Is Google expecting too much of opensource
LLM-Identified Vulnerabilities vs. Open Source Maintainer Burden
Discover the ethical and logistical conflicts arising when massive corporations use AI to report obscure security bugs to under-resourced volunteer software projects.
Short Summary
- Google reported a low-impact vulnerability in FFmpeg via an LLM system ('Big Sleep'), triggering pushback over disclosure timelines and resource imbalance.
- Maintainers argue that entities powerful enough to find bugs should also shoulder the burden of writing and submitting the patch, not just dropping a time-bound report.
- The conversation highlights the dilemma: knowing about threats versus the practical inability of small teams to triage an ever-increasing volume of AI-generated reports.
- This episode details the trade-offs between security discovery and the sustainability of open-source maintenance workflows under AI pressure.
This discussion centers on a recent controversy involving FFmpeg, an open-source media framework, and Google's AI-driven security tools. Guests Teimu Casey and Trash weigh in on whether automated bug reporting from resource-rich entities imposes an unfair mandate on volunteer maintainers, especially concerning disclosure deadlines and the exploitability of the reported issues.
Top Comments (10)
"Talk is cheap. Submit patches."
1. If you make a lot of money with someone else's software, fund them. 2. Automated bug findings should be triaged by a human expert before sending the report to the authors. 3. Patches are welcome, but they should not be required. The reporter does not know the software as well as the author. Even with triage, it could be unexploitable.
I kind of agree with the ffmpeg people. If you find a bug/security issue, and you have the expertise to find it, you probably have the expertise to at least give an example of how to fix it as well! When you're a multi-billion-dollar company that actually relies on the project, you damn well better help them out.
In my opinion, if your company depends on any kind of open source free software like ffmpeg for the stuff it does (YouTube probably uses it, for example), and you have ANY demands of the tool, it's your job to allocate resources to make it happen. Be it funding or putting employees to work on the tool to implement any patches or features needed. You can't build anything on top of effectively third-party people's pet projects and then demand free work, no matter the perceived importance of said project.
A teenage hacker in the 90s put more effort into telling the exploitable how to patch their vulnerabilities.
I think the issue here is the power dynamic. Their new income is up at 100 billion. They literally have enough money to pay a year's salary to the top 10 ffmpeg contributors and it wouldn't even be noticed in their financial disclosures; it would barely be a rounding error. The fact that what they decided to do to the open-source community is to just throw AI security reports at them and try to bully them into fixing it in 90 days, instead of saying "hey, we use this major thing, let's give them cash to fix this, or fix it ourselves", shows how little they value the projects they are built on.
The reason Google is doing it is because they're clearly staking their cloud platform differentiation on security out of the box. It's a big reason they bought Wiz as well. If they own the cybersecurity AI landscape, that strengthens their position further; it's effectively marketing for that story.
It's in manufacturers' best interest to ensure healthy supply chains. Given how much Google has profited from ffmpeg, they should be paying them and contributing code.
Hey Ed, welcome to the standup. So what are your blockers for the month, and how are you going to resolve them with AI?
I know a bug bounty hunter that pressured Microsoft to fix and pay within 90 days since these multi-billion dollar companies will not pay until they patch it. Bug hunters get paid like 10 to 30 thousand for vulnerabilities on these giant companies that would cost them millions upon millions. This is totally different from an LLM telling OSS they have 90 days to fix bugs or they tell everyone which would exploit not only the company, but all the innocent that use that software.