Valve's response is at the bottom of this post. Click to jump.
To whom it may concern,
This letter is collaboratively written by various members of Steam’s developer community regarding our concerns with Valve security behaviours, in particular Valve’s inconsistency in rewarding those who report bugs (occasionally punishing people), the speed at which Valve addresses bug reports (if at all), and the problems users face attempting to report bugs to Valve.
Valve does not have a bug bounty program, but bugs do exist in Valve’s products – just like any other pieces of software. Users, whether casual gamers or developers such as ourselves, occasionally come across these bugs, and we want to report them to ensure Valve’s products and customers are secure. There has been an observable trend over the past few months with individuals receiving rare economy items as a reward for reporting bugs (particularly bugs with a heavy impact on the virtual economies within Steam); this trend has been noticed and is commonly referred to when individuals users of Steam ask how to report bugs – it is being interpreted as a bug-bounty program. We believe this practise – granting economy items as compensation – is harmful to Valve’s products and reputation as a company, as this practise encourages casual gamers (the audience of Steam’s virtual economies) to find and report bugs which are often either questionable or entirely fabricated in hope to get a rare economy item, and we believe this practise dissuades experienced security researchers to pay any real attention to Valve’s products – as they would receive no compensation for their work.
Many other companies offer well defined bug-bounty programs which pay from hundreds to thousands of dollars to security researchers who find bugs. For example, Facebook offers a $500 minimum reward, and Google’s rewards range from $100 to $20,000. For a company that is “more profitable [per employee] than Google and Apple” and has a wide variety of products (video-games, Steamworks & associated economy functionality, developer-tools, operating systems, living-room hardware) to not have a clearly defined bug-bounty program, but which arbitrarily grants virtual items in lieu (if at all), seems both reckless and insulting to experienced security researchers.
Regardless of bounties, not having a clear page describing how to report security bugs to Valve, and receive acknowledgement that reports have been received, is harmful to Valve’s customers; the top result when searching for “Steam bug report” on Google is a Steam Powered Users Forum section for the video game DogFighter – demonstrating that users who wish to report bugs responsibly have difficulty finding an avenue to do so.
There is also an issue of double-standards to be raised here. A few members of the developer community, and no doubt members of the community at large, have received infractions against their accounts for the discovery and disclosure of bugs – a subset of which are similar to those that have been rewarded with economy items. This is further damaging, as it introduces uncertainty with regards to the fate of individuals who come across bugs: are they going to be punished or rewarded?
In recent months a critical bug was found within OpenSSL, Heartbleed; this bug was huge – it affected a lot of the working web at the time it was published (it probably still affects a significant number of websites), and it allowed malicious users to easily read the memory of systems which were vulnerable to it. Unfortunately for Valve, the details on the Heartbleed bug were published when half of the company was in Hawaii; because of this, we believe it took approximately 24 hours for Valve to patch their servers (the bug was first mentioned, along with a patch to OpenSSL, on April 7th at 10:27 PDT – though it did take a few hours for news of Heartbleed to spread; our own IRC logs indicate reports of Steam being patched around 10:28 PDT on April 8th). We believe this delay in action is unacceptable for a company like Valve – whose systems process sensitive data for millions of customers and partners.
During this time we caught the occasional mention that Valve’s servers were indeed leaking sensitive information (such as partner session IDs, logins and cleartext passwords), however upon patching the bug Valve did not mandate a password reset. As a result, an unknown user changed a different app’s name up to three days after the servers were patched – proving that Steam Partner credentials were indeed exposed and abused during Heartbleed. We understand Valve mandated password resets for some Steam partner users, however we’ve had reports from many other Steam partners that their passwords had not been reset – leaving potentially compromised partner accounts accessible to this day. Additionally, Valve have never made an announcement to partners or customers with regards to what data may have been exposed via Heartbleed. We believe Valve’s response to Heartbleed was and remains unsatisfactory.
Unfortunately, these sentiments are not new – we’ve each had our concerns with regards to the security of Valve’s products for years, but we were never inclined to make any real effort to raise our concerns until the recent incident of a Steamworks developer receiving a Steam Community ban in relation to a bug report. Although we’ve mentioned the partner site and Heartbleed as a specific example of a failure from Valve, it’s worth clarifying that our comments are not limited to the partner site – we believe Valve’s behaviour put all of their products at risk.
