
1124 points CrankyBear | 1 comment
JamesBarney No.45891454
I get the idea of publicly disclosing security issues to large, well-funded companies that need to be incentivized to fix them. But I think open source has a good argument that, in terms of the risk/reward tradeoff, publicly disclosing these for a small, resource-constrained open source project probably creates a lot more risk than reward.
replies(5): >>45891546 #>>45891615 #>>45892029 #>>45892122 #>>45898765 #
1. arccy No.45898765
But if open source is reliant on public contributors to fix things, then the bug should be open so anyone can take a stab at fixing it, rather than relying on the closed group of maintainers.