| I must not have written it clearly, sorry. Here is the only argument I've been trying to make: Valve has a history of bad security practices and bad responses to security researchers. We should be skeptical of this announcement, coming immediately after bad PR coverage, because Valve has a history of bad security practices and bad responses to security researchers. ---- In support of my main argument, which is that we should be skeptical of Valve's announcement because of their history, I made several supporting arguments. Just in my last comment, you chose # of clients. Some of the other examples I gave (you guessed it, in support of my main argument, which I shouldn't need to repeat again): >the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them. The letter, which again served in support of my main argument, showed a few examples of how their security culture has always been this way. Although since that time they have moved to H1, which I tried to point out doesn't really mean a whole lot when they were forced into it (and a reminder, we are looking at their pattern of bad behavior with security), the other issues raised include: Putting infractions against accounts that report bugs while rewarding others, and leaking sensitive information including passwords and not forcing a reset. From some of my past comments, in support of the main argument, I gave examples such as: Shifting blame in their post, not contacting the researcher this entire PR mess is about, not allowing that researcher to submit bugs, and disputing the CVE which requires additional manual review of the bug (and is additional confirmation that they both a) understand that it is an LPE and b) that they don't think it's serious.) I have done nothing but try to argue in good faith, I'm sorry you see it a different way. Valve needs to gain my trust after years and years of proving to be negligent with security. They seem to have yours explicitly. |