Another core problem, we believe, is that Valve does not offer any adequate avenues for individuals to report bugs, nor sufficiently or consistently compensates individuals for reporting bugs. Our experience using the [email protected] contact address suggests only one Valve employee appears to read and respond to these e-mails – which isn’t practical when major bugs (such as Heartbleed) are disclosed and urgent attention is required. We’ve had to resort to contacting Valve employees directly, often employees whose work is unrelated to the problems we’re reporting, over instant messaging services in order to ensure somebody at Valve is aware and can pass along the report to whomever can deal with it; while this often works out, it introduces various opportunities for the report to become misunderstood or lost en route to somebody’s desk.
The community at large has also had problems figuring out how to report bugs. It’s not uncommon for users of the TF2 subreddit to ask how to report a bug to Valve responsibly. Most often the response is to email a specific set of employees at Valve, commonly those who are active in the various community mailing lists whose email addresses are therefore known. One service we’d recommend Valve take a look at and consider using, to alleviate many of the concerns we’ve raised in this letter, is HackerOne. This service is used by many reputable companies (Yahoo, Twitter, CloudFlare, and more) to manage their bug bounty programs, by making it easy for users to report bugs and optionally reward researchers who find bugs.
In conclusion, we believe Valve are putting themselves, their customers, and their partners at risk by not having a well defined bug bounty policy; not having any clear instructions on how users can report bugs; and not being transparent with the various parties involved when serious bugs arise. We’re all fans of Valve, and our ultimate goal is not to be an inconvenience, but to help make Valve’s products and customers more secure. We hope Valve understands our concerns and can rectify them within the coming months.
Rob Jackson (Official Team Fortress Wiki)
Martin Benjamins (SteamDB)
Pavel D. (SteamDB)
Jesús Higueras (Galactic Cafe)
Alexander Corn (FirePowered LLC)
James Doran (GetDotaStats)
Etienne Perot (Official Team Fortress Wiki)
Bence Nagy (Official Team Fortress Wiki)
Anthony Garcia (Official Team Fortress Wiki, OPTF2)
Ben Williams (Official Team Fortress Wiki, Robotic Boogaloo Web Developer)
John Drinkwater (Concerned Citizen)
Mickey William Fischer (Concerned Citizen)
Richard S. (Bazaar.tf, backpack.tf)
Mohammed Moussa (Official Team Fortress Wiki)
Devin Watson (Concerned Citizen)
Colin Stevens (Official Team Fortress Wiki)
 Facebook’s bug-bounty policy https://www.facebook.com/whitehat
 Google’s bug bounty policy https://www.google.com/about/appsecurity/reward-program/
 The time at which OpenSSL published a Heartbleed security advisory to their website, according to http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html
 See the following SteamDB history sections:
- April 09, 2014 – 00:51:07 UTC – “Changed name Call of Duty: Black Ops II › Valve please reset partner logins because heartbleed” – http://steamdb.info/app/202970/history/
- April 10, 2014 – 01:53:47 UTC – “Changed name South Park™: The Stick of Truth™ › Valve please reset all partner logins because heartbleed” – http://steamdb.info/app/213670/history/
- April 11, 2014 – 01:00:09 UTC – “Changed name Dino D-Day › Valve seriously... reset partner logins” – http://steamdb.info/app/70000/history/
- A screenshot showing the SteamDB database entries for each of the above changes: http://steamdb.info/static/img/blog/47/heartbleed.png
 Various Reddit threads, examples include:
Valve's response was received on July 17th at 20:28 UTC.
Pavel et al, thank you for your concern for Steam and Valve. We take security very seriously, and your email prompted us to evaluate our current procedures. In light of that we have recently created a new security web page which explains our process for receiving and responding to security reports (http://www.valvesoftware.com/security). We believe our process is robust but we understand that we haven’t been completely transparent about the process and that has created some confusion. We hope that the above page helps to add clarity and discoverability.
Each team at Valve has slightly different requirements and goals when working on security reports, for Steam we have chosen to thankfully accept reports but otherwise offer no formal incentives. Other teams, in particular the Team Fortress 2 team, have slightly different processes and have chosen to offer small rewards for certain valuable reports. We don’t plan on establishing any formal bug bounty programs for any of our products at this time.
It is our policy to not ban or admonish users due to responsible research and disclosure of security issues. Our intent is always to make it safe and easy for researchers to report issues, but we do need to protect users from cases where abuse of the system that negatively affects others is occurring. In cases where we determine someone to be causing harm we may take action to prevent further abuse. We expect partners and security researchers to be careful and responsible in both their research and disclosure of issues and when that happens we work closely with them and encourage their work.
All of us at Valve
The security page is a step into the right direction, but some points are left unanswered. We will continue to communicate with Valve. This post will be updated with future communication regarding this subject.