Valve recently attracted a great deal of criticism from the cyber-security community after turning away a researcher who discovered a number of zero-day vulnerabilities in Steam, and ultimately blocking him from its bug bounty platform. Valve has now acknowledged the entire incident, and after patching the two potentially serious Local Privilege Escalation (LPE) vulnerabilities, the company has called the treatment meted out to the researcher a mistake and has also updated its bug bounty program guidelines. It is worth noting that the Valve partner handling the report at first refused to recognize the zero-day flaw as a serious issue, prompting the security researcher to disclose it publicly.
Russian security researcher Vasily Kravets discovered a Local Privilege Escalation (LPE) issue in Steam and proceeded to submit a bug report. HackerOne, the Valve partner managing the Steam bug bounty program, called the report out of scope and pointed out that Valve had no intention of patching it. In addition, they forbade Kravets from disclosing the issue publicly, leaving countless Steam users vulnerable to a flaw that could allow local malware to exploit the Steam app to gain admin rights and eventually take over the host.
Nevertheless, the security researcher ultimately went public with his discovery, which led to him being banned from the bug bounty program by HackerOne. And even though Valve later rolled out a patch to fix it, an alternative method to exploit it was quickly discovered. To make matters worse, Kravets eventually found a second LPE vulnerability and published it on his own, given that he was not able to submit a bug report.
The entire saga painted an unfavorable image of Valve as a business that is reckless with security and deals with such vulnerabilities in a careless fashion, in addition to treating researchers harshly. But it appears that Valve has now released a patch to fix the two LPE flaws in Steam and, more importantly, has admitted that ignoring Kravets’ first report was a mistake. Valve also noted that the whole saga was due to a misunderstanding of its bug bounty rules.
“Our HackerOne program guidelines were meant only to omit reports of Steam being advised to release previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the guidelines likewise caused the exclusion of a more major attack that likewise carried out local privilege escalation through Steam,” Valve was quoted as saying by ZDNet. In addition, the company behind Steam has updated the guidelines of its bug bounty program to avoid such incidents in the future. While Valve’s rule change is reassuring, the affected researcher is still banned from the Steam bug bounty program run by HackerOne.