[Klonoar]

I feel like you’re misunderstanding their point.

It’s not that the vulnerability was found and reported, it’s that a trillion plus dollar organization that no doubt actively uses ffmpeg in a litany of spaces is punting the important work of fixing it to volunteers.

This is the same issue that we’re seeing over with XSLT in Chrome: they’re happy when they’re making money off the back of these projects but balk when it comes down to supporting them.

(Yes, everyone is aware Google contributes to open source. They’re still one of the most valuable companies to ever exist, there is almost no excuse for them getting away with this trade off)

[Dylan16807]

It would be nice if they helped fix it, and maybe they don't help enough in general?, but as ffmpeg says this specific codec is just a hobby project for ancient obscure files. **Google gains zero value from this codec.** Disabling it would be plenty to fix the problem on their end.

But that would leave everyone else vulnerable, so they report it. Reporting real problems is a good thing.

[haskellshill]

Google found a vulnerability and reported it for free. Why do they need to do anything more? Give and inch and ffmpeg's twitter guy requests a mile. If you don't want people to use your software to make money, release it with a license that prohibits that.

[Klonoar]

> If you don't want people to use your software to make money, release it with a license that prohibits that.

Or, y'know, the project could balk at a trillion dollar company expecting them to do free work.

Cuts both ways.

[Rebelgecko]

What expectation? Giving someone a heads up about a bug isn't a demand to fix it