In response to an open letter written by a group of developers and "concerned citizens" criticizing the company for its inconsistent handling of security issues on Steam, Valve has created a new security web page explaining its processes for handling reports but says there are no plans to introduce a "bug bounty program."
The letter begins by noting that Valve does not have a formalized system for rewarding bug reports, but will instead sometimes offer "rare economy items" to people who dig them up. It states that this is actually more harmful to the system than helpful, as it encourages casual players to report "questionable or entirely fabricated" bugs in the hopes of getting a new Team Fortress 2 hat, while minimizing interest among serious security researchers.
It also expresses concern over the lack of a clear system for reporting issues, and how Valve acknowledges and acts on those reports. Citing the Heartbleed bug, it says Valve took 24 hours to patch its servers, an unacceptable amount of time for a company "whose systems process sensitive data for millions of customers and partners." It also noted that Valve did not require password changes for all users, which led to further trouble a few days later and proved that Steam Partner credentials were "exposed and abused" as a result of the flaw.
Even so, "Valve have never made an announcement to partners or customers with regards to what data may have been exposed via Heartbleed," the letter states. "We believe Valve's response to Heartbleed was and remains unsatisfactory."
"We believe Valve are putting themselves, their customers, and their partners at risk by not having a well defined bug bounty policy; not having any clear instructions on how users can report bugs; and not being transparent with the various parties involved when serious bugs arise," the letter concludes. "We're all fans of Valve, and our ultimate goal is not to be an inconvenience, but to help make Valve's products and customers more secure."
In a response posted yesterday, Valve said it takes Steam security "very seriously" and believes its system is robust, but acknowledged that it hasn't always been entirely open about how it handles things. The new security page is meant to address that shortcoming by providing a clear method for reporting bugs—encrypted, if necessary—and a promise that all such reports will be acknowledged.
It also revealed that the inconsistency in its handling of bug reports in the past is the result of different teams within the company handling them individually and in different ways. "For Steam we have chosen to thankfully accept reports but otherwise offer no formal incentives," it says. "Other teams, in particular the Team Fortress 2 team, have slightly different processes and have chosen to offer small rewards for certain valuable reports."
Valve also emphasized that while its policy is not to "ban or admonish" people who report bugs or security flaws, it will take steps to protect its users from abuse of the system. "In cases where we determine someone to be causing harm we may take action to prevent further abuse," it wrote. "We expect partners and security researchers to be careful and responsible in both their research and disclosure of issues and when that happens we work closely with them and encourage their work."
It brings to mind the tale of Euro Truck Simulator 2 developer Tomas Duda, who was banned from Steam for one year for "reporting" a security flaw in community announcements by exploiting it to redirect users to a Harlem Shake video. He claimed he did so out of frustration that his initial report of the problem, made a few months prior, went ignored.
"I was talking about the script tag vulnerability multiple times. No one fixed it. Now I did Harlem Shake for fun (yay for #steamdb)," Duda explained in the wake of his ban. "Imagine if someone used the vulnerability to steal users' session IDs? Redirected to a phishing site?"
Duda has since had his ban removed, which, while a happy ending, also serves to highlight the inconsistency in Valve's approach. And based on Valve's response, not much has changed beyond a link and a promise to do better. The authors of the letter describe it as a "step in the right direction" but note that some points remain unaddressed, and said the post will be updated with future communications with Valve as they become available.