Valve tweaks bug bounty program after 'mistakenly' turning away researchers

Valve has expanded the scope of its HackerOne bug bounty program after a researcher was turned away for submitting a valid vulnerability found in Valve’s game distribution platform Steam.

That change to the program comes as part of a larger story covered by Ars Technica in which two researchers had their bug bounty submissions rejected by the HackerOne campaign, and in one case being told they were no longer able to submit future bugs following the rejection.

Following one of these rejections, Valve issued a statement to Ars acknowledging that the researcher was “incorrectly turned away” and that the idea that his report was classified as out of scope “was a mistake.”

“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam,” reads the statement.

The new update to Valve’s HackerOne program now states that those above issues do fall within the scope of the bounty program. Beyond that, Valve notes that it is reviewing the details of the situations with some researchers, likely those mentioned in Ars’ report, but will not comment on any specifics.