The HackerOne bounty program was improved

Aug 27, 2019 10:08 GMT  ·  By

A security researcher found a severe local privilege escalation vulnerability in Steam, but his report was dismissed by Valve. The company has now acknowledged the mistake and changed the rules of its HackerOne bounty program.

Modern software such as Valve’s Steam distribution platform is so complex that no in-house team can realistically find and fix every vulnerability. That is why bug bounty programs such as the one Valve runs through HackerOne exist: to encourage outside researchers to find problems, report them directly to the vendor, and get paid for doing so.

It seems like a no-brainer, and a company that fails to make use of an eager research community is making a mistake. That is exactly what Valve did when it rejected and ignored an accurate report from a security researcher that revealed a significant problem in the Steam client.

The excuse is a problem in itself

Valve issued a statement to Ars Technica explaining why the report was dismissed, while also admitting its mistake. The reason, it turns out, was not a technical one: a human triager (not an automated filter) rejected the report because it appeared to fall under an exclusion in the HackerOne program rules.

“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam. We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported,” explained Valve.

The HackerOne program rules were changed to state explicitly that local privilege escalation through Steam is in scope, so such reports can no longer be turned away on a technicality. As for the original vulnerability, the Steam client was updated with a fix shortly after the researcher published the details, which in the end vindicates his decision to go public.