What's the point of stating these obvious tautologies? Yes, they have that right, he has the right to post on Twitter, someone has the right to post that on HN, we have the right to call Valve out, you have the right to defend Valve, we have the right to reply to your defence, and so on ad inf.
Did you read his first report? In scope or not, their right or not, how is a ban without proper dialogue (threats don't fall in that category) the reasonable reaction here? That's not how you interact with a pretty tight-knit community, even if you're the one sitting on the pile of money.
vorpalhex|6 years ago
I expect them to take security flaws seriously if they want my continued patronage - and that includes EoPs.
kelnos|6 years ago
Telling a security researcher "we're not going to fix this but please keep it secret" is not a viable strategy, ever.
In the end, the researcher went public (as nearly all will, in that same situation), Valve got a hit to their reputation in the tech press, and they ended up having to (attempt and fail to) fix it anyway. Entirely predictable, and Valve looks really stupid here.
Banning people from your bug bounty program for following the generally accepted rules for security disclosures is certainly within their rights, but so what? It's not a winning strategy for any company.
scarejunba|6 years ago
All true and utterly worthless to point out.