Videolan should fix the bug. Secunia should report the bug to ffmpeg. If the bug's fixed by a later version of ffmpeg then great, use a later version. If it's not, fix the bug, wait for ffmpeg to have a fixed update and off you go.
To give you a similar example, have a look at this post about the impact of vulnerabilities in third party libraries on commercial forensic products[1].
I would suspect that expert witnesses relying on this could have a case argued against them in court regarding the integrity of the application data and their processes if they're not prepared.
> Seems like the original vulnerability was in ffmpeg (VLC statically links to it). So in this case what should/can VideoLAN do?
I responded to the question. But to answer yours:
> Which one are you referring to?
Specifically the ffmpeg bug that Secunia reported that you claimed to fix, which wasn't quite correctly fixed, when you decided to go and stir up drama on the Internet and threaten Secunia with lawyers you don't have and can't afford.
That one.
And that it's fixed now is irrelevant. You made a dick move by threatening legal action without having anything to back it up and it's cost you a lot of goodwill no doubt by stirring it up.
You're missing a couple of steps in your timeline, specifically that the bug was fixed before Secunia's public disclosure, then Secunia ignored said fix, then claimed it wasn't fixed but provided no proof, then ignored VLC for months while claiming them to be uncooperative. Only then do they stir up this drama in a final attempt to get Secunia to either back up their claims or acknowledge their mistakes.
[1] - https://www.cert.org/blogs/certcc/2013/07/forensics_software...