Valve admits mistake in rejecting zero-day vulnerability report by security researcher

Updates bug bounty rules and releases fixes for two zero-day vulnerabilities - but researcher says he's still banned

Valve has finally accepted that it was a mistake on its part to turn away the security researcher who reported vulnerabilities in the Steam gaming client.

The company said it has now updated its bug bounty rules and also released fixes for the zero-day vulnerabilities discovered by the security researcher.

"Our HackerOne programme rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam," the company told Ars Technica.

"We have updated our HackerOne programme rules to explicitly state that these issues are in scope and should be reported," it added.

Regarding the ban on the security researcher who disclosed the bugs in the public domain, the company said it was "reviewing the details of each situation to determine the appropriate actions".

According to Valve's new rules for its HackerOne programme, any vulnerability that allows compromised software or malware to carry out a privilege escalation through Steam, without confirming a UAC dialogue or providing administrative credentials, is in scope.

Valve's statement and its policy changes come a couple of days after Russian security researcher Vasily Kravets disclosed a second zero-day vulnerability in the Steam gaming client in the public domain on 20th August.

Kravets said he was forced to disclose the bug publicly as the company had banned him from submitting further bug reports via the HackerOne programme.

Kravets revealed that he had received an email from Valve's security team telling him that the company would not accept any vulnerability report from him in future.

"Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection programme (the rest of H1 is still available though)," Kravets wrote in a blog post.

The saga around Valve's Steam client service started earlier this month, when Kravets disclosed an elevation of privilege/local privilege escalation (EoP/LPE) flaw affecting the Steam service. Kravets said he reported the flaw to Valve, but that his report was rejected by the company for being out of scope.

On 7th August, Kravets released the details of the flaw in the public domain.

Valve's response during this entire episode irked security professionals and Steam users, who criticised the company for its poor handling of the vulnerabilities reported by security researchers.

Valve, however, argued that the issue revealed by Kravets was not very serious as the exploit would have required an attacker to have physical access to a vulnerable system.

Valve's arguments led to a massive outcry among Steam users, eventually forcing the company to release a fix for the flaw.

But the patch released by Valve was found to be insufficient, as a second security researcher claimed that he had found an easy way to bypass it.

Matt Nelson, an independent researcher, said that he had notified Valve in June about the same Steam flaw that Kravets found, but his report was also rejected for being out of scope.

Nelson has now welcomed Valve's admission that it was mistaken to reject the vulnerability report submitted by Kravets.

Kravets, however, told Ars Technica on Thursday that he was still unable to access Valve's bug-reporting section of HackerOne and had not received any communication from Valve about the status of his ban.