VLC



Policy



Appendix 1: Program Policy



Please note, this is the suggested starting policy language for the program. Based on responses from the community of bug hunters, changes may be made throughout the testing period. All changes are tracked via the platform, and may be viewed by anyone on the policy page. For an example of the tracked changes functionality, please visit: https://hackerone.com/security/policy_versions?change=3559261

Introduction



The European Parliament has approved budget to improve the EU’s IT infrastructure by extending the free software security audit programme (FOSSA) and by including a bug bounty approach in the programme.

The Commission intends to conduct a small-scale "bug bounty" activity on open-source software with companies already operating in the market. The scope of this action is to:

* run a small-scale "bug bounty" activity for an open source software project or library for a period of up to two months maximum;
* the purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;
* the process must be fully open to all potential bug hunters while staying in-line with the existing Terms of Service of the bug bounty platform.

Additional detail on the project's creation and process can be found here.
The open source software and libraries chosen for this initial program are described in the Scope section below. This program will be open for submissions for 6 weeks, though rewards may be processed beyond the 6 week period in order to allow for full evaluation of the impact of valid vulnerability reports.

Eligibility & Disclosure Policy



* Follow HackerOne's disclosure guidelines.
* Please provide detailed reports with reproducible steps demonstrating a plausible remote exploitation scenario. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
* The project maintainers have final decision on which issues constitute security vulnerabilities. We will respect their decision, and we ask that you do as well.

VLC & Goals



VLC is a very large and very widely used piece of software; because this is the first bounty program on VLC, we will limit the scope.

The main goal is to find important security issues that cannot be found with other approaches such as static analysis, dynamic analysis or fuzzing.

Scope



* Please see the Structured Scopes Section below.
* Only certain parts of VLC are in scope.
* All desktop platforms are covered by this program.
* We're not interested in vulnerabilities in our web site, but encourage you to look for vulnerabilities in the VLC app. Download @ https://wiki.videolan.org/Hacker_Guide/Core/

Description



VLC Core

* All vulnerabilities in the VLC core (libVLCcore, libVLC) are eligible for a bounty provided there is a plausible exploitation scenario. This means the `include/`, `lib/` and `src/` folders.

VLC Modules

* One of the core concepts of VLC is its modularity. As such, much of its attack surface exists in its numerous modules. Particularly of interest are the various access libraries, demuxers, decoders, and filters. Those modules can depend on 3rd party libraries, but those libraries are out-of-scope (unless something major is found).

Vulnerabilities in VLC modules are eligible, providing:

* Module is enabled in a standard configuration
* Module is loaded with VLC_MODULE_SCORE > 0
* A plausible exploitation scenario exists

The modules of interest are therefore likely to be of the following types:

* access (protocol handlers): `modules/access` folder
* codec (decoders): `modules/codec` folder
* demux (demuxers, aka format support): `modules/demux` folder
* hardware (hardware decoders/filters): `modules/hw` folder
* packetizer (between demuxers and decoders): `modules/packetizer` folder
* text_renderer (text to image): `modules/text_renderer` folder
* stream_filter and stream_extractor: `modules/stream_filter` and `modules/stream_extractor` folders
* services_discovery (network discovery): `modules/services_discovery` folder
* video_chroma (raw video format conversions): `modules/video_chroma` folder
* audio converters (raw audio format conversions): `modules/audio_filter/channel_mixer` and `modules/audio_filter/converters` folders

Less likely, but `modules/logger/` and `modules/misc/xml/` could be targeted too.

This means the gui, control, stream_output, access_output, visualization, mux, video_splitter and spu folders are explicitly out of scope of this program. This is also true of most video_filters and audio_filters, which have a priority of 0 anyway.

Of course, very high profile security issues in all modules could be reported through this program, but bounties are not guaranteed.

PoC details

The PoC must work on the master branch of vlc.git, or on the daily nightly build. The recommended versions to test are the 64-bit editions of VLC. Stable versions and older nightly builds are explicitly out of scope.

The PoC must work on the latest version of Windows, macOS or Linux, and the security features of the platform (ASLR, etc.) must not be disabled.

Rewards



Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve.

Bounty Table

| SEVERITY | CVSS SCORE | REWARD |
|----------|------------|--------|
| Critical | 9.0 - 10.0 | *$2000 |
| High     | 7.0 - 8.9  | *$750  |
| Medium   | 4.0 - 6.9  | *$300  |
| Low      | 0.1 - 3.9  | *$100  |

Critical severity bugs - minimum $2000:

* Remote Code Execution

High severity bugs - minimum $750:

* Code Execution without user intervention

Medium severity bugs - minimum $300:

* Code Execution with user intervention
* High-impact Crashes
* Infinite loops

Low severity bugs - minimum $100:

* Information leaks
* Crashes
* OOM

Extra information about Bounties



Depending on the case, the severity can be raised.

Crashes in common formats such as AVI, MP4 and MKV, and in the decoders and packetizers for H264, HEVC and AAC, are more likely to be raised in severity and/or reward. Crashes that apply to all inputs will receive the same treatment.

A crash in a format, even if it could be triggered over a network, will be considered a local crash/code execution, unless it can be launched from a network resource (a browser, for example) in the default VLC configuration.

Very important and clever bugs may be rewarded with an extra payment in BTC (up to 0.1).

Swag



If you want some VLC swag (t-shirts, stickers), don't hesitate to ask.


About the Program



The VLC program is Public



All Hackers are encouraged to participate in our program.

Our bounty policy



Qualified security vulnerabilities will be rewarded based on severity and impact, to be determined by the VLC security team. Rewards may range from $100 up to $3,000. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at VLC's sole discretion.