No, VLC is its own thing however it uses libavcodec from the FFmpeg project for a large number of the codecs included in VLC. But VLC is far from being just an FFmpeg GUI.

Unnecessary journalist fluff around the source material from Mozilla.

In my opinion, the risk is vulnerabilities in their driver. Threat actors love a signed driver that runs at a level like this. Saw Genshin Impact’s driver in an incident one time.

Overcast looks like it’s got decent privacy on iOS.

Oops! I forgot to check the schedule.

Formal Verification doesn’t guarantee that the code is free of vulnerability, it just increases confidence in its security. It’s never perfect.

CVE-2023-35674 No real details published yet but Google discussed it in their September security bulletin.

PSA: Android just published a patch for a very similar vulnerability in their September Security release. You should update your Android devices ASAP.

It’s literally been 3 days since Android had a vulnerability of this exact nature: remote code execution with zero user interaction required (CVE-2023-35674).

Every piece of software has vulnerabilities lurking within. What matters is the velocity at which vendors address and resolve those vulnerabilities. Apple and Google are both exemplary at getting patches out quickly.