
Valve says turning away researcher reporting Steam vulnerability was a mistake - ulysses
https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/
======
ziddoap
Shady thing happens -> Lucky enough for issue to go viral -> Company makes an
apology mainly bragging about how much they've paid out on H1 and playing some
blame game.

Count me not surprised.

A company that goes out of their way to dispute the CVE, to turn around a day
after a PR firestorm, is not actually turning around. They are saving face.

~~~
manfredo
Or, the systems in place didn't work as intended and Valve took steps to
rectify that. Sure it'd be better to get it right from the start, but people
and organizations are fallible and the best thing to do is to make things
right when they do fall.

~~~
ziddoap
This is not Valve's first time at the rodeo, and they aren't a small indie
company learning the ropes.

The apology was loaded with blame shifting and bragging about previous H1
payments, neither of which leads me to be more lenient with Valve.

The hacker is still banned from submitting bugs, for god's sake. Nor has he
heard from Valve.

Edit: They even disputed the CVE, manually, removing any doubt that this wasn't
an oopsie caused by a system.

~~~
manfredo
"system" doesn't refer to hackerone, but rather Valve's bug bounty program in
aggregate. It seems pretty clear to me that the root of this issue was failing
to understand the scope of the vulnerability, leading to erroneous dispute of
the CVE.

> We are also aware that the researcher who discovered the bugs was
> incorrectly turned away through our HackerOne bug bounty program, where his
> report was classified as out of scope. This was a mistake.

> Our HackerOne program rules were intended only to exclude reports of Steam
> being instructed to launch previously installed malware on a user’s machine
> as that local user. Instead, misinterpretation of the rules also led to the
> exclusion of a more serious attack that also performed local privilege
> escalation through Steam.

Valve seems to be pretty explicit about the fact that the issue was due to bad
rules over what is and isn't in scope.

Un-banning the researcher is on HackerOne's end, isn't it?

~~~
ziddoap
> _Valve seems to be pretty explicit about the fact that the issue was due to
> bad rules over what is and isn't in scope._

I could perhaps forgive a misunderstanding over fringe-cases or a company that
is new to the H1 platform. However, we are talking about a LPE in this case,
with a company who has themselves bragged about their familiarity with the
platform. I would expect that they would spend some time checking their scope
for something like LPEs and making sure it is crystal clear.

> _Un-banning the researcher is on HackerOne's end, isn't it?_

I was under the impression that each corporation running a bounty is in charge
of allowing or disallowing users to their specific bounty, not H1. But to be
fair, I'm not positive of this.

I understand you may think I'm being hard on Valve, but given how many
computers the Steam Client is installed on, the age and size of the company,
their familiarity with H1, their past responses to situations like this, not
attempting to get in touch with the researcher they said it was a mistake to
turn away (and there was a 2nd researcher turned away), and the half-hearted
response - I simply can't understand making excuses for them. They should be
held to a higher standard than Ma and Pa's coffee shop.

They do not appear to be acting in good faith, but rather trying to put out a
fire and sweep it under the rug.

Edit:

To pile on, here is an open letter sent to Valve in 2014. This is not a new
pattern for Valve.

[https://steamdb.info/blog/valve-security-open-letter/](https://steamdb.info/blog/valve-security-open-letter/)

An excerpt:

_"This letter is collaboratively written by various members of Steam's
developer community regarding our concerns with Valve security behaviours, in
particular Valve's inconsistency in rewarding those who report bugs
(occasionally punishing people), the speed at which Valve addresses bug
reports (if at all), and the problems users face attempting to report bugs to
Valve"_

~~~
manfredo
> I understand you may think I'm being hard on Valve, but given how many
> computers the Steam Client is installed on, the age and size of the company,
> their familiarity with H1, their past responses to situations like this, not
> attempting to get in touch with the researcher they said it was a mistake to
> turn away (and there was a 2nd researcher turned away), and the half-hearted
> response - I simply can't understand making excuses for them. They should be
> held to a higher standard than Ma and Pa's coffee shop.

This doesn't make sense. For the number of clients that have their software
installed on their computers, Valve is a tiny company (~360 employees). I work
in a 1000+ person company and we have only a fraction of the number of
installed clients. We also don't know the volume of reports Valve is handling,
and the ratio of spurious reports to genuine reports.

The open letter you link to talks about how Valve doesn't even have a bug
bounty program at all - so I'm not sure how this is supposed to serve as
evidence that Valve's bug bounty program is poorly managed. If anything, it
shows that the company listened to criticism and subsequently established a
bug bounty program. This is still an overall positive delta, even if their bug
bounty program is less than ideal. And when they do make a mistake, they
responded constructively to public criticism. I'm really at a loss as to why
I'm supposed to see Valve as the villain here.

~~~
ziddoap
You cherry-pick a one-off example (# of clients) and ignore the rest. Feel
free to remove that one if you don't think it is pertinent, and address the
remainder of my comment.

You also cherry-picked the letter. Yes, 5 years after a history and pattern of
security negligence, they are now able to repeat that pattern on H1. Hurray,
positive delta.

Even if all issues have been addressed, the fact that it has happened in the
past (many times) means that Valve deserves skepticism going forward. You a
big fan of Facebook now that they deleted those cleartext passwords? They are
cool now and anything else that comes to light must just be an oopsie,
deserving of no scrutiny? Or are you skeptical because Facebook has a proven
pattern of dishonesty? The same thing applies to Valve. They have a proven
pattern.

