Exactly this. Corporations can pay up if they want these pieces of critical infrastructure to be more robust. Fully leaning on the passion of people in our profession to do unpaid work because we like the craft is... uncool.
In this case at least reading through the timeline it sounds like the bulk of the discovery of the vulnerability came through paid folks though.
Microsoft aren’t paying, but are still demanding responses to their problems. Now sure, you can ignore it (and the ffmpeg lot are a hardened bunch), but I can see how a lone developer can feel pressured by leviathans.
Microsoft are being the twats here, not the ffmpeg devs.
In this case at least reading through the timeline it sounds like the bulk of the discovery of the vulnerability came through paid folks though.
"shoulda put a ring on it"