Engineering student at the Steria Hacking Challenge in 2013 THOMAS SAMSON/AFP/Getty Images

The maker of Steam admitted that it mistakenly rejected a researcher who reported two separate vulnerabilities, of the kind that Google, Microsoft and other software developers routinely treat as urgent and fix immediately.

On Thursday, Valve Corporation, the American video game developer behind Steam and other gaming platforms, admitted that it made a mistake when it turned away a researcher who reported privilege escalation vulnerabilities. The statement came after a flood of criticism from white-hat hackers directed at the company.

Vasily Kravet, an independent researcher from Moscow who reports the vulnerabilities he discovers through HackerOne, a vulnerability coordination and bug bounty platform, received an email days after submitting, through that service, reports of vulnerabilities of the same kind that Google and Microsoft have had to deal with.

The email stated that Valve would no longer accept any vulnerability reports he sent through the HackerOne reporting service. Valve declared that the vulnerabilities Kravet reported showed no potential of being fixed and that they had initially been categorized as out of scope.

In an official statement, Valve admitted that the HackerOne program rules had been misinterpreted, which led to Kravet’s reported vulnerabilities being categorized incorrectly. The Moscow researcher’s report revealed a Steam vulnerability that lets an attacker tunnel into privileged parts of the operating system. The bug is reachable by an attacker who already has a low-privilege foothold on the target machine, which is what makes it a local privilege escalation issue rather than a remote one.

Valve said that, as a corrective measure, it has updated the HackerOne program rules to ensure that issues such as those in Kravet’s reports will not be taken out of context and will be considered in scope.

Matt Nelson, a second independent researcher who was turned away in the same mistaken manner as Kravet back in June, said it is mind-blowing to him that Local Privilege Escalation is not given ample importance. He added that the people who are supposed to be responsible for triaging vulnerabilities simply tag such reports as out of scope.

A Valve representative stated that vulnerability disclosure is an inherently murky process and that they are, and have always been, committed to protecting the interests of their hackers.