FFmpeg Bug Bounty Program

About our project

FFmpeg is the leading multimedia framework, able to decode, encode, transcode, mux, demux, stream, filter and play pretty much anything that humans and machines have created. It supports the most obscure ancient formats up to the cutting edge. No matter if they were designed by some standards committee, the community or a corporation. It is also highly portable: FFmpeg compiles, runs, and passes our testing infrastructure FATE across Linux, Mac OS X, Microsoft Windows, the BSDs, Solaris, etc. under a wide variety of build environments, machine architectures, and configurations.

About the scope

This program is limited to a specific list of assets :

• All of our tools including :
  • ffmpeg is a command line toolbox to manipulate, convert and stream multimedia content.
  • ffplay is a minimalistic multimedia player.
  • ffprobe is a simple analysis tool to inspect multimedia content.
• Our main libraries
  • libavcodec provides implementation of a wider range of codecs.
  • libavformat implements streaming protocols, container formats and basic I/O access.
  • libavutil includes hashers, decompressors and miscellaneous utility functions.
  • libavfilter provides means to alter decoded audio and video through a directed graph of connected filters.
  • libavdevice provides an abstraction to access capture and playback devices.
  • libswresample implements audio mixing and resampling routines.
  • libswscale implements color conversion and scaling routines.

Your tests must be limited to our latest stable version of the different component or the latest master/main branch on GitHub. Reports about other assets won't be eligible for reward.

Documentation

You may find our project documentation here.

Packaged versions may be found here, mind that to be eligible for reward your report must be reproductible against our GitHub repository's version.

Program rules

About report's content

To be eligible, your reports must include the hereafter information :

• General description of the issue
• Details about the impacted function and specific conditions to be met, including the vulnerable code snippet
• Impacted version
• A step by step proof of concept allowing to reliably reproduce the issue, including network exploitation
• A video of the PoC, demonstrating the full exploitation
• Recommendations and fix suggestions

A detailed template will be provided automatically when submitting a report, please stick to it. This will help us ensure a smooth and swift processing of your reports.

Mind that reports that do not follow the template’s guidelines won’t be eligible for reward. Abuse may lead to further sanctions (e.g. spamming or repeated submission of invalid reports).

All reports must include screenshots, video(s), logs and evidence, that show the full exploitation on your end. Providing us with a script to run ourselves will be deemed insufficient. Reports that fail to present required evidence, will likely be rejected.

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Denial of service (DoS) attacks on our applications, servers, networks or infrastructure are strictly forbidden
• All reports must be validated manually, submission from automated tools won't be considered and may lead to sanctions (code analysis tools, AI, …)
• Targeting other users' instances is forbidden, only test against your own
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• Same with secrets, keys and credentials
• No vulnerability disclosure, full, partial or otherwise, is allowed without prior agreement from us
• Please avoid submitting security issues on our repositories before reporting it to this program, your report might be considered as a duplicate if a related submission already exists on our repositories
• The following topics won’t be considered as a valid finding eligible for reward nonetheless, you’re welcome to suggest improvements about it through our repositories but not our bug bounty program :
  • Code improvements/code quality issues without security impact
  • Insecure default/basic configurations
  • Mistakes or lack of precision in our documentation

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• You must not break any of the testing policy rules listed above
• You must not be a former or current employee nor a maintainer of our project or one of its contractors
• The vulnerability must be a qualifying vulnerability
• The report must contain the following elements:
  • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and the company, and remediation advice on fixing the vulnerability
  • Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
  • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• Identical vulnerabilities present in different versions will be considered as a single issue/will warrant a single reward
• Multiple vulnerabilities caused by one underlying issue will be considered as a single issue/will warrant a single reward

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis