VLC Release v3.0.7 With More Security Fixes Ever, All Thanks To Security *ss Holes Who Fixed It & The European Commission - TECH FOE

VideoLan has released VLC v3.0.7, which patches two high-severity security issues as part of the largest set of security fixes ever seen in the open source video player.

According to Jean-Baptiste Kempf, president of VLC-maker VideoLan, the number of fixes in the latest version of VLC is due to the EU-FOSSA bug bounty program, funded by the European Commission.

VideoLan was able to benefit from the European bug bounty program because it is a non-profit organization; it had earlier stated that it was unable to fund such a program of its own.

The bug bounty program discovered 2 high, 21 medium and 10 low security issues (33 in total), which were fixed in VLC v3.0.7.

Kempf said that the bug bounty program had "people ranging from the usual security-*sshole to some of the nicest guys ever, who cared deeply to help." He did, however, criticize bug bounty programs on the grounds that they give money to the "security *ss holes" who discover the bugs, while not funding the fix.

Here's an excerpt of what he said:

"If you've listened to some of my talks or spoke to me (I'm sorry for you), you know I'm a bit critical of those programs, because they give money to find the issues, not to fix them.

"'What about you give money to VLC instead of random hackers?'

"Well, Security is important, so this is cool for our users, but still this is a mixed bag, for me.

"So, in order to mitigate that, we gave large extra-bonuses for fixes provided at the same time as issues were found, to improve this problem."

The high-severity issue in the VLC 3.0 branch was caused by the faad2 library, an open source MPEG-4 and MPEG-2 AAC decoder, which Kempf said was "unmaintained unfortunately."

Kempf noted that the medium issues "should not be exploitable with ASLR, but are important anyway, because they can crash VLC." ASLR, or Address Space Layout Randomization, is an operating-system-level anti-exploitation technique that randomizes where code and data are placed in memory, so a memory-corruption bug is harder to turn into reliable code execution even though it can still crash the process.

Here's the report:

According to our scale, we have had 33 valid security issues fixed thanks to this program:
  • 2 high security issues (only one was present in 3.0.x),
  • 21 medium security issues,
  • 10 low security issues.

The 2 more important issues are an Out-of-Bound Write and a Stack Buffer Overflow.

The Out-of-Bound Write is not in the VLC codebase, but in a dependency of VLC, the faad2 library, unmaintained, unfortunately.

The Stack Buffer Overflow is a VLC 4.0-only issue in the new RIST module, and is therefore not impacting actual release of VLC.

The medium security issues are mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. Those issues should not be exploitable with ASLR, but are important anyway, because they can crash VLC.

The low security issues are mostly integer overflow, division by zero, and other out-of-band reads with no actual impact. Those issues are not exploitable.

The best hacker on the program was https://hackerone.com/ele7enxxh.
