It would probably also be a shame when floesen_ got sued for an NDA violation and had to spend tens of thousands of dollars in civil court explaining that they got hacked and it's not their fault.
Someone would have to do the suing though. Who would that be? It could be either Valve, or HackerOne.
HackerOne is almost certainly smarter than doing that because this would immediately ruin their reputation as a bug reporting platform (and expose that they're complicit in suppressing disclosure). They're much more likely to just ban the H1 account or issue some limited penalty.
Valve could potentially try, but the risk here also seems minimal: They also have a reputation to uphold, are experienced enough to know that suing security researchers paints a really bad picture and would draw attention to their vulnerabilities, and especially if their software is full of holes, this would almost certainly cause many people to disclose information about those.
HackerOne is almost certainly smarter than doing that because this would immediately ruin their reputation as a bug reporting platform (and expose that they're complicit in suppressing disclosure). They're much more likely to just ban the H1 account or issue some limited penalty.
Valve could potentially try, but the risk here also seems minimal: They also have a reputation to uphold, are experienced enough to know that suing security researchers paints a really bad picture and would draw attention to their vulnerabilities, and especially if their software is full of holes, this would almost certainly cause many people to disclose information about those.