Severity
According to our scale, we have had 33 valid security issues fixed thanks to this program:
- 2 high security issues, (only one was present in 3.0.x),
- 21 medium security issues,
- 10 low security issues.
The 2 more important issues are an Out-of-Bound Write and a Stack Buffer Overflow.
the Out-of-Bound Write is not in the VLC codebase, but in a dependency of VLC, the faad2 library, unmaintained, unfortunately.
the Stack Buffer Overflow is a VLC 4.0-only issue in the new RIST module, and is therefore not impacting actual release of VLC.
The medium security issues are mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. Those issues should not be exploitable with ASLR, but are important anyway, because they can crash VLC.
The low security issues are mostly integer overflow, division by zero, and other out-of-band reads with no actual impact. Those issues are not exploitable.
The best hacker on the program was https://hackerone.com/ele7enxxh.
Opinion about bug bounties
What follows is my personal opinion about those bug bounties programs, and is not VideoLAN’s point-of-view.
Usefulness
If you’ve listened to some of my talks or spoke to me (I’m sorry for you), you know I’m a bit critic of those programs, because they give money to find the issues, not to fix them.
What about you give money to VLC instead of random hackers?
Well, security is important, so this is cool for our users, but still this is a mixed bag, for me.
So, in order to mitigate that, we gave large extra-bonuses for fixes provided at the same time as issues were found, to improve this problem.
Hackers
During this program, we’ve had a lot of different hackers, from the best to the worst technically: so many script-kiddies, and people telling us that the VLC source code was visible… but also people who had deep understanding of C, of the stack and of memory issues.
But I would like to focus a bit more on the type of reporter we’ve seen.
We’ve had people ranging from the usual security-asshole to some of the nicest guys ever, who cared deeply to help us. And when working with the nicest people, they often send patches to fix too.
At the opposite, some reporters were more than distasteful, insulting, impatient, trying to get 2 times the bounty for the same bug, or even reporting the issues to other programs (Android one) to get more money.
The result of that, is that when you don’t know how much to award for a security issue (is it medium or low?), you decide on the niceness of the reporter :)
Thanks
In the end, I’d like to thank the European Commission, Julia Reda, the nice hackers and the people from the team who fixed all those bugs!