Bug Hunter Complains About Lack of Steam Bounty

A bug hunter revealed details of two flaws in the gaming platform Steam. Parent company Valve angered him by refusing to pay him a bounty (via the Register).

No Bug Bounty Paid

Vasily Kravets originally revealed details of an elevation of privilege error earlier this month. “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” Kravets noted.

However, he said his report was marked “n/a” on June 16, with the reason given as: “Attacks that require the ability to drop files in arbitrary locations on the user’s filesystem.” Mr. Kravets said he received a similar response from HackerOne.

He explained:

I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne.

Frustrated, he made the flaw public.

Second Steam Flaw Revealed

On Tuesday, he disclosed a second elevation of privilege flaw on Steam. By this point Valve had removed him from its bug bounty program. “Valve keeps failing,” he complained.

Valve had not offered a public comment at the time of this writing. Both flaws required an attacker to have access to the target machine. Consequently, neither is deemed critical.
