←back to thread

FFmpeg dealing with a security researcher

(twitter.com)
104 points trollied | 5 comments | 01 Nov 25 20:59 UTC | HN request time: 0.803s | source
1. socalgal2 ◴[01 Nov 25 23:14 UTC] No.45786362[source]
Because not disclosing an actual bug that could affect users would somehow be good?
replies(1): >>45789836 #
2. galaxy_gas ◴[01 Nov 25 23:50 UTC] No.45786595[source]
The one nice thing is Google had submit a real bug at least.

The human idiot "researchers" will send paragraph long automatically generated extortion threats over not sending HSTS header

3. jsnell ◴[02 Nov 25 01:52 UTC] No.45787220[source]
So, this is the report they complained about: https://issuetracker.google.com/issues/440183164

I don't know how a vulnerability report could be much better than that. It is a real vulnerability. The report includes a detailed analysis of where the vulnerability is. The bug has been validated, and the report includes exact reproduction instructions.

How is that a bullshit bug report?

replies(1): >>45789823 #
4. anon_oss ◴[02 Nov 25 12:28 UTC] No.45789823[source]
Fair enough, I hadn't seen the bug report and assumed it was the usual AI slop.
5. anon_oss ◴[02 Nov 25 12:30 UTC] No.45789836[source]
Sorry, I just needed to vent. I see now that Google's AI bug report isn't as bad as I'd assumed.

They should have included a patch though and they should have contacted ffmpeg team first before spamming them with dozens of issues all at once.