Introduction

This project has been sponsored by the European Commission as part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project designed to improve the security of free software.

This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8 week period in order to allow for full evaluation of the impact of valid vulnerability reports.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.
• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Please provide detailed reports with reproducible steps demonstrating a plausible exploitation scenario.
• If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• The project maintainers have final decision on which issues constitute security vulnerabilities. We will respect their decision, and we ask that you do as well.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of staff or contractors

VLC & Goals

The main goal is to find important security issues, that cannot be found with other approaches like static analysis, dynamic analysis or fuzzing.

Scope

• Only the VLC main application and libVLC are in scope.
• All desktop platforms are in scope.
• For Android and iOS platforms, only the core modules are in scope (aka the C ones).
• Please see the Structured Scopes Section in the description as only certain parts of VLC are in scope.

Out of Scope

• VideoLAN infrastructure, websites, updaters, crash-reporters and forums are out of scope.

Description

VLC Core

• All vulnerabilities in the VLC core (libVLCcore, libVLC) are eligible for a bounty provided there is a plausible exploitation scenario. This means include/ lib/ src/ folders.

VLC Modules

One of the core concepts of VLC is its modularity. As such, much of its attack surface exists in its numerous modules. Particularly of interest are the various access libraries, demuxers, decoders, and filters. Those modules can depend on 3rd party libraries, but those libraries are out-of-scope (unless something major is found).

Vulnerabilities in VLC modules are eligible, providing:

• Module is enabled in a standard configuration
• Module is loaded with 'VLC_MODULE_SCORE > 0' see the set_capability line
• A plausible exploitation scenario exists

The modules of interest would be therefore likely to be of the following types:

• access (protocol handlers) modules/access folder (including the ones with 0 score)
• codec (decoders) modules/codec folder
• demux (demuxers, aka format support) modules/demux folder
• hardware (hardware decoders/filters) modules/hw folder
• packetizer (between demuxers and decoders) modules/packetizer folder
• text_renderers (text to image) modules/text_renderer folder
• stream_filters and stream_extractors modules/stream_filters and modules/stream_extractor folders
• services_discovery (network discovery) modules/service_discovery folder
• video_chroma (raw video format conversions) modules/video_chroma folder
• audio_converters (raw audio format conversions) modules/audio_filter/channel_mixer and * * modules/audio_filter/converters folders.
• Unlikely, but modules/logger/, modules/misc/xml/ could be targeted too.

This means gui, control, stream_output, access_output, visualization, mux, video_splitter, spu folders are out of scope of this program. This is true also of most video_filters and audio_filters, which have a priority of 0 anyway.

Of course, very high profile security issues in all modules could be reported through this program, but bounties are not guaranteed.

PoC details

The PoC must work on the master branch of vlc.git (HEAD), or the daily nightly build (4.0). The recommended versions to test are the 64bit editions of VLC. Stable versions or older nightly builds are explicitly out of scope. Vulnerabilities that have patches available publicly are not taken in account.

The PoC must work on the latest version of Windows, macOS, Linux, and the security features of the platform (ASLR, etc.) must not be disabled.

PoC that works only with ASLR disabled will be denoted in severity, but might be accepted.

Rewards

Critical severity bugs - €5000:

• Remote Code Execution

High severity bugs - €2500:

• Code Execution without user intervention

Medium severity bugs - €1000:

• Code Execution with user intervention
• High-impact Crashes
• Infinite loops

Low severity bugs - €250:

• Information leaks
• Crashes
• OOM

IMPORTANT: A crash in a format, even if that could be triggered over a network, will be considered a local crash/CE, unless it can be launched from a network resource (a browser, for example) in the default VLC configuration. Meaning, a playlist running a file over HTTP is not considered as RCE.

Format Bonus

Crashes in the common formats, like AVI, MP4, MKV and decoders/packetizer of H264, HEVC and AAC are more likely to be raised in severity and/or rewards. Crashes that apply to all inputs will receive the same treatment.

Bonus

There is a 20% bonus for including a fix in the report, when accepted by the maintainers.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep VLC and our users safe!

If you have any questions or concerns on this Challenge, please contact [email protected].