Earlier this week an independent security researcher Vasily Kravets published details of a security flaw in Valve’s Steam software.
While this isn’t usually how things go, Kravets had tried to report the vulnerabilities to Valve using HackerOne but his reports were rejected. He was subsequently banned from submitting reports to Valve through the platform.
At the time, Kravets was told that the bug he discovered was not in scope for Valve’s bug bounty programme, given that the vulnerability allowed escalation of privilege attacks to take place should an attacker already have control of a machine.
As Ars Technica points out, this response did not go over well with the infosec community where escalation of privilege vulnerabilities are routinely dealt with.
Now Valve has said that turning Kravets away was a mistake.
“We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake,” Valve said in a statement.
“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.”
The firm said that it has updated its HackerOne rules to include escalation of privilege flaws and highlighted that these should be reported.
However, Kravets remains unable to submit reports to Valve through HackerOne. Whether or not publicly disclosing and detailing the vulnerability has stoked the ire of HackerOne is unclear.