Valve


reports in last 90 days

36

disclosed resolved issues

0

disclosed informative issues

0

disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
|---|---|---|---|---|---|
| Medium | Arbitrary file creation with semi-controlled content (leads to DoS, EoP and others) at Steam Windows Client | Path Traversal | xi-tauw | Time to triage: 1 Days and 3 hours; Time to close: 7 Days and 9 hours | Resolved |
| Critical | Getting all the CD keys of any game | Improper Access Control - Generic | moskowsky | Time to triage: 0 Days and 8 hours; Time to close: 3 Days and 7 hours | Resolved |
| Medium | Malformed map detailed texture files in GoldSrc games lead to Remote Code Execution | Stack Overflow | nyancat0131 | Time to triage: 10 Days and 5 hours; Time to close: 39 Days and 0 hours | Resolved |
| High | Malformed playlist.txt in GoldSrc games leads to Access Violation & arbitrary code execution | Stack Overflow | nyancat0131 | Time to triage: 10 Days and 22 hours; Time to close: 39 Days and 0 hours | Resolved |
| Critical | Unchecked weapon id in WeaponList message parser on client leads to RCE | Array Index Underflow | nyancat0131 | Time to triage: 14 Days and 11 hours; Time to close: 18 Days and 21 hours | Resolved |
| Critical | XSS in steam react chat client | Cross-site Scripting (XSS) - Stored | zemnmez | Issue was not triaged; Time to close: 21 Days and 7 hours | Resolved |
| Critical | RCE on Steam Client via buffer overflow in Server Info | Classic Buffer Overflow | vinnievan | Time to triage: 0 Days and 8 hours; Time to close: 77 Days and 16 hours | Resolved |
| High | ISteamAssets gives partners control over unrelated community market transactions | Improper Access Control - Generic | njbooher | Time to triage: 2 Days and 3 hours; Time to close: 1 Days and 22 hours | Resolved |
| Medium | code injection, steam chat client | Code Injection | zemnmez | Time to triage: 12 Days and 20 hours; Time to close: 4 Days and 0 hours | Resolved |
| Medium | Stored XSS in the guide's GameplayVersion (www.dota2.com) | Cross-site Scripting (XSS) - Stored | mvc | Time to triage: 0 Days and 18 hours; Time to close: 1 Days and 3 hours | Resolved |
| Low | CSRF \| Ban or unban users in broadcast's chat | Cross-Site Request Forgery (CSRF) | romesful | Time to triage: 4 Days and 5 hours; Time to close: 14 Days and 6 hours | Resolved |
| Medium | XSS @ store.steampowered.com via agecheck path name | Cross-site Scripting (XSS) - Reflected | tvmpt | Time to triage: 1 Days and 17 hours; Time to close: 10 Days and 19 hours | Resolved |
| Medium | Reflected XSS on help.steampowered.com | Cross-site Scripting (XSS) - Reflected | xpaw | Time to triage: 0 Days and 0 hours; Time to close: 3 Days and 15 hours | Resolved |
| Low | Comment restriction in subsection "Workshop" of domain "steamcommunity.com" can be bypassed using IDOR | Insecure Direct Object Reference (IDOR) | ronak_9889 | Time to triage: 1 Days and 10 hours; Time to close: 47 Days and 2 hours | Resolved |
| High | [help.steampowered.com] Account takeover bruteforcing SteamGuard | Business Logic Errors | natetheriver | Time to triage: 8 Days and 9 hours; Time to close: 7 Days and 23 hours | Resolved |
| Medium | unlock self-lock by brute force | Brute Force | man_shum | Time to triage: 1 Days and 19 hours; Time to close: 2 Days and 2 hours | Resolved |
| Low | Deleting other people's comments on ModeratorMessages | Improper Authentication - Generic | milkgames | Time to triage: 5 Days and 2 hours; Time to close: 111 Days and 0 hours | Resolved |
| High | Malformed Skybox .TGA in Half-Life (GoldSRC) leads to Access Violation | Classic Buffer Overflow | chippy | Time to triage: 80 Days and 8 hours; Time to close: 23 Days and 14 hours | Resolved |
| Medium | Buffer overflows in demo parsing | Classic Buffer Overflow | yalter | Time to triage: 4 Days and 22 hours; Time to close: 101 Days and 7 hours | Resolved |
| Critical | SQL Injection in report_xml.php through countryFilter[] parameter | SQL Injection | moskowsky | Time to triage: 0 Days and 5 hours; Time to close: 7 Days and 4 hours | Resolved |
| Critical | Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution | Classic Buffer Overflow | chippy | Time to triage: 1 Days and 16 hours; Time to close: 58 Days and 6 hours | Resolved |
| Medium | ImageMagick GIF coder vulnerability leading to memory disclosure | Information Disclosure | alyssa_herrera | Time to triage: 0 Days and 0 hours; Time to close: 133 Days and 7 hours | Resolved |
| Low | Suspended users can bypass UGC upload ban | Improper Access Control - Generic | delite | Time to triage: 9 Days and 9 hours; Time to close: 7 Days and 3 hours | Resolved |