Yeah, not recent news (21 July 2014), but it's interesting for discussion.
Basically the community of developers who work with Steam and Steamworks was angry with Valve because their security support was ... very bad.
Lack of information, no support, there was even a case in which a developer was banned after having reported an issue, so the situation was (is?) tragic and shameful:
http://steamdb.info/blog/47/
It's important to note that people who are not in the security scene may have some problems with both the reporting and the evaluation of the reports, because they are not used to communicating as expected. So a good bug in a wrong report may cause a wrong response. Moreover, with games it's easy to get confused, so it may be Valve's fault, or maybe not, or maybe a partial fault.
Personally I have no complaints regarding their response (in terms of time and details) to my bug reports.
In response to that letter, and by coincidence after two of my reports (one of which was not reported to them before the release), Valve decided to open a web page with a PGP key and information about how to report Steam-related security issues:
http://www.valvesoftware.com/security
No bug bounty, so all you will get is a "thanks" and your name in the changelog or in the hall-of-fame, just as happened many years ago, before all the big social networks started to introduce bug bounties.
I reported, report and will report to Valve the security issues affecting "some" parts of Steam because I'm paid to do that.
For stuff that is not covered by my job I will continue with full-disclosure as I usually do, so without contacting the vendor before the public release.
Valve page for Steam security reports