1125 points CrankyBear | 4 comments

JamesBarney No.45891454
I get the idea of publicly disclosing security issues to large well funded companies that need to be incentivized to fix them. But I think open source has a good argument that in terms of risk reward tradeoff, publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.
Msurrow No.45891546
In addition to your point, it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days. The security issue should certainly be disclosed - when it's responsible to do so.

Now, if Google or whoever really feels like fixing fast is so important, then they could very well contribute by submitting a patch along with their issue report.

Then everybody wins.

danlitt No.45891625
> it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days

This is very far from obvious. If Google doesn't feel like prioritising a critical issue, it remains irresponsible not to warn other users of the same library.

1. Msurrow No.45891667
If that’s the case, why give the OSS project any time to fix at all before public disclosure? They should just publish immediately, no? Warn other users ASAP.
2. danlitt No.45892856
Why do you think it has to be all or nothing? They are both reasonable concerns. That's why reasonable disclosure windows are usually short but not zero.
3. GabrielTFS No.45894143
Full (immediate) disclosure, where no time is given to anyone to do anything before the vulnerability is publicly disclosed, was historically the default, yes. Coordinated vulnerability disclosure (or "responsible disclosure" as many call it) only exists because the security researchers that practice it believe it is a more effective way of minimizing how much the vulnerability might be exploited before it is fixed.
4. saagarjha No.45895946
Because it gives maintainers a chance to fix the issue, which they’ll do if they feel it is a priority. Google does not decide your priorities for you, they just give you an option to make their report a priority if you so choose.