Even corporate drones will change their ways given enough incentive. Steam Patches LPE Vulnerabilities in Beta Version Update. (Just for clarity: Valve is a corporation. Steam is a product they produce.)
Valve didn’t think that Local Privilege Escalation (LPE) bugs were actually problems. They didn’t see them as problems that needed to be fixed or paid for, and certainly not as problems anyone should publicize. (Everyone else does think they’re a problem: OWASP’s Top 10 ranks Broken Access Control at number 5, and Microsoft patches a batch of elevation-of-privilege bugs every month.) Two researchers had their reports closed after Valve said “Not a problem.” So why stop people from reporting a non-problem? One of the two was banned from the program, so he simply released his second zero day into the wild, complete with Proof of Concept code. (That makes it easier for attackers to exploit.)
So after getting roasted for about 2 days, Valve finally said “Uncle.”
They started by releasing a “fix.” Turns out their fix needs a fix, but they are trying. (Very trying.)
Valve also admitted that dismissing the bug reports was a mistake and updated its HackerOne policy so that LPE vulnerabilities now fall within the scope of its bug bounty program.
There is nothing like getting hammered in the press for a few days to get the attention of even the folks in Mahogany Row.
In the words of John McClane from Die Hard, “Welcome to the party, Pal!”