
1125 points CrankyBear | 1 comments
profsummergig ◴[] No.45891496[source]
A bunch of people who make era-defining software for free. A labor of love.

Another bunch of people who make era-defining software where they extract everything they can. From customers, transactionally. From the first bunch, pure extraction (slavery, anyone?).

replies(4): >>45891584 #>>45892197 #>>45892562 #>>45896041 #
ivell ◴[] No.45891584[source]
Irrespective of what Google does, security research is still useful for all of us.

They could adopt a more flexible policy for FOSS though.

replies(3): >>45891820 #>>45892009 #>>45892299 #
adastra22 ◴[] No.45892009[source]
Is it? I’ve gotten nothing but headaches from these automated CVE-seeking teams.
replies(1): >>45892966 #
viraptor ◴[] No.45892966[source]
You got lower chances of getting hacked by a random file on the internet. At Project Zero level they're also not CVE seeking - it doesn't even matter at that scale, it's not an independent trying to become known.
replies(1): >>45895143 #
adastra22 ◴[] No.45895143[source]
I have yet to see one on any project I’ve been attached to that was actually exploitable under real circumstances. But the CVE hunting teams treat them all as if they were.
replies(1): >>45895931 #
saagarjha ◴[] No.45895931[source]
You should honestly consider not responding if you are unaware of Project Zero.
replies(1): >>45896378 #
adastra22 ◴[] No.45896378[source]
TFA is about Project Zero getting uppity about an unexploitable non-issue in ffmpeg.

Project Zero hasn't reported any vulnerabilities in any software I maintain. Lots of other security groups have, some well respected as well, but to my knowledge none of these "outside" reports were actual vulnerabilities when analyzed in context.

replies(1): >>45896507 #
saagarjha ◴[] No.45896507[source]
You are welcome to view the report however you like, but a world where an easily reproducible OOB read and UAF in the default configuration is an "unexploitable non-issue" is not reality.
replies(1): >>45897502 #
adastra22 ◴[] No.45897502[source]
For a codec that isn't configured by default, and only used and maintained by a hobbyist video game content preservation group. Yeah, it's a non-issue.
replies(2): >>45898406 #>>45898464 #
saagarjha ◴[] No.45898406[source]
It's used by exploit authors, too.