zlacker

[return to "Steam "Offline" status leaks exact login timestamps (Valve: Won't Fix)"]
1. anonym+96[view] [source] 2026-01-20 23:25:15
>>xmrcat+(OP)
The first thing I have to point out is that this entire article is clearly LLM-generated from start to finish.

The second thing I have to point out is that bug bounty programs are inundated with garbage from people who don't know anything about programming and just blindly trust whatever the LLM says. We even have the 'author' reproducing this blind reinforcement in the article: "Tested Jan 2026. Confirmed working."

The third thing I have to point out is that the response from Valve is not actually shown. We, the reader, are treated to an LLM-generated paraphrasal of something they may or may not have actually said.

Is it possible this issue is real and that Valve responded the way they did? Perhaps, but the article alone leaves me extremely skeptical based on past experiences with LLM-generated bug bounty reports.

◧◩
2. xmrcat+89[view] [source] 2026-01-20 23:43:03
>>anonym+96
here you go https://i.ibb.co/39GRMySs/png.png
◧◩◪
3. gpm+n9[view] [source] 2026-01-20 23:45:11
>>xmrcat+89
Do I misunderstand that to be HackerOne staff - not Valve staff - marking it as "not a security vulnerability" - not "won't fix"?
◧◩◪◨
4. gruez+ob[view] [source] 2026-01-20 23:59:44
>>gpm+n9
You're right, but in this case I think some narrative liberty was justified, especially since Valve basically delegated triaging bug reports to HackerOne, but this relationship might not be immediately obvious to some readers. Suppose a nightclub contracts its bouncers from some security security firm. You get kicked out by the contract security guard. I think most people would think it's fair to characterize this situation as "the nightclub kicked me out" on a review or whatever.
◧◩◪◨⬒
5. gpm+Rd[view] [source] 2026-01-21 00:16:11
>>gruez+ob
It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports. It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
◧◩◪◨⬒⬓
6. gruez+Yf[view] [source] 2026-01-21 00:32:08
>>gpm+Rd
>It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports.

That was a typo on my side, should be "security".

>It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.

For all intents and purposes getting your report marked as "informative" or whatever is the same as your report being rejected. To claim otherwise is just playing word games, like "it's not a bug, it's a feature". That's not to say that the OP is objectively correct that it's a security issue, but for the purposes of this argument what OP wrote (ie. 'Valve: "WontFix"' and Valve closed it as "Informative.") is approximately correct. If you contact a company to report a bug, and that company routes it to some third party support contractor (microsoft does this, I think), and the support contractor replies "not a bug, won't fix", it's fair to characterize that as "[company] rejected my bug report!", even if the person who did it was some third party contractor.

◧◩◪◨⬒⬓⬔
7. anonym+zg[view] [source] 2026-01-21 00:37:19
>>gruez+Yf
> If you contact a company to report a bug, and that company routes it to some third party support contractor

That is not what happened, though. You can contact Valve/Steam directly. They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.

◧◩◪◨⬒⬓⬔⧯
8. gruez+Vk[view] [source] 2026-01-21 01:15:16
>>anonym+zg
>They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.

I don't know, the wording on their site suggests hackerone is the primary place to report security issues, not "if you want to get paid use hackerone, otherwise email us directly".

>For issues with Steam or with Valve hardware products, please visit HackerOne — https://hackerone.com/valve. Our guidelines for responsible disclosure are also available through that program.

https://www.valvesoftware.com/en/security

[go to top]