I would rather they fix it and submit a patch like normal fucking people.

> Right, they probably already mitigated this bug in their own usage.

Indeed. A step so obvious it renders comments such as this:

  It's enabled by default so all that's required to exploit it would be to construct a payload file and name it movie.mp4

> Which is exactly why reporting the bug is a FAVOR to ffmpeg.

Not sure you have to SHOUT the obvious.

> Would you rather they just quietly fix it on their own and not report it to the maintainers?

What do you suppose the answer to that question to be?