> Seems like the original vulnerability was in ffmpeg (vlc statically links to it). So in this case what should/can videolan do ?
I responded to the question. But to answer yours:
> Which one are you referring to?
Specifically the ffmpeg bug that Secunia reported that you claimed to fix, which wasn't quite correctly fixed, when you decided to go and stir up drama on the Internet and threaten Secunia with lawyers you don't have and can't afford.
That one.
And that it's fixed now is irrelevant. You made a dick move by threatening legal action without having anything to back it up and it's cost you a lot of goodwill no doubt by stirring it up.
You're missing a couple steps in your timeline, specifically that the bug was fixed before Secunia's public disclosure, then Secunia ignored said fix, then claimed it wasn't fixed but provided no proof, then ignored VLC for months while claiming them to be uncooperative. Only then do they stir up this drama in a final attempt to get Secunia to either back up their claims or acknowledge their mistakes.
> Seems like the original vulnerability was in ffmpeg (vlc statically links to it). So in this case what should/can videolan do ?
I responded to the question. But to answer yours:
> Which one are you referring to?
Specifically the ffmpeg bug that Secunia reported that you claimed to fix, which wasn't quite correctly fixed, when you decided to go and stir up drama on the Internet and threaten Secunia with lawyers you don't have and can't afford.
That one.
And that it's fixed now is irrelevant. You made a dick move by threatening legal action without having anything to back it up and it's cost you a lot of goodwill no doubt by stirring it up.