Valve Solves Bug Report Scandal With Fixes And Rule Modifications

Recently, an email from Valve Corporation informed that the gaming giant had taken certain measures in response to its recent bug reporting debacle. Its solutions included sending bug fixes to customers of Steam, updating rules regarding the bug bounty program, and reconsidering the restrictions placed on the researchers involved.

Valve’s bug reporting scandal

This reaction serves as an answer after being harshly criticized by netizens for how poorly Valve Corporation, and HackerOne – the platform on which it organizes a bug-finding program – responded to a recent vulnerability report.

Last month, a security researcher from Russia named Vasily Kravets reported a technical error in one of the Steam games. Instead of receiving recognition, Kravets was neglected by the staff of HackerOne. The bug was said to be out of the bug bounty program’s scope, and therefore would not be fixed by Valve.

The defect found by was a type of local privilege escalation (LPE) problem, which allows players to gain special access to restricted parts of a game. Generally, this problem is not as alarming as one in the remote code execution (RCE) category. Nonetheless, it still requires repairment as it creates a gap for already-existing malware to acquire administration rights using Steam and gain complete control over a certain host.

Despite Valve’s lack of effort in fixing the bug, HackerOne staff opposed to the publication of Kravets’ findings, indirectly allowing millions of gamers on Steam to take advantage.

Ignoring HackerOne, Kravets revealed the vulnerability in detail and consequently got banned from the bug bounty program of the company.

In response, Valve sent out a solution for the vulnerability discovered by Kravets. However, this fix was nullified within mere hours as a different researcher figured out a way to counter it.

After all, Valve is the one who suffered the most damage, being deemed somewhat vile for avoiding giving out rewards to bug finders, and for disregarding devoted researchers who just found a vulnerability.

Modification in bug bounty rules

Most criticisms and discussions targeting Valve talk about how the corporation intentionally ignored LPE bugs, which are usually looked after carefully by most developers and companies.

Nevertheless, Valve refused those opinions in their email to ZDNet, calling this whole thing a total misunderstanding. In their explanation, Valve claimed that their bug bounty program rules were set to remove reports about Steam being ordered by the user to run already-existing malware on his or her computer. However, misunderstanding of the regulations can result in the negligence of a greater possible attack that carries out LPE via Steam. To counter this problem, Valve stated that it had altered its rules and regulations so that such kinds of problems are recognized as in scope and necessary to be reported.

About the ban on researchers

A representative from Valve also addressed the way Kravets’ first discovery was treated as “a mistake.” As per Kravets, his restriction in the bug bounty program of Valve has yet to be lifted.

Valve also sent out new updates to the beta players, including fixes for Valve’s both zero-days. After receiving feedback and perfecting its work, Valve will publish these updates to their main customer base.

Valve’s program was ranked at number 9 out of 20 best bug-finding programs operating on HackerOne. According to a spokesperson, the company has received reports and sent out rewards to 263 researchers in the security research community. Ever since 2017, this kind of collaboration has helped Valve determine and fix approximately half a million technical issues, in return for almost 700 million USD as bounties.