The apology was loaded with blame shifting and bragging about previous H1 payments; neither of these leads me to be more lenient with Valve.
The hacker is still banned from submitting bugs, for god's sake. Nor has he heard from Valve.
Edit: They even disputed the CVE, manually, removing any doubt that this wasn't an oopsie caused by a system.
> We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.
> Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
Valve seems to be pretty explicit about the fact that the issue was due to bad rules over what is and isn't in scope.
Un-banning the researcher is on HackerOne's end, isn't it?
I could perhaps forgive a misunderstanding over fringe cases or a company that is new to the H1 platform. However, we are talking about an LPE in this case, with a company who has themselves bragged about their familiarity with the platform. I would expect that they would spend some time checking their scope for something like LPEs and making sure it is crystal clear.
> Un-banning the researcher is on HackerOne's end, isn't it?
I was under the impression that each corporation running a bounty is in charge of allowing or disallowing users to their specific bounty, not H1. But to be fair, I'm not positive of this.
I understand you may think I'm being hard on Valve, but given how many computers the Steam Client is installed on, the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them. They should be held to a higher standard than Ma and Pa's coffee shop.
They do not appear to be acting in good faith, but rather trying to put out a fire and sweep it under the rug.
Edit:
To pile on, here is an open letter sent to Valve in 2014. This is not a new pattern for Valve.
https://steamdb.info/blog/valve-security-open-letter/
An excerpt:
"This letter is collaboratively written by various members of Steam’s developer community regarding our concerns with Valve security behaviours, in particular Valve’s inconsistency in rewarding those who report bugs (occasionally punishing people), the speed at which Valve addresses bug reports (if at all), and the problems users face attempting to report bugs to Valve"
This doesn't make sense. For the number of clients that have their software installed on their computers, Valve is a tiny company (~360 employees). I work in a 1000+ person company and we have only a fraction of the number of installed clients. We also don't know the volume of reports Valve is handling, and the ratio of spurious reports to genuine reports.
The open letter you link to talks about how Valve doesn't even have a bug bounty program at all, so I'm not sure how this is supposed to serve as evidence that Valve's bug bounty program is poorly managed. If anything, it shows that the company listened to criticism and subsequently established a bug bounty program. This is still an overall positive delta, even if their bug bounty program is less than ideal. And when they do make a mistake, they respond constructively to public criticism. I'm really at a loss as to why I'm supposed to see Valve as the villain here.