This article is more than 1 year old

Steam cleaned of zero-day security holes after Valve turned off by bug bounty snub outrage

Security bod may be invited back into vuln reward program, Half-Life 3 still ain't happening

Games giant Valve is attempting to make nice with the infosec bod who disclosed zero-day exploits for vulnerabilities in Steam after the corporation refused to pay out bug bounties for the flaws.

On Thursday, Valve said it would patch both of the holes discovered by bug-hunter Vasily Kravets, and will consider reinstating Kravets into the biz's bug bounty program, run by HackerOne. "We have released updates to the Steam Client public beta channel to address these issues, and we have already pushed some initial fixes to all users," the US corp told us.

This comes after Kravets dropped the second of two zero-day elevation-of-privilege vulnerabilities in the Steam client software. Both would have potentially allowed an attacker to inject malicious code into the application, which, depending on the games installed, may run with administrator-level clearance. Either way, it was possible to hijack Steam to run malware or install spyware, as long as you already have some access to the victim's system: they basically turn a bad situation worse.

Initially, Valve, via HackerOne, declined to award any bounty or recognize the first vulnerability report, claiming that elevation-of-privilege holes did not qualify for the bounty program. When Kravets objected to the decision, he says there was an exchange that resulted in him being banned by Valve from its reward scheme.

That move prompted Kravets to publicly drop a second zero-day elevation-of-privilege exploit for Steam. This time, a .DLL injection oversight. "Since Valve decided to read a public report instead of private report one more time, I won’t take that pleasure away from them," Kravets quipped.


Microsoft: Reckon our code is crap? Prove it and $30k could be yours


The second security flaw report, it seems, along with condemnation from infosec professionals online, was enough to get Valve's attention. Shortly after news broke of the second bug disclosure, the multibillion-dollar biz issued the press (including El Reg) a statement reversing its decision.

"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user," Valve said in a statement to The Register. "Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam."

It continued: "We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program."

Valve did, however, stop short of promising to reverse Kravets' ban, saying, "we are reviewing the details of each situation to determine the appropriate actions." ®

More about


Send us news

Other stories you might like