Open macdrai opened 3 years ago
"If you do not correct yourself in the next 24hours, we will therefore take judicial action."
That is a clear legal threat. Unfortunately the email that contains that is not well-written overall and it is difficult to figure out the actual full dialog between Secunia and VLC. Without that, we can only really go off what is available.
I'm not sure what the "nice trophy" refers to. Secunia, during that time period, had a group of researchers that routinely disclosed vulnerabilities in a wide variety of products and released advisories covering that information. If memory serves, they coordinated disclosure many times so it wasn't a policy to blindside vendors or only post advisories for attention, although that is certainly a side benefit after the fact for any company doing research.
Looking at the vulnerability, it seems legitimate, https://web.archive.org/web/20161231113619/http://secunia.com/advisories/51464/
Release Date: 2012-12-12
Last Update: 2015-02-06
Views: 27,627
Secunia Advisory SA51464
Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.
https://trac.videolan.org/vlc/ticket/7860
VLC threatened legal action over it, claiming this tweet was "screenshot by a lawyer": https://twitter.com/Secunia/status/336497866308743169
I can see they ended up fixing it,
"If you do not correct yourself in the next 24hours, we will therefore take judicial action."
A lot has changed since 2013-05-22, namely the volume of vulnerability reports, so I think this should stay and reflects an older fast-paced way of dealing with bugs. Threatening someone with legal action, while they could be on holidays, for example, is weird and should stay in the repo for sure.
If you agree, @macdrai, feel free to close the issue; I'll add the missing links too.
As much as I appreciate you compiling and shaming companies that threaten researchers, it is clear that the research team at Secunia was mostly interested in propping up their brand rather than actually researching and helping the open source project.
I understand that lawyering up is not the most optimal solution, but here, it is clearly a case where they are not actually pointing out a vulnerability, just trying to get a nice trophy and holding on to it as long as possible.