Hacker News

waste_monk, yesterday at 6:21 AM (2 replies)

> I think that is a little entitled. They should be happy google isn't just straight up emailing full-disclosure.

Google has literally billions of dollars in profits (in part because they use FFmpeg in a bunch of commercial products like YouTube and Chrome), and one of the largest software workforces in the world, including expertise on secure software and vulnerability remediation.

If anyone can afford to contribute back a fix instead of just raising a report, and has the ethical responsibility to do so, it's Google.


Replies

godelski, yesterday at 7:09 PM

> because they use FFmpeg in a bunch of commercial products like Youtube and Chrome

Not to mention they just have a vested interest in getting the problem solved. Even if we don't talk about money.

I'm not sure why this is an unpopular idea, but contribute back to your upstream dependencies. If they're a dependency, they're part of *your code*.

bawolff, yesterday at 8:39 PM

Security vulnerability finding is a contribution. On the open market the type of service google is providing here would cost hundreds of thousands of dollars if not millions.