This project has been sponsored by the European Commission as part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project, which is designed to improve the security of free software.
This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8-week period in order to allow for full evaluation of the impact of valid vulnerability reports.
While researching, we'd like to ask you to refrain from:
The main goal is to find important security issues that cannot be found with other approaches such as static analysis, dynamic analysis or fuzzing.
One of the core concepts of VLC is its modularity. As such, much of its attack surface lies in its numerous modules. Of particular interest are the various access libraries, demuxers, decoders, and filters. Those modules can depend on third-party libraries, but those libraries are out of scope (unless something major is found).
Vulnerabilities in VLC modules are eligible, providing:
The modules of interest would be therefore likely to be of the following types:
This means that the gui, control, stream_output, access_output, visualization, mux, video_splitter and spu folders are out of scope of this program. The same applies to most video_filters and audio_filters, which have a priority of 0 anyway.
Of course, very high profile security issues in any module can be reported through this program, but bounties are not guaranteed for them.
The PoC must work on the master branch of vlc.git (HEAD), or on the daily nightly build (4.0). The recommended versions to test are the 64-bit editions of VLC. Stable versions or older nightly builds are explicitly out of scope. Vulnerabilities that already have publicly available patches are not taken into account.
The PoC must work on the latest version of Windows, macOS or Linux, and the security features of the platform (ASLR, etc.) must not be disabled.
A PoC that works only with ASLR disabled will be rated lower in severity, but might still be accepted.
IMPORTANT: A crash in a format, even if it could be triggered over a network, will be considered a local crash/CE unless it can be launched from a network resource (a browser, for example) in the default VLC configuration. That is, a playlist that plays a file over HTTP is not considered RCE.
Crashes in the common formats, such as AVI, MP4 and MKV, and in the decoders/packetizers for H264, HEVC and AAC, are more likely to be raised in severity and/or reward. Crashes that apply to all inputs will receive the same treatment.
There is a 20% bonus for including a fix in the report, when accepted by the maintainers.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep VLC and our users safe!
If you have any questions or concerns about this Challenge, please contact tpm-firstname.lastname@example.org.