Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty

A security bod angry at Valve's handling of bug reports has disclosed a zero-day vulnerability affecting the games giant's flagship Steam app. Russia-based bug-hunter Vasily Kravets said that he was releasing details of the flaw, an elevation-of-privilege hole, after a series of poor interactions with Valve led to him getting …

  1. Anonymous Coward

    As if by magic ....

    Only yesterday I commented on the shitfest waiting to happen once you turn what should be a paid job - i.e. bug hunting - into a lottery, after the Microsoft bug bounty initiative.

    1. Anonymous Coward

      Re: after the Microsoft bug bounty initiative.

      Sweet! I knew those bastards would be to blame for Valve not paying a bug hunter.

      It's like people have MS Tourette's round here. Doesn't matter who or what is being discussed, some AC will moan on about it being MS' fault.

      1. Anonymous Coward

        Re: after the Microsoft bug bounty initiative.

        Microsoft ate my hamster.

        1. SotarrTheWizard

          Re: after the Microsoft bug bounty initiative.

          Hey! My mother was a hamster, and my father smelled of elderberries!!

          Now, go taunt Microsoft a second time !!1

        2. Zarno
          Coat

          Re: after Microsoft ate my hamster

          But did they microwave it first?

          Mine's the one with the copy of Maniac Mansion in the pocket...

          1. Nolveys Silver badge

            Re: after Microsoft ate my hamster

            But did they microwave it first?

            It was necessary to microwave it after it was frozen for 200 years.

        3. Kabukiwookie Silver badge

          Re: after the Microsoft bug bounty initiative.

          My hamster can take care of itself, I always tell it to go for the eyes.

          1. Anonymous Coward

            Re: after the Microsoft bug bounty initiative.

            > I always tell it to go for the eyes.

            Minsc, is that you?

            1. Ken Shabby Bronze badge
              Childcatcher

              Re: after the Microsoft bug bounty initiative.

              Basil.

              1. Anonymous Coward

                Re: after the Microsoft bug bounty initiative.

                For reference: https://www.youtube.com/watch?v=X8lLruVR2zQ

      2. Anonymous Coward

        Re: after the Microsoft bug bounty initiative.

        We'll miss you and your awesome comprehension skills when the schools go back. Good luck in your first year in high school!

      3. Anonymous Coward

        Re: after the Microsoft bug bounty initiative.

        Doesn't matter who or what is being discussed, some AC will moan on about it being MS' fault.

        That's because it usually is. No need to moan either, the bare facts are usually enough.

        1. Anonymous Coward

          Re: No need to moan either, the bare facts are usually enough.

          Seriously, you're prepared to argue that Valve not paying this bounty is because of MS?

          Go on then, "bare facts" me up!

          1. Anonymous Coward

            Re: No need to moan either, the bare facts are usually enough.

            No. They argued the *trend* not MS. The *trend* of not paying for work is a problem, not MS.

            Though they may have been wrong in their other posts, this one was ok. A broken clock, twice a day, and all that.

            1. Anonymous Coward

              Re: No. They argued the *trend* not MS

              No, they claimed that MS was responsible for the trend, blaming MS for Valve's behaviour.

              1. Anonymous Coward

                Re: No. They argued the *trend* not MS

                Sounds like blaming Valve for Windows' behaviour...

          2. Anonymous Coward

            Re: No need to moan either, the bare facts are usually enough.

            Note the word "usually".

            Also, I think that may have been tongue in cheek - your statement is likely to draw those with a sense of dark humour to prod a bit. I would not get too excited - just prod right back :)

          3. Anonymous Coward

            Re: No need to moan either, the bare facts are usually enough.

            Seriously, you're prepared to argue that Valve not paying this bounty is because of MS?

            Go on then, "bare facts" me up!

            Grin, it's just too easy to get some people excited these days. I need another 111 downvotes to hit the 10k, though, so expect more :).

            1. Michael Wojcik Silver badge

              Re: No need to moan either, the bare facts are usually enough.

              Ah, yes. "Oh, that was unpopular. Guess I'll pretend I was being deliberately provocative."

              That rhetorical cringe was feeble and tired on Usenet thirty years ago. Grow up.

        2. Azerty

          Re: after the Microsoft bug bounty initiative.

          Seems like lately the Microsoft PR army has landed at ElReg. They don't know humor, just downvoting and preaching the religion.

          1. sabroni Silver badge

            Re: the Microsoft PR army, they don't know humour

            Search the forums for "year of the Linux desktop".

            1. Huw D Silver badge

              Re: the Microsoft pr army, they don't know humour

              Also, "This time next year we'll be millionaires, Rodney" ;)

          2. Anonymous Coward

            @ Seems like lately the Microsoft PR army has landed at ElReg

            And now you know where the bug bounty was moved to.

