Bug bounty drives VLC's biggest patch but attracts 'a-holes, scriptkiddies, scammers'

A top developer of open-source media player VLC and critic of bug bounties shares lessons learned.
Written by Liam Tung, Contributing Writer

Developers of the hugely popular open-source media player, VLC, have released the project's biggest patch since launching in 2001, thanks to an EU-funded bug-bounty program. 

But despite improving security through the bug bounties, VLC developers are ambivalent about the reward-based model, which left them dealing with "the usual security-asshole", "script-kiddies" and scammers, according to the head of the group behind VLC development.

VLC was one of 14 projects to receive bug-bounty support from the European Commission's latest edition of the Free and Open Source Software Audit (FOSSA) project, announced in late 2018 by Julia Reda, Member of the European Parliament for the German Pirate Party. The program supports open-source projects that are widely used within the European Commission.


So far the program has attracted 309 bug reports from researchers, 130 of which were confirmed security vulnerabilities. A total of 11 critical or high-severity bugs have been discovered. 

One of those high-severity bugs was fixed in VLC version 3.0.7, released on Friday by VLC developers. It contains fixes for 33 security issues, one of which is a high-severity flaw in an MPEG decoder software library used by VLC. The library is no longer maintained.    

That security-focused release is a good result for VLC users and, according to Jean-Baptiste Kempf, a lead developer of VLC and president of VideoLAN, the organization responsible for VLC development, it was the biggest security update the project has ever released.

VLC users should update to version 3.0.7 to avoid security risks from the bugs identified through the bug bounty.    

Despite the benefit to VLC users from the EU-funded scheme, Kempf's personal views about the value of bug-bounty programs remain a "mixed bag".

He describes himself as a "big critic" of bug bounties, primarily because the programs give money to security researchers or "random hackers" but not the VLC project itself, which in the end is responsible for fixing the bug and distributing updates to users. 

Kempf said VLC "gave large extra-bonuses for fixes provided at the same time as issues were found" to address the problem of in-house resources required to deliver security fixes. 

That bonus is in fact part of the EU FOSSA funding and was designed specifically to address this resource issue: researchers who find bugs can get a 20 percent bonus on the base reward if they also provide a fix.

Besides his reservations about the incentive structure of bug bounties with respect to open-source projects, Kempf had some harsh words for the type of researcher such programs attract, but he also had kind words for researchers like ele7enxxh, who earned over €13,000 ($14,700) from the VLC bug bounty for 13 valid security issues.

"We've had a lot of different hackers, from the best to the worst technically: so many script-kiddies, and people telling us that the VLC source code was visible... but also people who had a deep understanding of C, of the stack and of memory issues," wrote Kempf. 

"We've had people ranging from the usual security-asshole to some of the nicest guys ever, who cared deeply to help us. And when working with the nicest people, they often send patches to fix too," he continued. 


Some of the reports, according to Kempf, were "more than distasteful, insulting, impatient", and some hackers even tried to double-dip by reporting to VLC the same issue they had already reported to Google's better-funded Android bug bounty, which pays out millions of dollars every year.

But Kempf did have an answer to the scammy reporters and a lesson for those who think only technical issues matter when reporting vulnerabilities through a bug bounty.

"The result of that is that when you don't know how much to award for a security issue (is it medium or low?), you decide on the niceness of the reporter," he wrote. 
