They’re bug reports: no one needs to fix them.
This problem is solved easily enough by letting the chips fall.
If companies want them fixed badly enough, they can send bug fixes, which is much cheaper than the alternative (paying more engineers to develop & maintain non-open alternatives).
Those companies have at least as much interest as anyone to keep that software maintained & secure.
The position of the FFmpeg X account is that somehow disclosing vulnerabilities is a bad thing.
The truth is never a bad thing.
They don’t need to care.
A bug is a bug: better to know than not.
The truth can absolutely be a bad thing. If google reports an important vulnerability, then buries it in CVE slop for 90 days, and publicly announces details of the important vulnerability that hasn’t been fixed yet, it would be worse than if they had never reported it
The 90-day publishing window is tough when OSS projects are getting buried in AI slop reports
Then Google would have to put out of the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it.
A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability.
False urgency is nothing more: Google’s urgency isn’t the maintainer’s & the maintainers don’t need to “meet the window”.
Companies will be left with their pants on fire if they don’t act, too, but it will cost them more.
Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.
They’re bug reports: no one needs to fix them. This problem is solved easily enough by letting the chips fall.
If companies want them fixed badly enough, they can send bug fixes, which is much cheaper than the alternative (paying more engineers to develop & maintain non-open alternatives). Those companies have at least as much interest as anyone to keep that software maintained & secure.
The truth is never a bad thing. They don’t need to care. A bug is a bug: better to know than not.
The truth can absolutely be a bad thing. If google reports an important vulnerability, then buries it in CVE slop for 90 days, and publicly announces details of the important vulnerability that hasn’t been fixed yet, it would be worse than if they had never reported it
The 90-day publishing window is tough when OSS projects are getting buried in AI slop reports
Then Google would have to put out of the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it. A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability. False urgency is nothing more: Google’s urgency isn’t the maintainer’s & the maintainers don’t need to “meet the window”. Companies will be left with their pants on fire if they don’t act, too, but it will cost them more. Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.