A bug-hunter revealed details of two flaws with gaming platform Steam. Parent company Valve angered him by refusing to pay him a bounty (via the Register).
No Bug Bounty Paid
Vasily Kravets originally revealed details of an elevation of privilege error earlier this month. “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” Kravets noted.
However, he said his report was marked “n/a” on June 16 because: “Attacks that require the ability to drop files in arbitrary locations on the user’s filesystem.” Mr. Kravets said he received a similar response from HackerOne.
He explained:
I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne.
Frustrated, he made the flaw public.
Second Steam Flaw Revealed
On Tuesday, he disclosed a second elevation of privilege flaw on Steam. By this point Valve had removed him from its bug bounty program. “Valve keeps failing,” he complained.
Vale had not offered a public comment at the time of this writing. Both flaws required an attacker to have access to the target machine. Consequently, neither are deemed critical.