Last year, Valve began offering bounties to ethical hackers who could exploit security risks in its services. Through this program, the company has paid out over $675,000 in bounties since its inception (with an average payout of $750) via HackerOne, a hacker-powered security site. Recently, however, Valve dismissed the findings of one of the program's researchers, Vasily Kravets, going so far as to deny him the ability to submit further reports. The company has since rescinded its initial judgment and made a public statement admitting its mistake.
The initial report submitted through HackerOne to Valve by Kravets identified a security bug that “allowed hackers who already had a toe-hold on a vulnerable computer to burrow into privileged parts of an operating system,” according to an Ars Technica article. The report was originally classified as “out of scope” and dismissed. According to the statement made by Valve, provided by Ars Technica, “We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.” Following the misclassification, Valve decided to stop accepting reports from Kravets.
“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam,” reads the statement. Valve has since revised its HackerOne rules “to explicitly state that these issues are in scope and should be reported.”
As for Kravets himself, however, the statement did not clarify much, saying only that each situation will be reviewed on a case-by-case basis before appropriate action is taken: “We aren’t going to discuss the details of each situation or the status of their accounts at this time.” Kravets has posted a full write-up of the report and his subsequent interactions with HackerOne for those interested in how it all unfolded from his perspective.