SoylentNews is people
SoylentNews
from the oops,-what-I-meant-to-say-was... dept.
Submitted via IRC for SoyCow1984
Valve says turning away researcher reporting Steam vulnerability was a mistake
In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities.
In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. The company also writes:
We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.
Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.
In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We aren't going to discuss the details of each situation or the status of their accounts at this time.
Valve's new HackerOne program rules specifically provide that "any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope."
The statement and the policy change from Valve came two days after security researcher Vasily Kravets, an independent researcher from Moscow, received an email telling him that Valve's security team would no longer receive his vulnerability reports through the HackerOne bug-reporting service. Valve turned Kravets away after he reported a Steam vulnerability that allowed hackers who already had a toe-hold on a vulnerable computer to burrow into privileged parts of an operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one Kravets reported would be fixed. that allowed hackers who already had a toe-hold on a vulnerable computer to burrow into privileged parts of an operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one Kravets reported would be fixed.
Valve's response rankled hackers and security professionals because so-called privilege-escalation vulnerabilities are something that Google, Microsoft, and mature open source developers routinely and readily fix in their products. Valve's contention that a demonstrated flaw of this type wasn't a legitimate vulnerability ran counter to long-standing security norms. As criticism mounted, Valve quietly issued a patch, but researchers found that it could be bypassed. To make matters worse, Kravets on Tuesday publicly disclosed a new privilege escalation vulnerability in Steam. Valve's Thursday statement said both vulnerabilities reported by Kravets have now been fixed.
(Score: 5, Insightful) by Revek on Friday August 23 2019, @07:53PM (5 children)
How is turning away someone who is helping to secure your product even remotely advisable?
This page was generated by a Swarm of Roaming Elephants
(Score: 2, Insightful) by Anonymous Coward on Friday August 23 2019, @08:15PM (1 child)
Fuckups happen. I work at a company that once screwed up a vulnerability disclosure. We were switching between outside groups handling our bug bounty program. (There are a few companies like HackerOne. After a merger, several of our business units were standardising that sort of thing.) A hacker properly filed a totally valid bug report on the old one, and then we switched vendors and screwed up and never followed up with the report on the system we no longer used. A few months later, after the sane embargo period passed without us having fixed the bug, they started reporting it to our customers and we got a bunch of angry phone calls.
We were super embarrassed, and a few managers were angry enough to talk about trying to sue the researcher for maybe technically having slightly violated a rule on the bug bounty system if you squinted hard enough. Thankfully, we never did anything insane like sue the researcher. But yeah, there are humans in the loop on these things, and that means fuckups are going to happen. Things will get misclassified. Subtleties will get missed. People will lose track of tickets, or misread disclosures, etc. Pobody's Nerfect. You have a ton of crap coming in to those disclosure systems, and some of it is more serious than others. Some of of it just dumb nonsense that people file to try and get a bug bounty when nothing is really wrong, and a human has to sort through all of it to find the gems.
Valve ack'd the mistake, so this is about as well as you can expect things to work in the real world.
(Score: 2, Interesting) by Anonymous Coward on Friday August 23 2019, @09:58PM
I can't give Valve or HackerNone the benefit of the doubt on this one. They turned the same researcher away on two separate vulnerability reports. If it had happened once, I could maybe give them a pass (though their rejection overflowed with many much weak sauce). But the same guy twice, especially after his first report tuned out to be a serious vulnerability? Sorry, but no.
It's true there are humans involved. But in this case there were stupid, arrogant humans who turned him away the first time while also telling him he could not disclose the vulnerability they said wasn't a vulnerability. HackerNone can't have it both ways. And since they officially represent Valve on these matters, and are still representing Valve after these events, Valve is just as much to blame.
(Score: 1) by nitehawk214 on Friday August 23 2019, @08:18PM
The manager was looking to cover their own ass. Though I can't imagine how they wouldn't think this would eventually become public.
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 2) by ikanreed on Friday August 23 2019, @08:54PM (1 child)
How often does someone come to you making a generous offer out of nowhere for your own good and your "Am I being scammed?" instinct doesn't immediately kick in?
(Score: 4, Touché) by Anonymous Coward on Friday August 23 2019, @09:37PM
Probably often enough if you have a BUG BOUNTY PROGRAM.