FFmpeg dealing with a security researcher

(twitter.com)

104 points trollied | 1 comments | 01 Nov 25 20:59 UTC | HN request time: 0.21s | source

Show context

PaulKeeble ◴[01 Nov 25 21:46 UTC] No.45785696[source]▶

"Just send patches" is I think the main point. Rather than just reporting security bugs these big organisations ought to start seeing the point of open source being that can and should be contributing if they value the project and need this fixed because its a pretty obscure problem generated by AI.

replies(4): >>45785935 #>>45786972 #>>45788047 #>>45789281 #

bawolff ◴[02 Nov 25 05:34 UTC] No.45788047[source]▶

>>45785696 #

I think that is a little entitled. They should be happy google isn't just straight up emailing full-disclisure.

The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

replies(9): >>45788126 #>>45788148 #>>45788195 #>>45788490 #>>45789829 #>>45791054 #>>45791689 #>>45792479 #>>45792591 #

waste_monk ◴[02 Nov 25 06:21 UTC] No.45788195[source]▶

>>45788047 #

>I think that is a little entitled. They should be happy google isn't just straight up emailing full-disclisure.

Google has literally billions of dollars in profits (in part because they use FFmpeg in a bunch of commercial products like Youtube and Chrome), and one of the largest software workforces in the world, including expertise on secure software and vulnerability remediation.

If anyone can afford to contribute back a fix instead of just raising a report, and has the ethical responsibility to do so, it's Google.

replies(2): >>45792609 #>>45793231 #

1. bawolff ◴[02 Nov 25 20:39 UTC] No.45793231[source]▶

>>45788195 #

Security vulnerability finding is a contribution. On the open market the type of service google is providing here would cost hundreds of thousands of dollars if not millions.

↑