Valve has expanded a scheme in which it pays “ethical hackers” for discovering security flaws in Steam after it mistakenly dismissed a valid vulnerability reported by a researcher.
Researcher Vasily Kravets’s reports of a Steam vulnerability were dismissed because they were believed to be outside the scope of the scheme, and Kravets was told Valve’s security team would no longer receive his reports through the HackerOne bounty program. After Kravets made a second security flaw public this week, Valve patched both vulnerabilities and admitted its mistake.
“We are…aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake,” it told Ars Technica.
“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
“We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported.” The company did not comment on Kravets’s status in the program, saying only that it was “reviewing the details of each situation to determine the appropriate actions”.
Valve has paid out more than $675,000 in bounties to 263 security researchers through the program over the last two years, it added.