UPDATED 17:15 EDT / AUGUST 21 2015


SteamDB revisits its open letter to Valve on security practices for Steam

One year ago, fan-made Steam database website SteamDB wrote an open letter to Valve Corp. about problems with the way the Washington-based game company approached security on Steam. Now the letter's authors, who include members of the Steam gaming community, have revisited their original complaints, commending Valve for the changes it has made while also pointing out some of the areas in which it can still improve.

“Our purpose with this post is twofold,” wrote the letter’s authors. “We want to provide a coordinated piece of feedback to Valve specifically with regards to security. We also want to provide the wider developer, partner, & gamer communities with information about Valve’s advancements and present shortcomings, so those parties can take the available and appropriate steps necessary to protect themselves and their products.”

While the authors commend Valve for implementing a better tool for reporting vulnerabilities, they still criticize the lack of a “bug bounty” to incentivize the community to search for and report bugs and security vulnerabilities. Shortly before the letter was published, Valve released details about a Team Fortress 2 cosmetic item that would be given to users who reported bugs, but the letter’s authors say such an item does not live up to the types of incentives they believe are needed for Steam.

“We think that even a coherent economy item incentive program would be a lot better than having no incentive program at all – Valve have proven that rare economy items do hold a lot of value to some customers, after all,” the authors wrote. “The primary problem with economy item rewards, however, is that they alienate researchers who do not play the game for which the economy item rewards are offered – as far as we are aware, current economy item rewards are all unusual hats in Team Fortress 2; not very enticing for users who do not play Team Fortress 2.”

The authors of the letter did note other improvements, however, most notably the implementation of two-factor authentication, account phone numbers, and trade confirmation e-mails. They also pointed to Valve’s success in reducing the number of bots running phishing scams on Steam.

“Valve have made a great number of improvements with regards to the security of their products and customers over the last year, both in response to the points raised in our open letter and of their own volition,” the letter concludes.

“We still think Valve need to review their stance on incentives for reporting vulnerabilities, and we’re not quite sure how things stand with regards to Valve’s internal communication and communication with partners – the one example we have above, where we believe Valve failed to adequately communicate a security vulnerability, doesn’t give us enough data to make an objective observation on this point. Beyond those two points, we are happy with the work Valve has put in to security over the past year, and are excited to see what will happen in the coming year.”

Photo by Tim Dorr 
