Latest media player release includes more security fixes than ever

More than 30 security issues have been fixed in VLC, the popular open source media player, with developers praising an EU-funded bug bounty program for helping produce its most secure update yet.

VLC media player, created by the software non-profit VideoLAN, was found to have 33 vulnerabilities within various versions, including two that were considered critical.

An out-of-bounds write was one of the severe vulnerabilities found to affect all VLC versions, and a stack buffer overflow was also discovered in VLC 4.0.

Less severe vulnerabilities consisted of out-of-band reads, heap overflows, NULL-dereference, and use-after-free bugs.

An updated version, VLC 3.0.7, has since been released for users to download.

“This release is a bit special, because it has more security issues fixed than any other version of VLC,” Jean-Baptiste Kempf, one of the lead developers of VLC, said in a blog post (non-HTTPS link) on Friday.

“This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program.”

The Free and Open Source Software Audit (EU-FOSSA) project was created in 2014 to help improve the security and accessibility of crucial internet technologies such as OpenSSL.

In January, the European Commission began funding 15 bug bounty programs for open source software projects, determined by an EU-led inventory and a public vote on which projects are the most accessed by users across the web.

VLC served as the EU’s initial test bed in 2017, with a total bounty budget of €60,000 ($67,8500) hosted via HackerOne.

Since then, 15 bug bounty programs have launched for open source software projects such as Apache Tomcat and KeePass password manager.

FileZilla was the final open source platform to join the initiative, offering up €5,000 ($5,700) for critical flaws such as remote code execution.

Offering a personal take on bug bounties in 2019, Kempf highlighted some of the difficulties of awarding cash prizes based on the type of security issue.

He said: “During this program, we’ve had a lot of different hackers, from the best to the worst technically – so many script-kiddies, and people telling us that the VLC source code was visible... but also people who had deep understanding of C, of the stack, and of memory issues.

“The result of that is that when you don’t know how much to award for a security issue (is it medium or low?), you decide [based] on the niceness of the reporter.”

The EU-FOSSA bug bounty project is due to end in 2020, according to the contracts listed for each software project.



RELATED EU primes open source bug bounty effort