

Links:

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire  

Valve:

https://threatpost.com/gamers-zero-day-steam-client-affects-windows/147225/

https://hackerone.com/valve

https://amonitoring.ru/article/onemore_steam_eop_0day/

https://threatpost.com/researcher-discloses-second-steam-zero-day-after-valve-bug-bounty-ban/147593/

https://www.zdnet.com/article/researcher-publishes-second-steam-zero-day-after-getting-banned-on-valves-bug-bounty-program/

https://twitter.com/enigma0x3/status/1160961861560479744

https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/

https://www.zdnet.com/article/valve-patches-recent-steam-zero-days-calls-turning-away-researcher-a-mistake/

Oh, Valve… Pushing away security researchers is definitely not a good look on you. A couple of weeks ago, a researcher named Vasily Kravets, AKA Felix, found a privilege escalation vulnerability that could allow an attacker to gain control over Windows machines with Steam installed. Kravets found that he could use symbolic links to make a Windows machine launch services or executables with full privileges, leading to the potential for machine takeovers. Steam is a video gaming client that allows users to purchase, play, and build communities around games. Over 90 million users are currently active with Steam clients, with over a billion registered users. Valve, the company behind Steam, received Kravets’ report through their bug bounty program at HackerOne but denied it, saying the flaw was not applicable because it required physical access. Kravets, disagreeing with the company, later dropped it publicly as a zero day, 45 days after he disclosed the problem to them. Valve then published a patch, but the researcher said that too could be bypassed.

Last week, Kravets disclosed that he had actually been banned from submitting any more bugs to Valve’s bug bounty program on HackerOne, though he continued to have access to the rest of the website’s disclosure clients. Since he was unable to disclose it through the bug bounty program, Kravets posted a blog on his own website detailing a second privilege escalation vulnerability in Steam. This one stems from Steam’s insecure folder permissions, an insecure branch of the registry, and insufficient verification in the gaming client’s self-updating feature; together, these result in the vulnerability.

According to Kravets, an attacker would not need physical access. At the time of his posts, he had not heard from Valve, but other security researchers came out against Valve’s very strict guidelines for reporting bugs, specifically stating that if a vulnerability doesn’t fall into one of their bug bounty categories, they simply would not even look into it.

Days later, due to public scrutiny, Valve apologized. In emails to journalists, Valve stated that turning away the security researcher was incorrect and a mistake. Valve shifted blame to HackerOne’s team, saying they misinterpreted Valve’s bug bounty program specs and considered Kravets’ research to be out of scope, while it indeed was within the scope of the program. Valve is updating their bug bounty program to be more descriptive and is reviewing Kravets’ ban from their program. As of the day of reporting, he is still banned.

I agree with other security researchers that banning researchers and keeping bug bounty programs so strict only harms the people who use the software from said companies, and causes rifts between companies and researchers who practice ethical security disclosure. I hope that this outcome serves as an example to other companies that run bug bounty programs.


Comments

Anonymous

Had no idea Valve mishandled this security bug threat so badly. Will keep this in mind. But glad they remedied the mistake.