Valve says turning away researcher reporting Steam vulnerability was a mistake
arstechnica.comShady thing happens -> Lucky enough for issue to go viral -> Company makes an apology mainly bragging about how much they've paid out on H1 and playing some blame game.
Count me not surprised.
A company that goes out of their way to dispute the CVE, to turn around a day after a PR firestorm, is not actually turning around. They are saving face.
Or, the systems in place didn't work as intended and Valve took steps to rectify that. Sure it'd be better to get it right from the start, but people and organizations are fallible and the best thing to do is to make things right when they do fall.
This is not Valve's first time at the rodeo, and they aren't a small indie company learning the ropes.
The apology was loaded with blame shifting and bragging about previous H1 payments, neither of these lead me to be more lenient with Valve.
The hacker is still banned from submitting bugs, for god's sake. Nor has he heard from Valve.
Edit: They even disputed the CVE, manually, removing any doubt that this wasnt an oopsie caused by a system.
"system" doesn't refer to hackerone, but rather Valve's bug bounty program in aggregate. It seems pretty clear to me that the root of this issue was failing to understand the scope of the vulnerability, leading to erroneous dispute of the CVE.
> We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.
> Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
Valve seems to be pretty explicit about the fact that the issue was due to bad rules over what is and isn't in scope.
Un-banning the researcher is one HackerOne's end, isn't it?
>Valve seems to be pretty explicit about the fact that the issue was due to bad rules over what is and isn't in scope.
I could perhaps forgive a misunderstanding over fringe-cases or a company that is new to the H1 platform. However, we are talking about a LPE in this case, with a company who has themselves bragged about their familiarity with the platform. I would expect that they would spend some time checking their scope for something like LPE's and making sure it is crystal clear.
>Un-banning the researcher is one HackerOne's end, isn't it?
I was under the impression that each corporation running a bounty is in charge of allowing or disallowing users to their specific bounty, not H1. But to be fair, I'm not positive of this.
I understand you may think I'm being hard on Valve, but given how many computers the Steam Client is installed on, the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them. They should be held to a higher standard than Ma and Pa's coffee shop.
They do not appear to be acting in good faith, but rather trying to put out a fire and sweep it under the rug.
Edit:
To pile on, here is an open letter sent to Valve in 2014. This is not a new pattern for Valve.
https://steamdb.info/blog/valve-security-open-letter/
An excerpt:
"This letter is collaboratively written by various members of Steam’s developer community regarding our concerns with Valve security behaviours, in particular Valve’s inconsistency in rewarding those who report bugs (occasionally punishing people), the speed at which Valve addresses bug reports (if at all), and the problems users face attempting to report bugs to Valve"
> I understand you may think I'm being hard on Valve, but given how many computers the Steam Client is installed on, the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them. They should be held to a higher standard than Ma and Pa's coffee shop.
This doesn't make sense. For the number of clients that have their software installed on their computes, Valve is a tiny company (~360 employees). I work in a 1000+ person company and we have only a fraction of the number of installed clients. We also don't know the volume of reports Valve is handling, and the ratio of spurious reports to genuine reports.
The open letter you link to talks about how Valve doesn't even have a bug bounty program at all - so I'm not sure how this is supposed to serve as evidence that Valve's bug bounty program is poorly managed. If anything, it shows that the company listened to criticism and subsequently established a bug bounty program. This is still an overall positive delta, even if their bug bounty program is less than ideal. And when they do make a mistake, they responded constructively to public criticism. I'm really at a loss as to why I'm supposed to see Valve as the villain here.
You cherry-pick a one-off example (# of clients) and ignore the rest. Feel free to remove that one if you don't think it is pertinent, and address the remainder of my comment.
You also cherry-picked the letter. Yes, 5 years after a history and pattern of security negligence, they are now able to repeat that pattern on H1. Hurray, positive delta.
Even if all issues have been addressed, the fact that it has happened in the past (many times) means that Valve deserves skepticism going forward. You a big fan of Facebook now that they deleted those cleartext passwords? They are cool now and anything else that comes to light must just be an oopsie, deserving of no scrutiny? Or are you skeptical because Facebook has a proven pattern of dishonesty? The same thing applies to Valve. They have a proven pattern.
>they responded constructively to public criticism Uhh, you'll have to link me to a constructive response of public criticism.
