This is a rather strange story.
While a lot of the blame falls on HackerOne, who seemingly decided that Valve did not need to know about this exploit, responsibility definitely also falls on Vasily Kravets for seemingly not making any attempts at contacting Valve outside of the HackerOne bug bounty program. Valve has had means of reporting security issues long before they setup that bug-bounty program:
If the public security program is inapplicable to your situation, then you may instead send email describing the issue to
[email protected]. If you feel the need, please use our public key to encrypt your communications with us.
https://www.valvesoftware.com/el/security
But while this definitely needs to be fixed, it does requires that you run malicious code on your PC.
And if that happens then you are already boned, regardless of whether or not the program can perform a privilege escalation.
A malicious program running in user-space has access to everything that you have access to, including all the cookies that keep you logged in on websites, any credentials stored by software you use, and any (personal) documents, photos, and other files you have stored on your PC, and much more. An unprivileged piece of software can easily encrypt all your personal files and demand payment before unlocking them (aka. random-ware). An unprivileged malicious program can also do stuff like running bitcoin miners, spy on your browsing habits, and perform a slew of other nefarious actions.
And this applies to both Windows and Linux users.
