You're right, but in this case I think some narrative liberty was justified, especially since Valve basically delegated triaging bug reports to HackerOne, but this relationship might not be immediately obvious to some readers. Suppose a nightclub contracts its bouncers from some security security firm. You get kicked out by the contract security guard. I think most people would think it's fair to characterize this situation as "the nightclub kicked me out" on a review or whatever.
It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports. It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
>It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports.
That was a typo on my side, should be "security".
>It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
For all intents and purposes getting your report marked as "informative" or whatever is the same as your report being rejected. To claim otherwise is just playing word games, like "it's not a bug, it's a feature". That's not to say that the OP is objectively correct that it's a security issue, but for the purposes of this argument what OP wrote (ie. 'Valve: "WontFix"' and Valve closed it as "Informative.") is approximately correct. If you contact a company to report a bug, and that company routes it to some third party support contractor (microsoft does this, I think), and the support contractor replies "not a bug, won't fix", it's fair to characterize that as "[company] rejected my bug report!", even if the person who did it was some third party contractor.
> If you contact a company to report a bug, and that company routes it to some third party support contractor
That is not what happened, though. You can contact Valve/Steam directly. They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
>They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
I don't know, the wording on their site suggests hackerone is the primary place to report security issues, not "if you want to get paid use hackerone, otherwise email us directly".
>For issues with Steam or with Valve hardware products, please visit HackerOne — https://hackerone.com/valve. Our guidelines for responsible disclosure are also available through that program.
No, you are correct, that is a HackerOne employee filtering the report before someone at Valve looks at it, a lot of companies have this set up and it's not great.
I would be surprised if responsible Valve staff would agree that this is not something they should fix at some point.
It's still on Valve though. They chose to delegate this and H1 basically becomes their voice here. I wish it was made more clear, but I don't think it's wrong.
That sounds to me like they're acknowledging that the feature doesn't work as advertised ("may not align with user expectations"), but also that it was reported as a exploit/security vulnerability, while it's actually a privacy leak. Maybe HackerOne isn't the right channel for reporting those issues?
