I mean, the simple solution is to do the same as curl’s dev: If it’s AI, it’s ignored. If it’s a corporation who hasn’t had recent code published in the codebase, it’s ignored. Bugs and vulnerabilities should be human-reported by the community.
That’s the way forward for FOSS - ignore the corps. Then start rebasing on exclusively non-commercial licenses.
AI reports are ignored because they are so frequently crap that they are almost not worth investigating. If these ffmpeg reports are from Project Zero though, they are presumably real. Shipping code with vulnerabilities is always a terrible idea. If Google can find them, attackers can also find them.
I do have to wonder how many of these vulnerabilities are actually in the assembly language parts of the codecs. I had guessed they were more likely to be at the higher levels.