Valve admits it mistakenly dismissed Steam security flaw


Valve has expanded a scheme in which it pays "ethical hackers" for discovering security flaws in Steam after it mistakenly dismissed a valid vulnerability reported by a researcher.

Researcher Vasily Kravets's reports of a Steam vulnerability were dismissed because they were believed to be outside the scope of the scheme, and Kravets was told Valve's security team would no longer receive his reports through the HackerOne bounty program. After Kravets made a second security flaw public this week, Valve patched both vulnerabilities and admitted its mistake.

"We are...aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake," it told Ars Technica.

"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.

"We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported." The company did not comment on Kravets's status in the program, saying only that it was "reviewing the details of each situation to determine the appropriate actions".

Valve has paid out more than $675,000 in bounties to 263 security researchers through the program over the last two years, it added.

Samuel Horti

Samuel Horti is a long-time freelance writer for PC Gamer based in the UK, who loves RPGs and making long lists of games he'll never have time to play. 