Since you cherry-picked one issue from the letter (which should still prove to show the pattern of bad behavior that, at the very least, used to exist), I will put a few others here:
>A few members of the developer community, and no doubt members of the community at large, have received infractions against their accounts for the discovery and disclosure of bugs – a subset of which are similar to those that have been rewarded with economy items.
>During this time we caught the occasional mention that Valve’s servers were indeed leaking sensitive information (such as partner session IDs, logins and cleartext passwords), however upon patching the bug Valve did not mandate a password reset.
>As a result, an unknown user changed a different app’s name up to three days after the servers were patched[4] – proving that Steam Partner credentials were indeed exposed and abused during Heartbleed.
I see bad security practices piled on bad practices piled onto a culture that spurns security.
>I'm really at a loss as to why I'm supposed to see Valve as the villain here.
I'm not telling you to look at them as a villain. I'm saying that perhaps, given a proven history of bad practices, it would be good to look at this situation with a skeptical eye (they are trying to save face, nothing else) rather than shrug it off as an "Oops! Haha, we didn't scope our bounty quite right!".
Obviously we don't see eye to eye on the subject.
I'll keep looking at Valve, with their repeated security blunders, with skepticism. Feel free to continue to chalk it all up to an oops.
Remember the whole "Trust takes a lifetime to build, and a second to destroy"? That's the heart of where I am coming from.
> You cherry-pick a one-off example (# of clients) and ignore the rest. Feel free to remove that one if you don't think it is pertinent, and address the remainder of my comment.
> You also cherry-picked the letter. Yes, 5 years after a history and pattern of security negligence, they are now able to repeat that pattern on H1. Hurray, positive delta.
Those were the only two arguments you made to support your claim that Valve's bug bounty program is not as good as it should be. You're accusing me of "cherry picking" because I responded the only two arguments you made. This is just laughable, and it eliminated the rest of my doubt as to whether or not you're participating in this conversation in good faith.
Let's recap your previous comment: Your first paragraph didn't make an argument, it was sharing your opinion that you think Valve's management of their bug bounty isn't up to par and that highlighting the fact that they have paid out hundreds of bounties amounts to "bragging". Your second paragraph is where you make the first actual argument, the claim that we should be able to hold them to a higher standard because of the ratio of their client install count and employees. And you added the link to the letter in an edit below that.
I respond to both of the claims you made (the client vs. employee count, and the letter) and now you're saying that I'm "cherry picking" because I'm responding to the two arguments that you brought up.
I must not have written it clearly, sorry.
Here is the only argument I've been trying to make:
Valve has a history of bad security practices and bad responses to security researchers. We should be skeptical of this announcement, coming immediately after bad PR coverage, because Valve has a history of bad security practices and bad responses to security researchers.
----
In support of my main argument, which is that we should be skeptical of Valve's announcement because of their history, I made several supporting arguments.
Just in my last comment, you chose # of clients. Some of the other examples I gave (you guessed it, in support of my main argument, which I shouldn't need to repeat again):
>the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them.
The letter, which again served in support of my main argument, showed a few examples of how their security culture has always been this way. Although since that time they have moved to H1, which I tried to point out doesn't really mean a whole lot when they were forced into it (and a reminder, we are looking at their pattern of bad behavior with security), the other issues raised include: Putting infractions against accounts that report bugs while rewarding others, and leaking sensitive information including passwords and not forcing a reset.
From some of my past comments, in support of the main argument, I gave examples such as: Shifting blame in their post, not contacting the researcher this entire PR mess is about, not allowing that researcher to submit bugs, and disputing the CVE which requires additional manual review of the bug (and is additional confirmation that they both a) understand that it is an LPE and b) that they don't think it's serious.)
I have done nothing but try to argue in good faith, I'm sorry you see it a different way.
Valve needs to gain my trust after years and years of proving to be negligent with security. They seem to have yours explicitly.
Valves been on the down for years. Last minute chat app trying to mimic discord/curse, and introducing laughable vulnerabilities. VR gear more expensive and less relevant than competitors, no advancement on the tech that worked (steam controller, steam streaming box). Better mods through other sites and curse client. No more valve games, holding onto a dead engine.
Valve is coasting on prior success. If discord or curse was done better steams market share would nosedive.
This is one of many mistakes that happen when you dont compete and innovate.
Curse & Discord wouldn’t even exist if Steam had evolved properly. They had game store + friends list + chat integrated like 15 years ago, big miss IMO.
Well, maybe future serious bugs in valve/steam software should just go to open/public disclosure until they've actually paid out for the two bugs they denied previously.