• half_built_pyramids@lemmy.world · ↑15 · 13 hours ago

    The bug in this case was a vulnerability in 1995’s Rebel Assault 2 video game cinematic, specifically the first 20 frames. So only people with that game, watching the specific cinematic, who got the special hobby build of ffmpeg, had this vulnerability.

    • Cyberwolf@feddit.org · ↑3 ↓2 · 6 hours ago

      Okay so, the same industry that is trying to kill video games is now worried that a game from 30 years ago nobody ever heard of has a bug?

      Google needs to go back to taking their meds.

    • Evotech@lemmy.world · ↑3 ↓2 · 9 hours ago

      Yes, but still a bug. FFmpeg could just have said "OK. We're not gonna patch that."

      • baronofclubs@lemmy.world · ↑16 · 8 hours ago

        Google also appended a 90-day disclosure policy to their reports. FFmpeg can always say, “we’re not going to fix that,” but that would mean a security issue would be published, letting nefarious actors act on it. Even if it would only affect 3 users, the follow-up information of, “don’t use FFmpeg for this use case or you’ll be hacked,” would be out there.

        The criticism arises from the fact that Google, the multinational mega-corp, is sending these reports with the 90-day disclosure policy to a tiny unpaid team. How about the company with something like $100,000,000,000/year in net income offers a patch or two?