            PR guys' loyalty can be bought wholesale, whereas bug hunters often have annoying quantities of integrity, something that MS never prized.

          3. Anonymous Coward

            Re: after the Microsoft bug bounty initiative.

            If you think that after more than 30 years, still blaming everything on MS is humour, then boy do I have news for you.

            You probably still use "M$" too.

            1. Anonymous Coward

              Re: after the Microsoft bug bounty initiative.

              You probably still use "M$" too.

              Nah, that's too easy and boring. Also doesn't quite get any of the antsy reactions.

              Don't worry, it wears off. Once I have the downvotes I was after I'll stop poking fun at Microsoft for a while - I want their PR people to feel safe first :).

          4. Anonymous Coward

            Re: after the Microsoft bug bounty initiative.

            Seems like lately the Microsoft PR army has landed at ElReg. They don't know humor, just downvoting and preaching the religion.

            Finally someone who gets it, I had almost given up hope. That's all I have been doing - merely offsetting the Microsoft PR army - but some people have (a) no sense of humour and (b) take this as a personal affront, which I frankly find hilarious.

            That said, I don't actually like to troll that much (I'm more for the occasional good-natured prod), but Microsofties appear to be so extraordinarily sensitive that it's kinda hard to fight the temptation.

            Oh, by the way, please go ahead and downvote. I'm trying to win a bet :).

  2. lglethal Silver badge
    Stop

    From my understanding...

    it takes a hell of a lot to get yourself banned from HackerOne. That implies there's more to this story than is being told. At the very least I have to assume he was extremely abusive to the staff there.

    Bug Bounties are always hit and miss for payouts. What one person considers a critical flaw another considers unimportant. Getting abusive for having your claims denied is unacceptable either way. Releasing the code into the wild after having it denied is also a complete d&ck move. It just shows you don't actually care about the security of your fellow netizens, you're just there for the potential payout...

    1. Evil Harry

      Re: From my understanding...

      Agree with you but would have thought that the small time bug hunters were only there for money in the first place? They have to eat after all :)

      1. lglethal Silver badge
        Go

        Re: From my understanding...

        Of course people are in it for the money. That's not in question. But releasing the code into the Wild doesn't get you paid either, but it DOES put everyone else in danger. So I reiterate it's a d&ck move.

        It also seems pretty dodgy to me that he found this bug in Steam AFTER he had already been banned from Steam's Bug Bounty Program. If you've already been told they won't pay you for anything you find, why would you spend time hunting for bugs in their program? The only reason I can come up with is malicious intent.

        1. Paul Crawford Silver badge
          Trollface

          Re: From my understanding...

          Why is it a dick move? After all Valve are quite clear it is not a vulnerability that matters.

        2. Donn Bly

          Re: From my understanding...

          People are in danger whether he releases it or not. Would you prefer to be in danger and NOT know about it, or be in danger with the knowledge that you are in danger? I would at least prefer to know.

          You also assume that he looked for the bug AFTER he had been banned. It is a far more likely scenario that he found both bugs at the same time. They are, after all, variants on each other.

          Additionally, in a previous post you decried that he was just "into it for the payout" and didn't care about his fellow net citizens. Now, however, you just equated searching for bugs without expectation of payout as "malicious intent".

          If hunting for bugs with expectation of payout is bad, and hunting for bugs without expectation of payout is bad, then by your definitions ALL bug hunting is bad.

          He tried responsible disclosure first -- they told him that they were not interested and banned him.

          1. Mark 85 Silver badge

            Re: From my understanding...

            People are in danger whether he releases it or not.

            I'm not so sure about this particular bug. If someone has physical access to your PC/laptop, then maybe. However, if you walk into where your computer is located and there's a guy wearing a hoodie with a bunch of 1's and 0's floating around him, then yes, you have a real problem.

            1. CrazyOldCatMan Silver badge

              Re: From my understanding...

              If someone has physical access to your PC/laptop, then maybe

              Or (as the guy says) some malicious person/company/state releases a 'free' game that uses these exploits to root your windows box..

              1. chuBb.

                Re: From my understanding...

                Or a lan party...

                Physical access in this context usually means connected to the same switch/subnet/LAN with no need to transit a firewall, or C$ is open and accessible; not that physical access is required because the device is air-gapped, accessible only through 5 vault doors and 100m underground.

        3. Anonymous Coward

          Re: From my understanding...

          If people just walked away silently when Valve rejects valid bugs, then they'll continue to reject them..

          Blackmail? Maybe, but if Valve says it's not an issue, then surely they won't mind?

    2. tcmonkey

      Re: From my understanding...

