A Russian bug bounty hunter has had it up until here (you can’t see but our hand is raised above our heads) with Valve after it refused to pay him a bounty for a bug he discovered in Steam.
The bounty hunter in question is Vasily Kravets and following what The Register describes as “a series of poor interactions” with Valve and HackerOne, he had his bounty denied.
“Not long ago I published an article about Steam vulnerability. I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program,” wrote Kravets in a blog post we won’t be linking to as it contains details of the exploit.
Despite this, Kravets has discovered yet another elevation of privilege bug in Steam and rather than informing Valve, he has published details of the zero day flaw online.
Now, before you start quivering at the prospect of hackers now have tools to access your game library, the flaw requires existing local access to a machine and the ability to transfer files to a target machine. We’d argue that a ne’er-do-well having access to your PC is already a problem but we digress.
Should an attacker have access to a machine and follow Kravets instructions they could load malicious DLLs onto the machine and sow even more havoc than they already can.
Valve has yet to comment on this matter but given its history with Kravets its unlikely it will reward the bounty hunter for his efforts, especially now that he has published the details online for all to see.