> _they responded constructively to public criticism_

Uhh, you'll have to link me to a constructive response to public criticism.

Since you cherry-picked one issue from the letter (which should still prove to
show the pattern of bad behavior that, at the very least, used to exist), I
will put a few others here:

> _A few members of the developer community, and no doubt members of the
> community at large, have received infractions against their accounts for the
> discovery and disclosure of bugs – a subset of which are similar to those
> that have been rewarded with economy items._

> _During this time we caught the occasional mention that Valve’s servers were
> indeed leaking sensitive information (such as partner session IDs, logins
> and cleartext passwords), however upon patching the bug Valve did not
> mandate a password reset._

> _As a result, an unknown user changed a different app’s name up to three
> days after the servers were patched[4] – proving that Steam Partner
> credentials were indeed exposed and abused during Heartbleed._

I see bad security practices piled on bad practices piled onto a culture that
spurns security.

> _I'm really at a loss as to why I'm supposed to see Valve as the villain
> here._

I'm not telling you to look at them as a villain. I'm saying that perhaps,
given a proven history of bad practices, it would be good to look at this
situation with a skeptical eye (they are trying to save face, nothing else)
rather than shrug it off as an "Oops! Haha, we didn't scope our bounty quite
right!".

Obviously we don't see eye to eye on the subject.

I'll keep looking at Valve, with their repeated security blunders, with
skepticism. Feel free to continue to chalk it all up to an oops.

Remember the whole "Trust takes a lifetime to build, and a second to destroy"?
That's the heart of where I am coming from.

~~~
manfredo
> You cherry-pick a one-off example (# of clients) and ignore the rest. Feel
> free to remove that one if you don't think it is pertinent, and address the
> remainder of my comment.

> You also cherry-picked the letter. Yes, 5 years after a history and pattern
> of security negligence, they are now able to repeat that pattern on H1.
> Hurray, positive delta.

Those were the only two arguments you made to support your claim that Valve's
bug bounty program is not as good as it should be. You're accusing me of
"cherry picking" because I responded to the only two arguments you made. This
is just laughable, and it eliminated the rest of my doubt as to whether or not
you're participating in this conversation in good faith.

Let's recap your previous comment: Your first paragraph didn't make an
argument, it was sharing your opinion that you think Valve's management of
their bug bounty isn't up to par and that highlighting the fact that they
_have_ paid out hundreds of bounties amounts to "bragging". Your second
paragraph is where you make the first actual argument, the claim that we
should be able to hold them to a higher standard because of the ratio of their
client install count and employees. And you added the link to the letter in an
edit below that.

I respond to both of the claims you made (the client vs. employee count, and
the letter) and now you're saying that I'm "cherry picking" because I'm
responding to the two arguments that _you brought up_.

~~~
ziddoap
I must not have written it clearly, sorry.

Here is the only argument I've been trying to make:

Valve has a history of bad security practices and bad responses to security
researchers. We should be skeptical of this announcement, coming immediately
after bad PR coverage, because Valve has a history of bad security practices
and bad responses to security researchers.

----

In support of my main argument, which is that we should be skeptical of
Valve's announcement because of their history, I made several supporting
arguments.

Just in my last comment, you chose # of clients. Some of the other examples I
gave (you guessed it, in support of my main argument, which I shouldn't need
to repeat again):

> _the age and size of the company, their familiarity with H1, their past
> responses to situations like this, not attempting to get in touch with the
> researcher they said it was a mistake to turn away (and there was a 2nd
> researcher turned away), and the half-hearted response - I simply can't
> understand making excuses for them._

The letter, which again served in support of my main argument, showed a few
examples of how their security culture has always been this way. Although
_since_ that time they have moved to H1, which I tried to point out doesn't
really mean a whole lot when they were forced into it (and a reminder, we are
looking at their pattern of bad behavior with security), the other issues
raised include: Putting infractions against accounts that report bugs while
rewarding others, and leaking sensitive information including passwords and
not forcing a reset.

From some of my past comments, in support of the main argument, I gave
examples such as: Shifting blame in their post, not contacting the researcher
this entire PR mess is about, not allowing that researcher to submit bugs, and
disputing the CVE which requires additional manual review of the bug (and is
additional confirmation that they both a) understand that it is an LPE and b)
that they don't think it's serious.)

I have done nothing but try to argue in good faith, I'm sorry you see it a
different way.

Valve needs to gain my trust after years and years of proving to be negligent
with security. They seem to have yours explicitly.

------
devwastaken
Valve's been on the down for years. Last-minute chat app trying to mimic
Discord/Curse, and introducing laughable vulnerabilities. VR gear more
expensive and less relevant than competitors, no advancement on the tech that
worked (Steam Controller, Steam streaming box). Better mods through other
sites and the Curse client. No more Valve games, holding onto a dead engine.

Valve is coasting on prior success. If Discord or Curse was done better, Steam's
market share would nosedive.

This is one of many mistakes that happen when you don't compete and innovate.

~~~
tehwebguy
Curse & Discord wouldn’t even exist if Steam had evolved properly. They had
game store + friends list + chat integrated like 15 years ago, big miss IMO.

------
tracker1
Well, maybe future serious bugs in valve/steam software should just go to
open/public disclosure until they've actually paid out for the two bugs they
denied previously.