A bug-hunter revealed details of two flaws with gaming platform Steam. Parent company Valve angered him by refusing to pay him a bounty (via the Register).

No Bug Bounty Paid

Vasily Kravets originally revealed details of an elevation of privilege error earlier this month. “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” Kravets noted.

However, he said his report was marked “n/a” on June 16, with the stated reason: “Attacks that require the ability to drop files in arbitrary locations on the user’s filesystem.” Mr. Kravets said he received a similar response from HackerOne.

He explained:

I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne.

Frustrated, he made the flaw public.

Second Steam Flaw Revealed

On Tuesday, he disclosed a second elevation of privilege flaw on Steam. By this point Valve had removed him from its bug bounty program. “Valve keeps failing,” he complained.

Valve had not offered a public comment at the time of this writing. Both flaws required an attacker to already have access to the target machine. Consequently, neither is deemed critical.
