Hacker Drops Steam Zero Day After Being Banned From Valve Bug Bounty Program
upstart writes:
Submitted via IRC for SoyCow2718
Hacker Drops Steam Zero Day After Being Banned From Valve Bug Bounty Program
Security researcher Vasily Kravets publicly dropped a zero-day for the Steam game platform last week after saying he was banned from parent company Valve's bug bounty program.
Kravets, who is a security researcher for the R&D department at Advanced Monitoring in Moscow, said that the trouble began in May, when he reported a security bug in the Steam gaming platform through HackerOne. HackerOne handles the bug bounty program for Valve and for a number of other companies. Valve said banning him was a mistake.
Kravets said that he was prevented from using the HackerOne bug reporting service after Valve rejected his findings, telling him that the problem would not be fixed. When he found another similar bug and was unable to report it through HackerOne, he decided to release the report publicly. This caused an uproar because it's rare for security researchers to publish detailed hacking notes publicly before the vulnerability is fixed.
"I clearly realized that something was broken in that process. It is obvious that nothing was going to change," Kravets said in a Twitter message, "moreover [HackerOne] noticed my last message in the thread (before public disclosure) only two weeks after I post the message. There is nothing other left [sic] than make report public."
The vulnerabilities that Kravets found in the Steam software allowed local privilege escalation from within Steam as described in his blog entry. According to communications between Kravets, Valve, and HackerOne, it appears that Valve didn't consider such privilege escalation to be a security problem, despite its potential as a pathway for malware to infect an operating system, in this case Windows.
"Then I found another vulnerability. I asked [HackerOne] what should I do? I didn't want repeat of the story. After 5 days I was banned and had no other choice than public report one more time," Kravets explained.
For its part, Valve has acknowledged that refusing to accept the bug report was a mistake.
Read more of this story at SoylentNews.