Hello everyone,
I'm Derek from OSTIF and we are an org that helps open source projects with their security, for free. We have a long track record and a lot of experience under our belts working on everything from huge projects like Git to smaller projects like VeraCrypt. We publish all of our work on our website so feel free to Google us and look at our catalog. (I won't post URLs for fear of the mighty spambot hammer.)
I've used VLC for my entire adult life. It was my first (or maybe second if we are counting WinZip) open source project that I ever encountered, and it opened me up to the idea of free and open source software. It's always had a special place in my heart and I've always wanted to contribute back.
I feel privileged to be in that position now.
OSTIF has secured the resources to work on helping VLC improve its security posture. We've had some trouble reaching out through the VideoLAN org and Github so I thought I'd try here.
We have a plan with what we'd like to help with based on our expertise and what we think that VLC could benefit from the most. The highlights are:
1. Taking a look at how VLC is built and distributed and looking for improvements to help VLC resist tampering with builds when they are built/shipped.
2. Taking a look at how we can improve testing in VLC to help with memory safety in meaningful ways (building out more fuzz testing).
I want to make sure that we have the support of the community for these ideas and that we can work together to make VLC even safer for all of us. We are more than happy to take feedback and input as to what we can do to help VLC shine for many more years.
I will check this post frequently as the work begins soon. I can also be reached via my org email which includes all of the letters of my first name + shift 2 + our domain. (I hate AI spam)
I hope this is really helpful for VideoLAN and VLC!