Valve updates bug bounty rules after Steam zero-day controversy

PC gaming giant Valve said the ban on a security researcher who reported a zero-day vulnerability in its Steam game client was "a mistake."

Last month, Russian security researcher Vasily Kravets filed a bug report in which he said Steam was vulnerable to a zero-day that left Windows 10 users at risk.

However, at the time HackerOne (which runs Valve's bug bounty program) told him that the bug he found was out of scope for the program and that Valve wasn't going to patch it. The bug is a local privilege escalation (LPE) issue that would allow malware already present on a user's device to use Valve's Steam client to gain administrator rights and take full control of the system.


HackerOne staff also forbade Kravets from publicly disclosing the vulnerability, but he eventually did so anyway and was banned from participating in Valve's bug bounty program. Valve patched the bug uncovered by Kravets, but another researcher found another bug only a few hours later. Kravets then posted details about the second LPE vulnerability he found in the company's Steam client, as he was unable to report it through the appropriate channels.

Valve's bug bounty program

Valve has received a lot of criticism for ignoring LPE vulnerabilities, as they are severe enough that most other companies release patches for them when they are discovered in their products.

In an email to ZDNet, Valve explained that the whole situation was a massive misunderstanding, saying:


"Our HackerOne program rules were only intended to exclude reports of Steam being instructed to run previously installed programs on a user's computer as a local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack, which also performed local privilege escalation through Steam. We've updated our HackerOne rules to clearly state that these issues are in scope and should be submitted."

In an update to the Steam beta client, Valve has already released a patch for the zero-day vulnerability discovered by Kravets. Once the patches are tested and verified, they will be released for the main client.


Via ZDNet

