←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1125 points CrankyBear | 1 comments | 11 Nov 25 18:32 UTC | HN request time: 0.2s | source
Show context
JamesBarney ◴[11 Nov 25 19:11 UTC] No.45891454[source]
I get the idea of publicly disclosing security issues to large well funded companies that need to be incentivized to fix them. But I think open source has a good argument that in terms of risk reward tradeoff, publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.
replies(5): >>45891546 #>>45891615 #>>45892029 #>>45892122 #>>45898765 #
1. Ygg2 ◴[11 Nov 25 19:22 UTC] No.45891615[source]
> publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.

Not publicly disclosing it also carries risk. Library users get wrong impression that library has no vulnerabilities, while numerous bugs are reported but don't appear due to FOSS policy.