According to Ars Technica, Valve has admitted in a that turning away a researcher who discovered two separate vulnerabilities in Steam’s system was ‘a mistake’.
The researcher apparently reported the bugs through Valve’s HackerOne bug bounty program, but had his report “classified as out of scope” and was rejected. The company says that the mis-classification of the report was a mistake.
You can read Valve’s entire statement on the issue below:
We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.
Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.
In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We aren’t going to discuss the details of each situation or the status of their accounts at this time.
Ars Technica say that the statement came just two days after security researcher Vasily Kravets was informed that Valve would not longer receive any bug reports filed through HackerOne from him.
Kravets’ original reports regarding two individual Steam vulnerabilities that would allow hackers access to previously compromised systems were rejected by Valve and deemed out of scope.
On Thursday, the same day that Valve’s statement was issued, Kravets told Ars that he had “yet to receive any communication from Valve and that he remained locked out of the Valve bug-reporting section of HackerOne.”