Count me not surprised.
A company that goes out of their way to dispute the CVE, to turn around a day after a PR firestorm, is not actually turning around. They are saving face.
The apology was loaded with blame shifting and bragging about previous H1 payments; neither of these leads me to be more lenient with Valve.
The hacker is still banned from submitting bugs, for god's sake. Nor has he heard from Valve.
Edit: They even disputed the CVE, manually, removing any doubt that this wasn't an oopsie caused by a system.
> We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.
> Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
Valve seems to be pretty explicit about the fact that the issue was due to bad rules over what is and isn't in scope.
Un-banning the researcher is on HackerOne's end, isn't it?
Valve is coasting on prior success. If Discord or Curse were done better, Steam's market share would nosedive.
This is one of many mistakes that happen when you don't compete and innovate.