Steam cleaned of zero-day security holes after Valve turned off by bug bounty snub outrage

Games giant Valve is attempting to make nice with the infosec bod who disclosed zero-day exploits for vulnerabilities in Steam after the corporation refused to pay out bug bounties for the flaws. On Thursday, Valve said it would patch both of the holes discovered by bug-hunter Vasily Kravets, and will consider reinstating …

  1. Claptrap314 Silver badge

    So what I'm hearing is...

    best to have two bugs ready when you report one to Steam?

  2. don't you hate it when you lose your account Silver badge

    Disgusting

    No half life 3!!!@!!

    1. Pascal Monett Silver badge

      Re: Disgusting

      again !

  3. Pascal Monett Silver badge

    "there was an exchange that resulted in him being banned"

    Well it's simple then : publish the content of the exchange and show everyone what happened. Because there's a good chance that somebody started to be insulting and the other someone didn't appreciate and shot back. So publishing the exchange will settle the matter.

    Then Twitter can get outraged again and we'll know if we need to bang on Valve to reverse the decision or not.

    But of course, that won't happen, because it would be a breach of confidentiality or something. Too bad.

  4. David Austin

    Would not expect any less from Valve

    I love the boys from Seattle, but they do have a talent for reacting too late to developing situations, and shooting themselves in the foot over something trivial to fix.

    1. Captain Scarlet

      Re: Would not expect any less from Valve

      Like the Morokai "Mini Game" in the Dota 2 Ti event (By that I mean it was a rush rehashed event with a lovely bug where Lifestealer could infest the Morokai and sell its very expensive items).

  5. adam payne

    The second security flaw report, it seems, along with condemnation from infosec professionals online, was enough to get Valve's attention. Shortly after news broke of the second bug disclosure, the multibillion-dollar biz issued the press (including El Reg) a statement reversing its decision.

    Typical, get some bad publicity and then u-turn and fix the issue.

  6. Brewster's Angle Grinder Silver badge
    Facepalm

    This sounds like a mid-level bureaucrat enforcing their fiefdom ("this is how these rules should be interpreted!") without actually understanding what was intended. And then someone higher up face-palmed and put them in their place. At least, I hope that's what's happened. And if it is, then it's the same the world over.

    1. Michael Wojcik Silver badge

      It sounds to me like a good reason not to use HackerOne to run your bug disclosure program. Frankly, having been a PSIRT member myself, I'd be very leery of using HackerOne.

  7. ShortLegs

    Actually, it sounds more like an [outsourced?] helpdesk bod, possibly trained in taking notes but no in-depth security skills, took the call and made the 'decision'.... a 'decision' arrived at by following a script/flow-chart that led to a box marked 'not a flaw'.

    Of course, the flowchart was probably designed by a PH clueless mid-level manager wanting to make his mark :)

  8. Henry Wertz 1 Gold badge

    Fair enough

    I'd say fair enough... Mr. Hax (not real name) found exploitable holes, submitted and was snubbed. Well, at that point, he did the "responsible" thing and Valve claim they are not interested in these exploits since they failed to pay the bounties per their participation in the bounty program. No problem, Mr. Hax is free to disclose them however he wants at that point since Valve have already (by failing to pay) claimed they don't view these exploits as exploits.
