by manfredo
2499 days ago
> You cherry-pick a one-off example (# of clients) and ignore the rest. Feel free to remove that one if you don't think it is pertinent, and address the remainder of my comment.

> You also cherry-picked the letter. Yes, 5 years after a history and pattern of security negligence, they are now able to repeat that pattern on H1. Hurray, positive delta.

Those were the only two arguments you made to support your claim that Valve's bug bounty program is not as good as it should be. You're accusing me of "cherry picking" because I responded to the only two arguments you made. This is just laughable, and it eliminated the rest of my doubt as to whether or not you're participating in this conversation in good faith.

Let's recap your previous comment: Your first paragraph didn't make an argument; it was sharing your opinion that you think Valve's management of their bug bounty isn't up to par and that highlighting the fact that they have paid out hundreds of bounties amounts to "bragging". Your second paragraph is where you make the first actual argument, the claim that we should be able to hold them to a higher standard because of the ratio of their client install count and employees. And you added the link to the letter in an edit below that. I respond to both of the claims you made (the client vs. employee count, and the letter) and now you're saying that I'm "cherry picking" because I'm responding to the two arguments that you brought up.
Here is the only argument I've been trying to make:
Valve has a history of bad security practices and bad responses to security researchers. We should be skeptical of this announcement, coming immediately after bad PR coverage, because Valve has a history of bad security practices and bad responses to security researchers.
----
In support of my main argument, which is that we should be skeptical of Valve's announcement because of their history, I made several supporting arguments.
Just in my last comment, you chose # of clients. Some of the other examples I gave (you guessed it, in support of my main argument, which I shouldn't need to repeat again):
>the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them.
The letter, which again served in support of my main argument, showed a few examples of how their security culture has always been this way. Although since that time they have moved to H1, which I tried to point out doesn't really mean a whole lot when they were forced into it (and a reminder, we are looking at their pattern of bad behavior with security), the other issues raised include: Putting infractions against accounts that report bugs while rewarding others, and leaking sensitive information including passwords and not forcing a reset.
From some of my past comments, in support of the main argument, I gave examples such as: shifting blame in their post, not contacting the researcher this entire PR mess is about, not allowing that researcher to submit bugs, and disputing the CVE, which requires additional manual review of the bug (and is additional confirmation that they both a) understand that it is an LPE and b) don't think it's serious).
I have done nothing but try to argue in good faith, I'm sorry you see it a different way.
Valve needs to gain my trust after years and years of proving to be negligent with security. They seem to have yours explicitly.