      Maybe true, but he wasn’t banned from HackerOne, just from Valve’s part of it. That’s not quite the same thing, and may well have been the result of someone at Valve thinking he was irritating.

      Unrelated note, what is it that Valve actually DO these days, other than sitting on a vast pile of money made off of other people’s hard work?

      1. Dan 55 Silver badge

        Re: From my understanding...

        Or, since they've removed all semblance of quality controls, not hard work (asset flipping).

      2. ArrZarr Silver badge
        Coat

        Re: From my understanding...

        They probably occasionally go swimming in their giant money pool.

        Hell, I wouldn't be surprised if they got into the rocketry business. Maybe they could do something about the components that failed on the pad launch abort test for Dragon 2.

        1. Ochib Silver badge

          Re: From my understanding...

          If Kerbal has taught me anything, it always needs more struts

          1. Crisp Silver badge
            Boffin

            Re: more struts

            And moar boosters.

        2. amanfromMars 1 Silver badge

          Re: From my understanding...

          They probably occasionally go swimming in their giant money pool. .... ArrZarr

          They always go Deep See Diving for giant grant money pools, ArrZarr.

          Titans such as develop and maintain this type of Internetional Security Program ........ Leading AI with JEDI Projects in Overall Remote Command and Total Virtualised Control.

          A Veritable King Solomon's Mines of a Bonanza to Value According to Practical Ethereal Worth.

        3. chuBb.

          Re: From my understanding...

          Perhaps they could get into the rocket test site business, call it rocket arena....

      3. Kabukiwookie Silver badge

        Re: From my understanding...

        what is it that Valve actually DO these days

        HL episode 3 should be coming out any day now.

      4. Graham Dawson

        Re: From my understanding...

        >what is it that Valve actually DO these days

        They make hats.

        1. Richard 12 Silver badge
          Angel

          Re: From my understanding...

          But not real ones

      5. Zoopy

        Re: From my understanding...

        > Unrelated note, what is it that Valve actually DO these days, other than sitting on a vast pile of money made off of other people’s hard work?

        They develop Proton, which is tremendously valuable to me.

    3. Donn Bly

      Re: From my understanding...

      Releasing the code into the wild after having it denied is also a complete d&ck move.

      Perhaps, but in context I would disagree.

      If I find a bug in your product, report it, and you deny it - what should the next step be?

      I see three options for the hunter:

      1) Do nothing. Let the bug remain and leave everyone using it still open.

      2) Release it to the wild like he did. At least people know now about it.

      3) Sell it on the black market, making sure that the bad guys know first.

      If I release it into the wild then maybe next time someone will listen if I try to report bugs.

      After all, if the bug isn't serious enough to be paid for finding it then it follows that releasing it into the wild shouldn't cause any serious problems, right?

      Also, if he was only there for the potential payout he would have just sold it on the dark net. The fact that he didn't shows that he DOES care about the users - just not about the company that rejected him.

      1. Anonymous Coward

        Re: From my understanding...

        This. I've been involved in bug bounties for the past 7 years on all sorts of platforms including Bugcrowd and HackerOne. The issue that this researcher ran into is quite common, and you're always left in weird limbo land. It basically goes like this:

        a) submit bug, and it's classed as 'won't fix' or 'out of scope' or <insert reason>

        b) you ask if you can go into public disclosure - because of various NDAs and Ts and Cs attached to many 'private' programs you can't...

        So basically you're sitting on something which is a known vulnerability and impactful but for whatever reason they've decided it isn't an issue, but you can't release it. This is where ethics take hold and everyone has a different opinion.

        Personally I've never released vulnerabilities into the wild like this. It also means I know dozens of companies that have vulnerabilities in their products and they know it, and I know it, but that's it. It's now their problem, not mine. Spin that Karmic wheel and watch it goooo!

        1. John Brown (no body) Silver badge

          Re: From my understanding...

          "Personally I've never released vulnerabilities into the wild like this. It also means I know dozens of companies that have vulnerabilities in their products and they know it, and I know it, but that's it. It's now their problem, not mine. Spin that Karmic wheel and watch it goooo!"

          An ethical dilemma? Balancing the risk of loss to possibly millions of people against the legal "fiction" of some likely overly onerous NDA that might not even be a legal document if it's untested in court?

        2. Updraft102 Silver badge

          Re: From my understanding...

          If news about the vulnerability gets released, the company will be forced by customers (who may not "understand" that it doesn't matter) to fix it, but if he just sits on it like Valve wants, the vulnerability remains, and if he discovered it, that means it is discoverable, so eventually someone else will, if they haven't already. Keeping quiet makes sure the people who don't know they are vulnerable remain that way, while speaking out at the very least fixes the "don't know" bit, if not also the "vulnerable" bit.

Biting the hand that feeds IT © 1998–2019