Valve patches zero-day vulnerability in Steam again and adjusts bug bounty rules

Valve has patched a zero-day vulnerability in the Steam client for the second time. The company is also changing the rules of its bug bounty program after the researcher who reported the vulnerability was banned from the HackerOne program.

The vulnerability was fixed in a beta of the Steam client for Windows that Valve released Thursday. According to Valve, the beta includes fixes for the local privilege escalation (LPE) vulnerabilities that were made public earlier this week. Last week, the game company also had to patch the Steam client because of such a vulnerability. Both vulnerabilities were found by Russian hacker and researcher Vasily Kravets.

He released the details of the vulnerabilities after his report was rejected by the HackerOne program that Valve uses for vulnerability reports. He was even banned there. HackerOne coordinates the responsible discovery and reporting of vulnerabilities by hackers on behalf of companies. The company informed Kravets that his first report of an LPE was outside the scope of Valve’s program because a successful attack requires physical access to a victim’s system or requires the attacker to be able to place files anywhere on the file system.

According to Kravets, it is wrong for Valve to exclude reports of escalation-of-privilege vulnerabilities, precisely because the Steam client is a launcher for running third-party software, with the risks that come with it.

Valve has now told ZDNet that the rejection of the LPE reports was due to a misunderstanding: “The rules for our HackerOne program were intended to only exclude notifications where Steam is instructed to open already installed malware as a local user on a user’s machine.” Valve has since revised the scope of the program to make it clear that privilege escalation attacks carried out by malware via Steam, without administrator rights, are within its scope. The company also says that Kravets’ ban was a mistake.
