Valve’s security processes criticised in open letter

An open letter to Valve, signed by many leading security specialists and game developers, has been published. It calls out Valve for what the signatories see as a disorganised and woeful approach to security: how bugs are reported, how they are fixed, and how the people who make them known to Valve are rewarded.

The letter addresses its three main points one by one, starting with Valve’s lack of a ‘bug bounty’ program that made sense. While the signatories did note that some reporters had received rewards of virtual items, this did not happen often enough to give them hope, and in some cases they note that reporters might even have come off worse for making the bugs known. They raised the worry that gamers could fabricate bugs in the hope of a reward, and pointed to the bug bounty programs of other websites and media, such as Google’s, which offer rewards from $100 to $2000 for reporting a bug. Rewards in virtual items were not considered enough of a draw for the security experts who could be trusted to seek out harmful coding bugs, as they wouldn’t see the search as worthwhile for little to no reward.

The letter also questioned the lack of a clear place to report bugs, as well as Valve’s speed in tackling them and closing exploits. It used the well-known Heartbleed bug as an example, stating that Valve took up to 24 hours to patch it and even then did not issue a mass password change request to users or provide much information to gamers using its products. The letter says there was evidence of data being leaked from Valve while the patching was going on, so the signatories find Valve’s handling of the exploit unsatisfactory.

 

Valve responded quickly, acknowledging the problems outlined in the open letter and saying that it had prompted a review of their security procedures. They pointed to a recently created site (http://www.valvesoftware.com/security) as the place to report bugs and said that they believed their security measures were “robust but we understand that we haven’t been completely transparent about the process and that has created some confusion”.

They did say that there were no plans to put any formal bug bounty program in place, although separate Valve teams, such as the Team Fortress 2 team, can and often will offer in-game items as an incentive for players to report bugs to them. They also denied ‘punishing’ people who reported bugs to them, saying they only took measures to prevent such bug reveals from becoming damaging to the community.


Posted on Friday, July 18th, 2014 at 22:24. Filed under Gaming, General, PC.
