mxscho | 4 years ago

According to a tweet that was also retweeted by the user @floesen_ who was mentioned in the original thread, the initial report 2 years ago was done using HackerOne but has probably not seen any helpful response from Valve [1]. There are also other reports of Valve not reacting to HackerOne reports appropriately [2].

It is currently unclear whether there is a publicly available PoC or any exploitation going on in the wild.

[1] https://twitter.com/AntiCheatPD/status/1380873722966503426

[2] https://twitter.com/killa/status/1380872852090540032


pricechild|4 years ago

> There are also other reports of Valve not reacting to HackerOne reports appropriately

I'll second that.

I discovered and reported a vulnerability with the Steam client's Bluetooth pairing process via HackerOne.

The issue was confirmed but decided "out of scope" as apparently "within Bluetooth range" runs afoul of the bug bounty's "require physical access" exclusion.

8 months later (I haven't exactly kept on top of this) they're still demanding I keep it confidential. I'll follow it up...

yjftsjthsd-h|4 years ago

Surely that's a contradiction? Either it's a security problem by their criteria, or it isn't; if it is, then they should pay up and fix it, if it isn't then they have no legitimate reason to care if you put full details on the front page of $MAJOR_NEWS_SITE.

ziml77|4 years ago

How can they demand that you keep it confidential if they've already declared it to be out-of-scope? People need to start releasing these exploits instead of being a slave because they'd no longer get any payouts from HackerOne. Once the exploits are public, I assure you that either Valve will scramble to fix them or people will start looking for safer alternatives.

veeti|4 years ago

Just release it. Maybe Valve will have to do something once folks start losing their precious CS:GO skins?

tgsovlerkhgsel|4 years ago

HackerOne also at least strongly discourages publishing your findings if the developers refuse to take action.

https://www.hackerone.com/disclosure-guidelines states that "After the Report has been closed, Public disclosure may be requested by either the Finder or the Security Team." - so if the report just doesn't get closed, you can't disclose through the platform, and https://www.hackerone.com/policies/code-of-conduct says "Disclosing report information without previous authorization is not permitted."

To me, that seems that you're not permitted to disclose the issue at all until the report has been closed and either 1) 30 days have passed and the security team hasn't requested an extension, or 2) "180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline".

Due to this, I refuse to report through HackerOne.