A top contributor to the popular open source media player VLC slammed bug bounties and "security-assholes" after delivering the biggest set of security fixes in the project's 18-year history, thanks largely to a European Commission-funded bug bounty.
VLC was among 14 open source projects to receive EU financial support to run a bug bounty program under the EC’s EU-FOSSA 2 initiative announced in January. The program was championed by Julia Reda, a member of the European Parliament from the German Pirate Party.
VLC version 3.0.7, released over the weekend, addresses one high severity security issue, 21 medium severity and 20 low severity issues, including a range of memory flaws such as buffer overflows, out-of-bounds read violations and a stack buffer overflow.
The bug bounties offer prize pools of between €25,000 and €90,000 and target open source programs that are widely used within the EC. EU-FOSSA 2 also provides researchers with a 20 percent bonus prize if they also provide a security fix, which is intended to offset concerns that just finding the bug in the first instance doesn’t provide open source projects with the resources to fix the bug.
Jean-Baptiste Kempf, president of VideoLAN and a lead developer of VLC, said the extra-large security update in version 3.0.7 was a direct result of the EC-funded bug bounty, though he's still not a clear-cut fan of the idea of paying hackers to find bugs.
Nonetheless, the VLC bounty demonstrated the common open source problem created by vulnerabilities in software libraries or components, called ‘dependencies’, that are used within projects. The high severity issue in the VLC 3.0 branch was caused by the faad2 library, an open source MPEG-4 and MPEG-2 AAC decoder, which Kempf noted is “unmaintained, unfortunately”.
The medium security issues “should not be exploitable with ASLR, but are important anyway, because they can crash VLC,” he noted. ASLR, or Address Space Layout Randomization, is an operating system-level anti-exploitation technique that randomizes where code and data are placed in memory; it makes memory corruption bugs harder to turn into reliable code execution, but it does nothing to stop the malformed input from crashing the player.
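To make the distinction concrete, the following added example (not VLC or faad2 code, and using a chunk layout constructed for illustration rather than any real AAC or MP4 structure) shows the class of length-field bug behind the overflows and out-of-bounds reads listed above: a decoder that trusts a size read from the stream, beside the hardened form that validates that size against both the bytes actually present and the destination buffer before copying. The function names, the `MAX_FRAME` constant and the sample chunks are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAME 8   /* destination buffer size used by the demo parsers (assumed) */

/* Constructed chunk layout for this example (NOT a real AAC/MP4 structure):
 *   byte 0      : chunk type
 *   byte 1      : payload length N, as written in the stream
 *   bytes 2..N+1: payload
 */

/* Vulnerable pattern: the length field is taken from the stream and never
 * checked against the input size or the destination. A malformed chunk can
 * read past the input (out-of-bounds read) or write past 'out' (a stack
 * buffer overflow when 'out' lives on the stack). With ASLR this is mostly a
 * crash rather than a reliable code-execution path, which is exactly the
 * "medium" class the article describes. Shown only for contrast; the demo
 * below never feeds it malformed data. */
static int parse_chunk_unchecked(const uint8_t *buf, uint8_t *out)
{
    uint8_t type = buf[0];
    uint8_t len = buf[1];
    memcpy(out, buf + 2, len);
    return type;
}

/* Hardened form: every size derived from the stream is validated against
 * both the bytes actually present and the destination capacity before the
 * copy. Returns the payload length on success, -1 on malformed input. */
static int parse_chunk_checked(const uint8_t *buf, size_t buflen,
                               uint8_t *out, size_t outlen)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                      /* header itself is incomplete */
    size_t len = buf[1];
    if (len > buflen - 2)
        return -1;                      /* would read beyond the input */
    if (len > outlen)
        return -1;                      /* would write beyond the destination */
    memcpy(out, buf + 2, len);
    return (int)len;
}

/* Constructed sample chunks. */
static const uint8_t WELL_FORMED[] = { 0x01, 0x04, 'A', 'A', 'C', '!' };
static const uint8_t TRUNCATED[]   = { 0x01, 0x10, 'A', 'A' };   /* claims 16 bytes, carries 2 */
static const uint8_t OVERSIZED[]   = { 0x01, 0x0C, 1, 2, 3, 4, 5, 6,
                                       7, 8, 9, 10, 11, 12 };     /* 12 bytes > MAX_FRAME */

int demo_well_formed(void)
{
    uint8_t out[MAX_FRAME];
    return parse_chunk_checked(WELL_FORMED, sizeof WELL_FORMED, out, sizeof out);
}

int demo_truncated(void)
{
    uint8_t out[MAX_FRAME];
    return parse_chunk_checked(TRUNCATED, sizeof TRUNCATED, out, sizeof out);
}

int demo_oversized(void)
{
    uint8_t out[MAX_FRAME];
    return parse_chunk_checked(OVERSIZED, sizeof OVERSIZED, out, sizeof out);
}

/* The unchecked parser behaves identically on well-formed input, which is
 * why such bugs survive ordinary testing: only hostile lengths expose them. */
int demo_unchecked_well_formed(void)
{
    uint8_t out[MAX_FRAME];
    return parse_chunk_unchecked(WELL_FORMED, out);
}

int main(void)
{
    printf("well-formed : %d\n", demo_well_formed());          /* 4  */
    printf("truncated   : %d\n", demo_truncated());            /* -1 */
    printf("oversized   : %d\n", demo_oversized());            /* -1 */
    printf("unchecked ok: %d\n", demo_unchecked_well_formed()); /* 1  */
    return 0;
}
```

The two rejections in the checked parser map onto the two bug classes in the release: the first guard prevents reading beyond the input (an out-of-bounds read), the second prevents writing beyond the destination (a buffer overflow). Fuzzing a decoder with randomly mutated length fields is the usual way such missing checks are found, and a fix of this shape is what the EU-FOSSA bonus for "also providing a fix" rewards.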
Though the bug bounty allowed VLC to improve user security, Kempf acknowledges that he’s been critical of them “because they give money to find the issues, not to fix them.”
He still considers bug bounties a “mixed bag” for himself, but added that the project gave “extra bonuses” to researchers who delivered a fix too.
And he holds a pretty dim view of some of the “script kiddies” who participated in the bug bounty. On one hand, he admits it did attract real security talent, but it also drew “the usual security-asshole” as well.
“During this program, we've had a lot of different hackers, from the best to the worst technically: so many script-kiddies, and people telling us that the VLC source code was visible... but also people who had deep understanding of C, of the stack and of memory issues,” Kempf wrote.
“We've had people ranging from the usual security-asshole to some of the nicest guys ever, who cared deeply to help us. And when working with the nicest people, they often send patches to fix too.
“At the opposite, some reporters were more than distasteful, insulting, impatient, trying to get 2 times the bounty for the same bug, or even reporting the issues to other programs (Android one) to get more money.”
Due to the project’s relative inexperience in triage and assessing the impact of security bugs, Kempf said the project used another indicator to determine payments: the report’s niceness.
“The result of that, is that when you don't know how much to award for a security issue (is it medium or low?), you decide on the niceness of the reporter.”
Kempf said the best hacker VLC found through the program was "ele7enxxh" on HackerOne's third-party bug bounty platform. The hacker picked up €13,260 from VLC's EU-funded bug bounty.