Valve Rejected Steam Researcher Reporting Google and Microsoft-Encountered Vulnerability
The maker of Steam admitted that it mistakenly rejected one researcher who reported two separate vulnerabilities similar to those Google, Microsoft and other source developers regularly put immediate attention to and fix immediately.
On Thursday, Valve Corporation, an American video game developer behind Steam and other gaming platforms, admitted that it made a mistake when it turned away a researcher who reported privilege escalation vulnerabilities. The statement came out after rants from white-hat hackers flooded in against the company.
Vasily Kravet, an independent researcher from Moscow who reports his discovered vulnerabilities to HackerOne, a vulnerability coordination and bug bounty platform, received an email days after he reported vulnerabilities like the one that Google and Microsoft encountered to the said bug-reporting services.
The email stated that Valve will no longer accommodate any vulnerability reports that he will send through the HackerOne reporting service. Valve declared that Kravet’s reported vulnerabilities show no potential of being fixed and that they were initially categorized as out of scope.
In an official statement, Valve admitted that the HackerOne program rules were misinterpreted which lead to the wrong categorizing of Kravet’s reported vulnerabilities. The Moscow researcher’s report revealed a Steam vulnerability that allows hackers to tunnel their way to privileged parts of an operating system. The said bug is accessible to hackers with toe-hold privileges on a specific target.
Valve assured that as a corrective measure it has updated the HackerOne program rules to ensure that issues such as Kravet’s reports will not be taken out of context and will be considered in scope.
Matt Nelson, a second independent researcher who went through the same mistaken rejection as Kravet’s back in June, stated how it is mind-blowing to him that Local Privilege Escalation is not given ample importance. He added that people who are supposed to be responsible for triaging vulnerability simply tag such reports as out of scope.
A Valve representative stated that vulnerability disclosure is an inherently murky process and they are and have always been, committed to protecting the interests of their hackers.
© Copyright IBTimes 2024. All rights reserved.
-
Ukraine, Israel, TikTok: The Massive Aid Package Before US Congress
-
Eiffel Tower Loses Sparkle For Parisians Ahead Of Olympics
-
Former Number One Momota Retires From International Badminton At 29
-
Why Insurance Prices Have Skyrocketed
-
World Bank Aiming To Connect 250 Mn Africans To Energy Grid By 2030
-
IMF Says Global Debt Levels Face 'Great Election Year' Risk
-
Divisions Among Colombia's FARC Dissidents Complicate Peace Talks
-
French Far Right Gets Youthful Vibe With 28-year-old Leader
-
US Fed's Powell Says Inflation Fight May Take 'Longer Than Expected'
-
Mideast-related Oil Price Spike Threatens 'Relatively Good' Economic Outlook: IMF Chief Economist
