Recently, SteamDB published an open letter to Valve from members of Steam’s developer community who are concerned about some of the company’s security practices. The letter, signed by 16 individuals from the Steam developer community, complained that Valve does not offer rewards or bounties to security researchers who discover exploits.
"Regardless of bounties, not having a clear page describing how to report security bugs to Valve, and receive acknowledgement that reports have been received, is harmful to Valve’s customers," the open letter reads. "The top result when searching for ‘Steam bug report’ on Google is a Steam Powered Users Forum section for the video game DogFighter – demonstrating that users who wish to report bugs responsibly have difficulty finding an avenue to do so."
Valve apparently read the letter and responded on its security page, saying that it takes security issues that affect Steam very seriously.
"We take security very seriously, and your email prompted us to evaluate our current procedures," the company said in a statement. "In light of that we have recently created a new security web page which explains our process for receiving and responding to security reports. We believe our process is robust but we understand that we haven’t been completely transparent about the process and that has created some confusion. We hope that the above page helps to add clarity and discoverability."
Valve went on to say that only some teams within the company – for example, the Team Fortress 2 team – have decided to offer small rewards for certain valuable reports. At the moment, Valve isn’t planning to establish a formal bug-bounty program.
Valve's response did not address a claim in the letter that it took the company 24 hours to patch its servers to address the notorious Heartbleed vulnerability.
The letter claims that the delay was "unacceptable," and that Valve still hasn’t said what data may have been compromised.
"The security page is a step into the right direction, but some points are left unanswered," the authors of the letter said following Valve’s response. "We will continue to communicate with Valve."