Conversation
"Last week the @FFmpeg account began taunting security researchers. Foolish thing to do, as it ignores the asymmetry of their attack surface vs ours.

So as an exercise I found a stack-based buffer overflow on software that he wrote." - @ortegaalfredo

https://threadreaderapp.com/thread/1991974275532636263.html

Normally I'm all for these stunts, but this one...

@buherator we need a new internet for the people who just want to do useful stuff.

Do I recall that the issue was ffmpeg maintainers tired of endless issues filed by giant corps who are using it but not actually helping?

@acsawdey it's complicated... if you squint, pointing out bugs is a form of help, but the P0 disclosure process (designed to incentivize other large corps) doesn't seem to work with highly popular, but underfunded OSS.

I don't know the solution, but shitting on individual developers' code is probably not it.

@buherator @ortegaalfredo 👏👏 nice read. Sad that stuff like this can't be followed in the fedi

@addison @acsawdey @buherator The idea per se isn’t a bad one, but who’s going to pay for that? Most OSS projects are strapped for cash. I’d like to see a culture of “You found an exploitable vulnerability in OSS, you fix it (if you know how)”

@schrotthaufen@mastodon.social @acsawdey@fosstodon.org @buherator@infosec.place In the sense of, the company requesting the fix pays the bounty on the issue. Ideal world, not going to try to codify how this would actually be enforced lol
