Steam Windows Client Local Privilege Escalation 0day

Found on Amonitoring on Thursday, 08 August 2019

45 days have passed since the initial report, so I want to publicly disclose the vulnerability. I hope this will prompt Steam developers to make some security improvements.

This article was ready for publication by July 30 (this date was chosen due to the 45-day deadline since the initial vulnerability report was sent). So, two weeks after my message, which was sent on July 20, a person appeared who told me that my report was marked as not applicable; they closed the discussion and wouldn’t offer any explanation to me. Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report.

If it is a vulnerability, Steam should acknowledge it, fix it and reward the guy. If it is not a vulnerability, then there cannot be any harm done by the discloser, because, well, it is not a bug.