
1125 points CrankyBear | 7 comments
1. ksynwa ◴[] No.45892229[source]
What is the point of Google's Project Zero?

I'm not being dismissive. I understand the imperative of identifying and fixing vulnerabilities. I also understand the detrimental impact that these problems can potentially have on Google.

What I don't understand is the choice to have a public facing project about this. Can anyone shine a light on this?

replies(5): >>45892326 #>>45892506 #>>45892597 #>>45893019 #>>45896085 #
2. rsanek ◴[] No.45892326[source]
I would imagine it's mostly a PR/marketing thing. That way the researchers can point to being part of something other people know about, and Google gets positive PR (though maybe not in this case) for spending resources on making software in general more secure.
replies(1): >>45892507 #
3. khuey ◴[] No.45892506[source]
Project Zero's public existence came out of the post-Snowden period where Google was publicly pissed at the NSA/etc for spying on them (e.g. by tapping their fiber links).
4. dkdcio ◴[] No.45892507[source]
you could not imagine and just read sources like https://en.wikipedia.org/wiki/Project_Zero
5. jeroenhd ◴[] No.45892597[source]
A lot of their research involves stuff they personally benefit from if they were secure. ffmpeg, libxml2, various kinds of mobile device firmware, Linux kernels and userspace components, you name it.

Their security team gaining experience on other projects can teach them some more diversity in terms of (malware) approaches and vulnerability classes, which can in turn be used to secure their own software better.

For other projects there's some vanity/reputation to be gained. Having some big names with impressive resumes publicly talk about their work can help attract talent.

Lastly, Google got real upset that the NSA spied on them (without their knowledge, they can't help against warrants of course).

Then again, there's probably also some Silicon Valley bullshit money being thrown around. Makes you wonder why they don't invest a little bit more to pay someone to submit a fix.

6. NegativeK ◴[] No.45893019[source]
PR.

And pushing forward the idea that "responsible disclosure" doesn't mean the software creator can just sit on a bug for as long as they want and act superior and indignant when the researcher gives up and publishes anyway because the creator is dragging their ass.

7. Aurornis ◴[] No.45896085[source]
Honestly it seems kind of weird that HN comments are becoming so hostile toward a company hiring security researchers and having them do free security research on popular projects, then giving away the results for free.

There are many groups and companies that do security research on common software and then sell the resulting vulnerabilities to people who don’t have your best interests in mind. Having a major company get ahead of this and share the results is a win for all of us.

A lot of people in this comment section don't understand the broader security ecosystem. There are many vendors who will even provide patched versions of software to work around security issues that aren't yet solved upstream. Sometimes these patches disable features or break functionality, or simply aren't at a level where upstream is interested yet. But patching known issues is valuable.

Getting patches accepted upstream in big open source projects isn’t always easy. They tend to want things done a certain way or have a high bar to clear for anyone submitting work.