So what I'm hearing is...
best to have two bugs ready when you report one to Steam?
Games giant Valve is attempting to make nice with the infosec bod who disclosed zero-day exploits for vulnerabilities in Steam after the corporation refused to pay out bug bounties for the flaws. On Thursday, Valve said it would patch both of the holes discovered by bug-hunter Vasily Kravets, and will consider reinstating …
Well it's simple then : publish the content of the exchange and show everyone what happened. Because there's a good chance that somebody started to be insulting and the other someone didn't appreciate and shot back. So publishing the exchange will settle the matter.
Then Twitter can get outraged again and we'll know if we need to bang on Valve to reverse the decision or not.
But of course, that won't happen, because it would be a breach of confidentiality or something. Too bad.
The second security flaw report, it seems, along with condemnation from infosec professionals online, was enough to get Valve's attention. Shortly after news broke of the second bug disclosure, the multibillion-dollar biz issued the press (including El Reg) a statement reversing its decision.
Typical, get some bad publicity and then u-turn and fix the issue.
This sounds like a mid-level bureaucrat enforcing their fiefdom ("this is how these rules should be interpreted!") without actually understanding what was intended. And then someone higher up face-palmed and put them in their place. At least, I hope that's what's happened. And if it is, then it's the same the world over.
Actually, it sounds more like an [outsourced?] helpdesk bod, possibly trained in taking notes but no in-depth security skills, took the call and made the 'decision'.... a 'decision' arrived at by following a script/flow-chart thta led a box marked 'not a flaw'.
Of course, the flowchart was probably designed by a PH clueless mid-level manager wanting to make his mark :)
I'd say fair enough... Mr. Hax (not real name) found exploitable holes, submitted and was snubbed. Well, at that point, he did the "responsible" thing and Valve claim they are not interested in these exploits since they failed to pay the bounties per their participation in the bounty program. No problem, Mr. Hax is free to disclose them however he wants at that point since Valve have already (by failing to pay) claimed they don't view these exploits as exploits.
Biting the hand that feeds IT © 1998–2021