[manfredo]

> I understand you may think I'm being hard on Valve, but given how many computers the Steam Client is installed on, the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them. They should be held to a higher standard than Ma and Pa's coffee shop.

This doesn't make sense. For the number of clients that have their software installed on their computes, Valve is a tiny company (~360 employees). I work in a 1000+ person company and we have only a fraction of the number of installed clients. We also don't know the volume of reports Valve is handling, and the ratio of spurious reports to genuine reports.

The open letter you link to talks about how Valve doesn't even have a bug bounty program at all - so I'm not sure how this is supposed to serve as evidence that Valve's bug bounty program is poorly managed. If anything, it shows that the company listened to criticism and subsequently established a bug bounty program. This is still an overall positive delta, even if their bug bounty program is less than ideal. And when they do make a mistake, they responded constructively to public criticism. I'm really at a loss as to why I'm supposed to see Valve as the villain here.

[ziddoap]

You cherry-pick a one-off example (# of clients) and ignore the rest. Feel free to remove that one if you don't think it is pertinent, and address the remainder of my comment.

You also cherry-picked the letter. Yes, 5 years after a history and pattern of security negligence, they are now able to repeat that pattern on H1. Hurray, positive delta.

Even if all issues have been addressed, the fact that it has happened in the past (many times) means that Valve deserves skepticism going forward. You a big fan of Facebook now that they deleted those cleartext passwords? They are cool now and anything else that comes to light must just be an oopsie, deserving of no scrutiny? Or are you skeptical because Facebook has a proven pattern of dishonesty? The same thing applies to Valve. They have a proven pattern.

>they responded constructively to public criticism Uhh, you'll have to link me to a constructive response of public criticism.

Since you cherry-picked one issue from the letter (which should still prove to show the pattern of bad behavior that, at the very least, used to exist), I will put a few others here:

>A few members of the developer community, and no doubt members of the community at large, have received infractions against their accounts for the discovery and disclosure of bugs – a subset of which are similar to those that have been rewarded with economy items.

>During this time we caught the occasional mention that Valve’s servers were indeed leaking sensitive information (such as partner session IDs, logins and cleartext passwords), however upon patching the bug Valve did not mandate a password reset.

>As a result, an unknown user changed a different app’s name up to three days after the servers were patched[4] – proving that Steam Partner credentials were indeed exposed and abused during Heartbleed.

I see bad security practices piled on bad practices piled onto a culture that spurns security.

>I'm really at a loss as to why I'm supposed to see Valve as the villain here.

I'm not telling you to look at them as a villain. I'm saying that perhaps, given a proven history of bad practices, it would be good to look at this situation with a skeptical eye (they are trying to save face, nothing else) rather than shrug it off as an "Oops! Haha, we didn't scope our bounty quite right!".

Obviously we don't see eye to eye on the subject.

I'll keep looking at Valve, with their repeated security blunders, with skepticism. Feel free to continue to chalk it all up to an oops.

Remember the whole "Trust takes a lifetime to build, and a second to destroy"? That's the heart of where I am coming from.

[manfredo]

> You cherry-pick a one-off example (# of clients) and ignore the rest. Feel free to remove that one if you don't think it is pertinent, and address the remainder of my comment.

> You also cherry-picked the letter. Yes, 5 years after a history and pattern of security negligence, they are now able to repeat that pattern on H1. Hurray, positive delta.

Those were the only two arguments you made to support your claim that Valve's bug bounty program is not as good as it should be. You're accusing me of "cherry picking" because I responded the only two arguments you made. This is just laughable, and it eliminated the rest of my doubt as to whether or not you're participating in this conversation in good faith.

Let's recap your previous comment: Your first paragraph didn't make an argument, it was sharing your opinion that you think Valve's management of their bug bounty isn't up to par and that highlighting the fact that they have paid out hundreds of bounties amounts to "bragging". Your second paragraph is where you make the first actual argument, the claim that we should be able to hold them to a higher standard because of the ratio of their client install count and employees. And you added the link to the letter in an edit below that.

I respond to both of the claims you made (the client vs. employee count, and the letter) and now you're saying that I'm "cherry picking" because I'm responding to the two arguments that you brought up.

[ziddoap]

I must not have written it clearly, sorry.

Here is the only argument I've been trying to make:

Valve has a history of bad security practices and bad responses to security researchers. We should be skeptical of this announcement, coming immediately after bad PR coverage, because Valve has a history of bad security practices and bad responses to security researchers.

----

In support of my main argument, which is that we should be skeptical of Valve's announcement because of their history, I made several supporting arguments.

Just in my last comment, you chose # of clients. Some of the other examples I gave (you guessed it, in support of my main argument, which I shouldn't need to repeat again):

>the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them.

The letter, which again served in support of my main argument, showed a few examples of how their security culture has always been this way. Although since that time they have moved to H1, which I tried to point out doesn't really mean a whole lot when they were forced into it (and a reminder, we are looking at their pattern of bad behavior with security), the other issues raised include: Putting infractions against accounts that report bugs while rewarding others, and leaking sensitive information including passwords and not forcing a reset.

From some of my past comments, in support of the main argument, I gave examples such as: Shifting blame in their post, not contacting the researcher this entire PR mess is about, not allowing that researcher to submit bugs, and disputing the CVE which requires additional manual review of the bug (and is additional confirmation that they both a) understand that it is an LPE and b) that they don't think it's serious.)

I have done nothing but try to argue in good faith, I'm sorry you see it a different way.

Valve needs to gain my trust after years and years of proving to be negligent with security. They seem to have yours explicitly.