It is absolutely Google's security issue if they use an open source project with that license:

fabrice_d • last Saturday at 9:59 PM • 2 replies • view on HN

and then expect volunteers to provide them fixes.

joatmon-snoo • last Saturday at 11:04 PM

Google never asked a volunteer for a fix.

This is part of Google’s standard disclosure policy: it gets disclosed within 90 days starting from confirmation+contact.

If ffmpeg didn’t want to fix it, they could’ve just let the CVE get opened.

GaryBluto • last Saturday at 10:09 PM

It's not just Google who could be affected by this.

> and then expect volunteers to provide them fixes.

Expect volunteers to provide everyone using the software with fixes.

➕ show 1 reply

alt Hacker News