Valve Admits Mistake in Turning Away Researcher, Patches Zero Day

Valve is admitting that it made a mistake when it turned away a researcher who discovered a zero day. They have since patched Steam.

It’s a fairly classic scenario in bug tracking in general. The developer opens up a forum for public feedback. Someone reports a bug in the system. The developer, in turn, reviews the bug report and says it’s not worth fixing. The fact that the developer is actively picking and choosing which bugs to fix and which ones they feel is not worth fixing then leads to frustration on both sides.

Recently, there was a risk of something similar with Valve and a security researcher. Valve maintains a bug bounty system for its Steam service. The idea is that people from all walks of life can prod and poke the system, looking for vulnerabilities. If anything is found, they can report it to Steam so Steam can fix it. This type of system is generally an ideal setup in the software development world. Not only does it reward honesty, but it also helps make the end product much more secure.

A researcher did find a bug in the system. Valve reviewed the bug and determined that it wasn’t within the bounds of the bug bounty program. This led to frustration on the researchers part. More from ZDNet:

The bug report was filed by Russian security researcher Vasily Kravets last month, but the HackerOne staff told him the bug was out of the program’s scope, and that Valve did not intend to patch it.

The bug was a local privilege escalation (LPE) issue, which is not as dangerous as a remote code execution (RCE) vulnerability, but dangerous nevertheless, as it allows malware already present on a computer to use the Steam app to gain admin rights and take full control over a host.

Even if Valve did not intend to fix the bug, the HackerOne staff forbade Kravets from publicly disclosing the vulnerability, meaning tens of millions of Steam users would have remained vulnerable to attacks.

Kravets eventually disclosed details about the vulnerability and was banned from Valve’s bug bounty program, as a result.

The report goes on to say that the bug has since been patched. Valve admitted that it was a mistake to turn the researcher away and that they were revising the rules surrounding the bug bounty program. They also say that this whole situation was a massive misunderstanding.

Some critics are saying that the researcher isn’t exactly 100% innocent in all of this given that he disclosed the bug – contrary to the rules of the system. Still, this does show the rather precarious relationship companies have with people offering feedback for their products.

Drew Wilson on Twitter: @icecube85 and Facebook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: