Valve has announced that Russian developer Vasily Kravets was mistakenly denied an award under the HackerOne program. How edition of The Register, the studio will fix the discovered vulnerabilities and consider issuing an award to Kravets.
On August 7, 2019, security specialist Vasily Kravets published an article about Steam local privilege escalation vulnerabilities. This allows any malware to increase its influence on Windows. Before that, the developer notified Valve in advance, but the company did not respond. HackerOne specialists reported that there is no bounty for such errors. After the vulnerability was publicly disclosed, HackerOne sent him a notice to remove him from the bounty program.
It was later revealed that he was not the only person to discover the Steam vulnerability. Another specialist Matt Nelson said that he wrote about a similar problem and his application was also rejected.
Now Valve has declared that the incident that took place is a mistake and has reworked the principle of accepting bugs on Steam. According to the new set of rules, any vulnerability that allows malware to elevate its privileges through Steam will be investigated by developers.
Source: 3dnews.ru