I could perhaps forgive a misunderstanding over fringe-cases or a company that is new to the H1 platform. However, we are talking about a LPE in this case, with a company who has themselves bragged about their familiarity with the platform. I would expect that they would spend some time checking their scope for something like LPE's and making sure it is crystal clear.

>Un-banning the researcher is one HackerOne's end, isn't it?

I was under the impression that each corporation running a bounty is in charge of allowing or disallowing users to their specific bounty, not H1. But to be fair, I'm not positive of this.

I understand you may think I'm being hard on Valve, but given how many computers the Steam Client is installed on, the age and size of the company, their familiarity with H1, their past responses to situations like this, not attempting to get in touch with the researcher they said it was a mistake to turn away (and there was a 2nd researcher turned away), and the half-hearted response - I simply can't understand making excuses for them. They should be held to a higher standard than Ma and Pa's coffee shop.

They do not appear to be acting in good faith, but rather trying to put out a fire and sweep it under the rug.

Edit:

To pile on, here is an open letter sent to Valve in 2014. This is not a new pattern for Valve.

https://steamdb.info/blog/valve-security-open-letter/

An excerpt:

"This letter is collaboratively written by various members of Steam’s developer community regarding our concerns with Valve security behaviours, in particular Valve’s inconsistency in rewarding those who report bugs (occasionally punishing people), the speed at which Valve addresses bug reports (if at all), and the problems users face attempting to report bugs to Valve"