Developers of the hugely popular open source media player VLC have released the largest patch of the project since it started in 2001 thanks to an EU-funded bug bounty program.
But despite the improvement in security provided by the bug bounties, VLC developers are ambivalent about the reward-based model they deal with “the usual security asshole”, “script kiddies” and scammers, according to the leader of the group behind VLC in Development .
VLC was one of 14 projects that received bug bounty support from the latest edition of the European Commission’s Free and Open Source Software Audit (FOSSA) project, announced in late 2018 by MEP Julia Reda of the German Pirate Party . The program supports open source projects that are widespread within the European Commission.
SEE: 10 tips for new cybersecurity professionals (free PDF)
So far the The program has attracted 309 bug reports from researchers, of which 130 were confirmed vulnerabilities. A total of 11 critical or fatal errors were discovered.
One of these fatal bugs was fixed in VLC version 3.0.7 released by VLC developers on Friday. It contains bug fixes for 33 security issues, one of which is a fatal bug in an MPEG decoder software library used by VLC. The library is no longer maintained.
This security-focused release is a good result for VLC users, and according to Jean-Baptiste Kempf, a senior developer at VLC and president of VideoLAN, which is responsible for VLC development, it was the largest security update the project has ever released.
VLC users should update to version 3.0.7 to avoid security risks from the bugs identified by the bug bounty.
Despite the benefits to VLC users of the EU-funded program, Kempf’s personal views on the value of bug bounty programs remain a “mixed bag”.
He describes himself as a “big critic” of bug bounties, mainly because the programs give money to security researchers or “random hackers”, but not the VLC project itself, which in the end is responsible for fixing the bug and distributing updates to the user is responsible.
Kempf said VLC gave “large extra bonuses for fixes deployed concurrently with problem discovery” to address the issue of internal resources required to deploy security fixes.
In fact, the bonus is part of the EU-FOSSA funding that specifically targets this resource issue. Researchers who find bugs can receive a 20 percent bonus on the base reward if they offer a solution.
In addition to his reservations about the incentive structure of bug bounties regarding open source projects, Kempf had some harsh words for the kind of researchers such programs attract. But also nice words for researchers like ele7enxxh, die Earned over € 13,000 ($ 14,700) from the VLC bug bounty of 13 valid security issues.
“We had a lot of different hackers, from the technically best to the worst: so many script kiddies and people telling us the VLC source code was visible … but also people who had a deep understanding of C, the stack and memory problems, “wrote Kempf.
“We had people from the usual security asshole to some of the nicest guys ever who really went out of their way to help us. And when they work with the nicest people, they often send patches to fix them too, ”he continued.
SEE: Can Russian hackers be stopped? So it can take 20 years (TechRepublic cover story) | Download the PDF version
Some of the reports were “beyond tasteless, offensive, impatient,” according to Kempf, and some hackers even tried to avoid bugs by reporting the same problem to VLC that they reported to Google’s better-funded Android bug bounty. which pays out millions of dollars every year.
But Kempf had an answer for the fraudulent reporters and a lesson for those who think only technical issues matter when reporting vulnerabilities through a bug bounty.
“The result is that when you don’t know how much to spend for a security problem (is it medium or low?)“You decide how nice the reporter is,” he wrote.