Earlier this week, SteamDB published an open letter to Valve from various members of Steam’s developer community concerned with some of the company’s security practices.
Their primary concern is that unlike other big companies like Facebook and Google, which offer hundreds and even thousands of dollars in rewards to security researchers who discover exploits, Valve doesn’t have an official “bug-bounty” program. People who do discover security flaws and want to do the right thing and report them are not sure where to turn, and usually don’t get rewarded. If they do, it’s in the form of rare, in-game economy items like Team Fortress 2 hats.
“Regardless of bounties, not having a clear page describing how to report security bugs to Valve, and receive acknowledgement that reports have been received, is harmful to Valve’s customers,” the open letter reads. “The top result when searching for ‘Steam bug report’ on Google is a Steam Powered Users Forum section for the video game DogFighter – demonstrating that users who wish to report bugs responsibly have difficulty finding an avenue to do so.”
Valve responded to the letter the same day it was published. “We take security very seriously, and your email prompted us to evaluate our current procedures,” it said. “In light of that we have recently created a new security web page which explains our process for receiving and responding to security reports (http://www.valvesoftware.com/security). We believe our process is robust but we understand that we haven’t been completely transparent about the process and that has created some confusion. We hope that the above page helps to add clarity and discoverability.”
It also explained that only some teams within Valve, namely the Team Fortress 2 team, have chosen to offer small rewards for certain valuable reports. At the moment, Valve isn’t planning to establish a formal bug-bounty program.
Valve’s response also ignored the open letter’s claim that it took the company 24 hours to patch its servers against the notorious Heartbleed vulnerability. The letter calls that delay “unacceptable,” and Valve still hasn’t said what data may have been compromised.
“The security page is a step in the right direction, but some points are left unanswered,” the authors of the letter said following Valve’s response. “We will continue to communicate with Valve.”
What do you think people who report security flaws should get in return? Let us know in the comments below.