Published in News

Developers complain about Valve security and get a reply

21 July 2014

Network and application security are big deals and big business these days. It seems that a day does not pass that you hear about a new breach, exploit, hack or something. This sad state has prompted a few companies to actually look outside their organizations for help and offer bug bounties to individual researchers that find holes in applications and hardware. These bounties can be quite the incentive to get people to tear into your application looking for exploits, but even more important than rewards is having a clear method to report problems and a team that actually responds to them when they are found.

This is a problem that many developers have with Valve. They feel that getting in touch with the game development company is a monumental task and it should not be. They also complained that Valve does not offer any sort of reward for the bugs found with the exception of hats for Team Fortress. In an open letter to Valve a group of developers spelled out their complaints: some valid, some not so much.

The complaint that there are no bug bounties is a little much when you think about it. There really are very few companies that offer money for reported bugs and exploits. Worrying about not getting any money or compensation for finding a bug is a little petty to be honest.

On the opposite side of the scale is the claim that there is no clear method to report bugs or security issues. This one really is huge, as it prevents people from actually telling Valve about problems in their systems. Yes, you can email them, but there is often no response to reported issues, so that is still not an effective way to communicate. Valve needs to make sure that there is a clearly defined method for reporting security issues in their applications and software. Not doing this is a very foolish way to operate.

This leads me to one of my favorite claims from the devs and one that (in my opinion) is almost ludicrous. The developers claim that Valve’s response to Heartbleed took too long. According to them Valve took 24 hours to patch their servers and this is simply not acceptable. To those developers I would like to point out that the vulnerability was found over two years ago and it took OpenSSL that length of time to fix. Valve’s 24 hour response was a fraction of the multi-week time frame for many vendors and services. On top of that, more than half of affected web servers have still not been patched. To make a big issue about a 24 hour patch time is a little much.

In response to this open letter Valve did publish what looks like a new policy. In it they include an email address that developers and researchers should use to submit bugs and other security issues. Valve says they will acknowledge all reports and follow up on them. Alternatively, they offer a form of encryption for sensitive communication if needed. It is certainly a start, but we are sure that more can be done and needs to be.


Last modified on 21 July 2014