Zero-day in Steam made public after dispute over bug bounty program

A security researcher has made a zero-day in Steam public. He did this out of dissatisfaction with Valve’s policy on responsible disclosure. The hacker had previously been removed from the HackerOne program.

The flaw is a local privilege escalation (LPE) in the Steam client for Windows, Russian hacker and researcher Vasily Kravets writes in a blog post. The exploit allows other apps to gain admin rights in Windows through the Steam app. It is the second zero-day that the hacker has disclosed in two weeks.

Kravets discovered another local privilege escalation two weeks ago. He reported this to Valve through HackerOne, a company that coordinates responsible disclosure reports between companies and hackers. However, according to Valve, the vulnerability was not serious enough to qualify for a reward. When Kravets subsequently published details about the vulnerability, he was removed from the HackerOne program. By publishing it, he is said to have violated the rules of the program.

Kravets has now discovered a second vulnerability. This is also an LPE, where an attacker must first have physical access to a machine. That is where the problem lies, according to Valve. In the scope of the bug bounty program on HackerOne, Valve says LPEs do fall under the reward criteria, but that only applies to attacks involving malware or compromised software. In this case, where an attacker has to be physically at the machine, the vulnerability is out of scope, Valve says. The same goes for attacks that require a user to place files in arbitrary locations in the OS, although Kravets denies that the latter is necessary to exploit this vulnerability.

Valve has fixed the previous vulnerability in Steam, after a lot of negative media attention about it. However, another security researcher says that he can bypass the fix. The game company has not yet commented on the current vulnerability.
