As it is an open source project, and they obviously have some internal communications issues at VLC, it is likely that you would get a different response and opinion about this depending on who at VLC you talked to. They don't have a traditional legal/PR/management structure, so they're naturally going to be more chaotic when dealing with things.
This isn't necessarily a bad thing; they're probably more resilient as well due to that loosely coupled structure. It just means that sometimes you get inconsistent communications, sometimes about important topics. It would be a mistake to think that VLC has some underlying dislike of vulnerability reports or an aversion to fixing known bugs, and I would be really surprised if counsel has been retained (or has vetted) this 'plan' to sue.