Biggest security update ever for VLC: thanks to security ‘assholes’ and ‘nice guys’ for finding bugs

A top contributor to the popular open source media player VLC slammed bug bounties and “security-assholes” after delivering the biggest set of security fixes in the project’s 18-year history, thanks largely to a European Commission-funded bug bounty.

VLC was among 14 open source projects to receive EU financial support to run a bug bounty program under the EC’s EU-FOSSA 2 initiative announced in January. The program was championed by Julia Reda, a member of the European Parliament from the German Pirate Party.   

VLC version 3.0.7, released over the weekend, addresses one high severity security issue, 21 medium severity and 20 low severity issues, including a range of memory flaws such as buffer overflows, out-of-bounds reads and a stack buffer overflow.

The bug bounties offer prize pools of between €25,000 and €90,000 and target open source programs that are widely used within the EC. EU-FOSSA 2 also provides researchers with a 20 percent bonus prize if they also provide a security fix, which is intended to offset concerns that just finding the bug in the first instance doesn’t provide open source projects with the resources to fix the bug.   

Jean-Baptiste Kempf, president of VideoLAN and a lead developer of VLC, said the extra-large security update in version 3.0.7 was a direct result of the EC-funded bug bounty, though he is still not a clear-cut fan of the idea of paying hackers to find bugs.