
VLC threatens to sue Secunia over full disclosure - D3c4ff
https://secunia.com/blog/372/
======
Maxious
VLC/Jean-Baptiste Kempf rebuttal: [http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia](http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia)

Comments on rebuttal ask "why don't they provide you with working exploit? (in
example EIP = 0x41414141)"

So someone claims they did, attaching an example mkv file?
[http://seclists.org/fulldisclosure/2013/Jul/71](http://seclists.org/fulldisclosure/2013/Jul/71)
[https://twitter.com/coolkaveh/status/354716804783943680](https://twitter.com/coolkaveh/status/354716804783943680)

~~~
mariusmg
That screenshot doesn't really prove anything. I mean... I can't even tell if
it's the latest VLC version.

Anyway... interesting debate about statically linked libraries. Seems like the
original vulnerability was in ffmpeg (VLC statically links to it). So in this
case what should/can VideoLAN do?

~~~
maaaats
One can argue that for a user it doesn't matter if it's ffmpeg, VLC or
something else that's buggy. A user is installing VLC, has probably no
knowledge of what ffmpeg is, and it's the use of VLC that exposes the user to
the security bug.

As such, it's VLC's responsibility to not ship a product that may harm a user's
computer, even if the error is not in their code.

~~~
jbk
All the known vulnerabilities have been fixed. Which one are you referring to?

~~~
maaaats
None in particular, just the general concept that you are responsible for all
the parts in the end product, even if not made by you.

~~~
jbk
Oh, yes, we agree on that. Which is why we patched FFmpeg for the SWF issue.

------
janerik
Discussion here:
[https://news.ycombinator.com/item?id=6015509](https://news.ycombinator.com/item?id=6015509)

Also see the response from VLC: [http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia](http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia)

------
Tobu
> VLC threatens to sue Secunia over full disclosure

Not full disclosure at all, just security claims that no one can back up.

------
lucb1e
As far as I knew VLC is an open-source project. It completely replaced any
other media players I used as it worked great and was free. I believed they
finally made a great open-source media player. Now they're threatening to sue
some company. What the hell, where do they even get the resources? And why do
they need to sue anyone anyway? I'm not sure I like VLC as much anymore...

~~~
Rantenki
As it is an open source project, and they obviously have some internal
communications issues at VLC, it is likely that you would get a different
response and opinion about this depending on who at VLC you talked to. They
don't have a traditional legal/PR/management structure, so they're naturally
going to be more chaotic when dealing with things.

This isn't necessarily a bad thing, they're probably more resilient as well
due to that loosely coupled structure, it just means that sometimes you get
inconsistent communications, sometimes about important topics. It would be a
mistake to think that VLC has some underlying dislike of vulnerability reports
or an aversion to fixing known bugs, and I would be really surprised if
counsel has been retained (or has vetted) this 'plan' to sue.

------
anExcitedBeast
Surprisingly childish behavior from both companies. Stop trying to embarrass
each other and spend thirty minutes on the phone like adults.

~~~
parfe
Neither VideoLAN nor VLC is a company.

~~~
anExcitedBeast
True, thanks.

------
callesgg
Secunia has in my eyes never been a particularly nice company. This just seems
silly.

------
erikb
Well, maybe VLC did something wrong, or maybe not. How can we say that simply
from that article? The only things I can see for sure are (A) that Secunia
failed to communicate their issues to VLC and (B) that Secunia seems to
consider their own policies as god-given laws which all other companies must
abide by as well. Both points don't seem all too convincing.

------
tzs
This is a dup (with a / appended to the URL) from yesterday, which already had
discussion:

[https://news.ycombinator.com/item?id=6015509](https://news.ycombinator.com/item?id=6015509)

------
theboss
Well VLC does have a case for libel if they were to take secunia to court.
Would be interesting to see.

------
jokoon
why should secunia feel so insulted ?

why shouldn't secunia work with him about the exploit ?

------
kwestro
To Secunia: Law 101. Don't talk about incidents when you're being sued. Wide
open grounds for incrimination.

------
jezfromfuture
More lies...

~~~
brazzy
From whom? To me, Secunia seems to be acting much more mature and in good
faith here.

~~~
jbk
[https://news.ycombinator.com/item?id=6019172](https://news.ycombinator.com/item?id=6019172)

------
Glyptodon
If this is an ffmpeg bug why is VLC in the middle?

~~~
jbk
Because VLC uses ffmpeg for some codec modules.

~~~
vinhboy
Thank you for working on VLC. It's great software.

But I have to ask, why is it so important to VLC, or you, that Secunia take
down their advisory? Does it really affect VLC negatively?

~~~
jbk
That is a great question.

Because we receive a LOT of emails, from PSI users and from clueless users
telling us that our software is insecure. This is a lot of support load and
takes quite a bit of time.

------
ExpiredLink
Seems to be a clever marketing campaign by Secunia. Exploit an OS project to
promote your own company. Make noise. Clever!