Hello, welcome to the Friday, August 23rd, 2019 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I'll start out with a story that has sort of been developing all weekend.

That's about, well, how Valve kind of misstepped in bug bounties.

Valve is the company behind the popular online gaming platform, Steam, and Steam is offering

a bug bounty via the Hacker One platform.

Vasily Kravitz is a researcher that recently found a privilege escalation flaw in

Steam and reported it via the Hackerman platform, of course expecting a reward. What instead happened

was that Valve told him that the privilege escalation flaws are really sort of out of scope for Steam.

So he shouldn't expect any bug bounty for this particular flaw.

And that's sort of where some arguing apparently started between cravets and Valve,

which resulted in cravets being kicked out of the Buck Bounty Program.

It's of course always a difficult decision here to accurately identify the value of particular

vulnerabilities and has happened before that the reporter of a vulnerability and the company

that owns the product don't necessarily agree on the severity.

To put us a little bit in perspective, Steam is really a platform to run code. As a developer,

you can develop a game that runs within this Steam, essentially virtual machine, and with that,

your game can run on whatever platform is supported by Steam, which virtual machine, and with that, your game can run on whatever platform is

supported by Steam, which of course, no sort of increases the reach of a particular game.

But this makes it really difficult for Steam to actually prevent pervage escalation flaws,

in particular since some components in Steam run as administrator

so they have full low level access to things like graphics drivers and the like, which of course

...