alt Hacker NewsBecause it burns out developers and ruins the project. Its like how the treatment can be worse than the disease in medicine.
The CVEs get reported, then big corps automated systems start flagging all use of ffmpeg, the big corp security software stops builds and removes it from dev laptops, then frustrated big corp engineers start harassing the volunteers and soon its not worth volunteering anymore, and the project dies, and there was never a real world impact.
My point of view is that the unpaid ffmpeg maintainers should stop playing along with the corporate "security researchers" and not prioritize a bug over everything else simply because it's a CVE. In this case, the "high priority CVE" is from a reverse-engineered codec a hobbyist wrote to decode video from 1990s LucasArts video games. I think it's unreasonable to expect the maintainers to drop everything to fix a bug in a codec that most people will never use. If the trillion-dollar companies sending AI-generated CVE reports care so strongly about getting them fixed ASAP, they should really be fixing them themselves.