Valve has recently courted controversy among those in the white-hat hacker circle. The company, via cybersecurity firm HackerOne, rejected a bug report by an independent security researcher. Said researcher was not only banned from reporting more bugs, but also found a second one of the same nature.
Security researcher Vasily Kravets first reported on a vulnerability on Steam that allowed existing malware in a Windows PC to gain admin access via the Steam app. Kravets then reported to HackerOne, only to be told that the vulnerability was out of scope. He then disclosed the vulnerability publicly earlier this month. This got him banned form reporting more bugs to Valve via HackerOne.
Valve issued a patch after the public disclosure, but another security researcher, Xiaoyin Liu said that it’s possible to bypass the fix. Kravets has also since found another vulnerability, which also gives existing malware admin rights.
A third security researcher, Matt Nelson, also found one of the bugs discovered by Kravets. He, too, made a report to HackerOne, only to get the same response as Kravets did. Nelson then reported his discovery directly to Valve. The company acknowledged the report but told Nelson that he “shouldn’t expect any further communication”.
Valve claims to have since fixed both vulnerabilities, and updated its HackerOne program rules to state that bugs of such nature are within scope. The company chalked up the previous rejection of the bug report as a misinterpretation of of the bug bounty rules. All that said, it appears that Kravets’ ban from reporting more bugs has not yet been reversed.