Remove VLC from the repo #12

Open
macdrai opened this issue Apr 15, 2021 · 3 comments

Comments

@macdrai

macdrai commented Apr 15, 2021

As much as I appreciate you compiling and shaming companies that threaten researchers, it is clear that the research team at Secunia were mostly interested in propping up their brand rather than actually researching and helping the open source project.

I understand that lawyering up is not the most optimal solution, but here, it is clearly a case where they are not actually pointing out a vulnerability, just trying to get a nice trophy and holding on to it as long as possible.

@attritionorg
Collaborator

"If you do not correct yourself in the next 24hours, we will therefore take judicial action."

That is a clear legal threat. Unfortunately the email that contains that is not well-written overall and it is difficult to figure out the actual full dialog between Secunia and VLC. Without that, we can only really go off what is available.

I'm not sure what the "nice trophy" refers to. Secunia, during that time period, had a group of researchers that routinely disclosed vulnerabilities in a wide variety of products and released advisories covering that information. If memory serves, they coordinated disclosure many times so it wasn't a policy to blindside vendors or only post advisories for attention, although that is certainly a side benefit after the fact for any company doing research.

@sickcodes
Collaborator

Looking at the vulnerability, it seems legitimate, https://web.archive.org/web/20161231113619/http://secunia.com/advisories/51464/

Release Date: 2012-12-12 Last Update: 2015-02-06 Views: 27,627
Secunia Advisory SA51464
Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system

https://trac.videolan.org/vlc/ticket/7860

VLC threatening legal action against, claiming this tweet was, "screenshot by a lawyer," https://twitter.com/Secunia/status/336497866308743169

I can see they ended up fixing it,

"If you do not correct yourself in the next 24hours, we will therefore take judicial action."

A lot has changed since 2013-05-22, namely the volume of vulnerability reports, so I think this should stay and reflects an older past-paced way of dealing with bugs. Threatening someone with legal action, while they could be on holidays, for example, is weird and should stay in the repo for sure.

If you agree, @macdrai, feel free to close the issue. I'll add the missing links too.

@sickcodes
Collaborator

1238522
