
1124 points CrankyBear | 1 comments
dbl000 No.45892005
I don't understand the rationale for announcing that a vulnerability in project X was discovered before the patch is released. I read the Project Zero blogspot announcement but it doesn't make much sense to me. Google claims this is to help downstream users, but that feels like a largely non-issue to me.

If you announce that a vulnerability (unspecified) is found in a project before the patch is released, doesn't that just incentivize bad actors to now direct their efforts at finding a vulnerability in that project?

1. Bratmon No.45905853
"Don't announce an unpatched vulnerability ever" used to be the norm. It caused a massive problem: most companies and organizations would never patch security vulnerabilities, so vulnerabilities would last years or sometimes decades being actively exploited with nobody knowing about it.

Changing the norm to "We don't announce unpatched vulnerabilities but there is a deadline" was a massive improvement.