
Valve admits it mistakenly dismissed Steam security flaw


Valve has expanded a scheme in which it pays "ethical hackers" for discovering security flaws in Steam after it mistakenly dismissed a valid vulnerability reported by a researcher.

Researcher Vasily Kravets's reports of a Steam vulnerability were dismissed because they were believed to be outside the scope of the scheme, and Kravets was told Valve's security team would no longer receive his reports through the HackerOne bounty program. After Kravets made a second security flaw public this week, Valve patched both vulnerabilities and admitted its mistake.

"We are...aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake," it told Ars Technica.

"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.

"We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported." The company did not comment on Kravets's status in the program, saying only that it was "reviewing the details of each situation to determine the appropriate actions".

Valve has paid out more than $675,000 in bounties to 263 security researchers through the program over the last two years, it added.