Valve admits it made ‘a mistake’ ignoring reported security flaws

Valve has acknowledged it was wrong to dismiss a security flaw on the basis that the reported issue was “out of scope” of its HackerOne program.

Researcher Vasily Kravets reported two separate vulnerabilities but their reports were dismissed by Valve as the exploits didn’t meet the program’s “scope”. As the company “gave no indication” that the issues would be addressed, Kravets made the second security flaw public last week, prompting Valve to admit its “mistake” and patch both issues. 

“We are […] aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake,” Valve told Ars Technica. “Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.

“We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported.” 

The company further added that in the past two years, it has “collaborated with and rewarded” 263 security researchers who have identified and reported “roughly 500” security issues, paying out $675,000 in bounties. 

In regards to specific researchers such as Kravets, Valve said it is “reviewing the details of each situation to determine the appropriate actions” but was not “going to discuss the details of each situation or the status of their accounts at this time”.

About Vikki Blake

It took 15 years of civil service monotony for Vikki to crack and switch to writing about games. She has since become an experienced reporter and critic working with a number of specialist and mainstream outlets in both the UK and beyond, including Eurogamer, GamesRadar+, IGN, MTV, and Variety.

Check Also

When We Made… Remnant II

David Adams, Remnant II game director and president of Gunfire Games, tells Vince Pavey about the work that went into developing the sequel to Remnant: From the Ashes as the pair avoid catching Root Rot