FFmpeg Calls Google's AI Bug Reports "CVE Slop"
8 days ago
- #OpenSource
- #FFmpeg
- FFmpeg maintainers criticized Google for using AI to report a security bug in code for a 1995 video game.
- Google's AI tool, Big Sleep, found a bug in FFmpeg's LucasArts Smush codec, affecting 'Rebel Assault II'.
- FFmpeg developers patched the bug but questioned the fairness of trillion-dollar corporations using AI to find issues in volunteer-maintained code.
- Google's 'Reporting Transparency' policy mandates public disclosure of vulnerabilities within a week, starting a 90-day clock, regardless of patch availability.
- FFmpeg is critical digital infrastructure used in major platforms like Google Chrome, YouTube, and VLC, and is maintained mostly by volunteers.
- The incident highlights tensions between corporations and open-source volunteers over responsibility for fixing obscure issues.