I don’t understand how it helps the community to publicly release instructions for attacking people, unless you’re trying to incentivize a company to fix their crap. In this case, there is no company to incentivize, so just report it privately.
You can say publicly that “there is an ABC class vulnerability in XYZ component” so that users are aware of the risk.
It’s OSS so somebody who cares will fix it, and if nobody cares then it doesn’t really matter.
This also informs users that it’s not safe to use ffmpeg or software derived from it to open untrusted files, and, perhaps most importantly, releasing this tells the distro package maintainers to disable the particular codec when packaging.
You can say publicly that “there is an ABC class vulnerability in XYZ component” so that users are aware of the risk.