the flaw and fill your PC up to its USB ports with malware.

But Valve has now accepted that it may have made a mistake in its classification of these flaws.

“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user,” Valve says to The Register. “Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.”


“We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.”

Valve’s bug bounty program offers cash rewards to anyone that can turn up and accurately report a security flaw in its system that could be used by a nefarious agent to carry out a malicious attack on a user through a breach of system privileges. Anyone except Kravets. Despite Valve’s new policy changes, he’s still banned from the program (but they are considering a ban reversal).

The Valve program offers $2,000+ for certain high-severity flaws. However, this pales in comparison to Microsoft’s recent Edge browser bounty program, which offers up to $30,000 for disclosures of critical flaws.

As for the two security flaws, Valve is reportedly patching both in updates occurring right now. The beta Steam client addresses the issues entirely, and some initial fixes have rolled out to the public release for all users.