Secunia vs VLC - Whose vulnerability is it anyway?
A dispute has erupted between Secunia and the developers of the VLC media player. In December 2012, Secunia released a security advisory for the VLC media player. The developers of the player responded by releasing a patch. However, Secunia says that the patch didn't fix the vulnerability, and that it is still contained in the current version, 2.0.7, of VLC. Now, the security firm has criticised the VLC developers in a blog post, saying that the developers had questioned the validity of the security advisory and threatened Secunia with legal action on 21 May 2013. The VLC developers have responded.
However, the developers still disagree with Secunia about how to rate the security hole. Jean-Baptiste Kempf wrote a personal blog post to defend himself against Secunia's statements, and spent hours debating the matter with other users on Reddit. Kempf explained that the security hole had been closed very quickly, but that Secunia refused to update its advisory.
VLC developer TypX, on the other hand, responded to Secunia's postings in a conciliatory and apologetic manner. The developer confirmed that a bug did exist but added that, in his view, the disclosure was "technically wrong".
TypX said that the vulnerability was fixed in the development version 2.1.0 of VLC, but that the changes hadn't been backported to the 2.0.x series – including 2.0.7. The developer writes that various factors had prevented him from doing so, and that the issue had then simply slipped his mind. TypX apologised to VLC users for his oversight. He also apologised on behalf of his colleagues, whom he had failed to keep informed.
(djwm)