Security concerns, and how to report them

Added by John Lindgren almost 5 years ago

Someone recently asked (via email) whether we have a bug bounty program for security risks. I don't usually respond to emails from strangers, but this is a question worth answering.

The answer is No. There is no bug bounty program of any kind. Development of Audacious is not funded by any organization; it is performed by a few volunteers in their free time.

And just to be abundantly clear:

USE AUDACIOUS AT YOUR OWN RISK.

DO NOT RUN AUDACIOUS ON CRITICAL INFRASTRUCTURE.

Audacious is not "secure" software. There is a plugin (Song Change) that, by design, executes arbitrary shell commands at times of your choosing. If an attacker can control Audacious on your machine, that person has access to the full capabilities of the user account running Audacious.

Additionally, the code has never been audited for security risks. The quality of the code in some of the older plugins is abysmal according to modern standards of "safe" programming. Opening files or streams from untrusted sources in Audacious should be considered just as much of a risk as opening a macro-enabled Word document from that same source.
It is ultimately YOUR responsibility to judge whether the benefits of running Audacious on your computer(s) outweigh the risks.

If you do find a bug -- any bug, whether it could be a security concern or not -- please report it, and we will do our best to fix it as time allows.

Enjoy Audacious.