←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1125 points CrankyBear | 4 comments | 11 Nov 25 18:32 UTC | HN request time: 0s | source
Show context
woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
AbrahamParangi ◴[11 Nov 25 19:50 UTC] No.45891930[source]
If google bears no role in fixing the issues it finds and nobody else is being paid to do it either, it functionally is just providing free security vulnerability research for malicious actors because almost nobody can take over or switch off of ffmpeg.
replies(6): >>45892251 #>>45893043 #>>45893172 #>>45896030 #>>45899685 #>>45900110 #
janalsncm ◴[11 Nov 25 21:21 UTC] No.45893043[source]
I guess the question that a person at Google who discovers a bug they don’t personally have time to fix is, should they report the bug at all? They don’t necessarily know if someone else will be able to pick it up. So the current “always report” rule makes sense since you don’t have to figure out if someone can fix it.

The same question applies if they have time to fix it in six months, since that presumably still gives attackers a large window of time.

In this case the bug was so obscure it’s kind of silly.

replies(2): >>45895985 #>>45897503 #
1. rocqua ◴[12 Nov 25 08:03 UTC] No.45897503[source]
This was not a case of stumbling across a bug. This was dedicated security research taking days if not weeks of high paid employees to find.

And after all that, they just drop an issue, instead of spending a little extra time on producing a patch.

replies(1): >>45898086 #
2. walletdrainer ◴[12 Nov 25 09:23 UTC] No.45898086[source]
It’s possible that this is a more efficient use of their time when it comes to open source security as a whole, most projects do not have a problem with reports like this.

If not pumping out patches allows them to get more security issues fixed, that’s fine!

replies(1): >>45900084 #
3. rocqua ◴[12 Nov 25 13:45 UTC] No.45900084[source]
From the perspective of Google maybe, but from the perspective of open source projects, how much does this drain them?

Making open source code more secure and at the same time less prevalent seems like a net loss for society. And if those researchers could spare some time to write patches for open source projects, that might benefit society more than dropping disclosure deadlines on volunteers.

replies(1): >>45900667 #
4. walletdrainer ◴[12 Nov 25 14:31 UTC] No.45900667{3}[source]
I’m specifically talking from the perspective of everybody but Google.

High quality bug reports like this are very good for open source projects.