undefined | Better HN

0 pointsbawolff6mo ago0 comments

By the same token nobody has the duty to responsibly disclose security bugs. The entire premise of responsible disclosure is that security researchers give time for upstream projects to fix security issues by privately reporting the issues, in exchange the maintainers graciously accept the reports. Its a deal that benefits maintainers much more than it benefits researchers. If ffmpeg doesn't want that deal, then google should go the full disclosure route.

> If you want the security issue to be fixed,

There is no indication that google actually cared much whether the issue got fixed or not. It seems like the course of events is that they noticed something looked wrong with the code so they filed a bug. That's it.

> willing to pay for them to fix.

Should ffmpeg pay for security researchers time to find these issues? The market price for that is much much much higher than the price to fix bugs.

If you were to pay someone to do vulnerability testing in ffmpeg with sufficient skill to find this issue, it would probably cost you in the hundreds of thousands of dollars at least.

0 comments

eipi10_hn6mo ago

Yes, that's right. Nobody has the duty to disclosure the security bugs. It's the security researchers' principles, and if they want to follow that, they can follow that.

But don't take it further that the maintainers have the duty to fix the issues. They choose that career, don't make it sound like ffmpeg is forcing them to disclosure. Maintainers don't "deal" with any security researchers about those, and don't put the confidence that it "benefits maintainers" than "benefit researchers", unless the maintainers declare that themselves. In this case there's no patch, no fix, no PR either, just issue-submission. "You have more benefits" are the claims of the researchers who think that their issue-submission contributions top everything else.

Finding and disclosing the security are issue-submission contributions, and that's it. Don't make it as a gift or something. ffmpeg doesn't have the need to find these issues, and they don't pay for it for it either. And vice versa, they have no duties to fix the issues. They don't force the security researchers to find and disclose things. If security researchers want to do it themselves, they can do whatever they want, but stop at forcing duties to the maintainers. The only thing I don't agree with ffmpeg is bringing those issues social while they can just ignore them, that's it.

bawolffOP6mo ago

I mean, i agree, ffmpeg are under no obligation to do anything. (In the heat of the moment i think my previous comment went too far, i would phrase it more, as if you want to be a "quality" software project then you have to respond to real security bugs promptly).

My biggest gripe though is that ffmpeg does seem to value these sorts of reports highly. If i'm reading the timestamps right, they fixed this report within 1 day: https://github.com/FFmpeg/FFmpeg/commit/c41a70b6bb79707e1e3a...

How often do you get your bug reports fixed that fast? When i file bugs in open source projects it usually takes at least weeks if im lucky to get a response. People almost never respond within 1 day. I think that demonstrates how valuable ffmpeg views these reports.

If the report was a garbage report (like e.g. the ones the curl maintainer complains about) i'd have more sympathy, but clearly ffmpeg views this issue submission as valuable. The whole thing makes me think of choosing-beggars. They want the google report but also are trying to use social pressure to make google contribute even more.

If they didn't want google's reports that's one thing - just reject them, but both wanting them while also demanding more is scummy in my opinion. Either accept or reject them.

eipi10_hn6mo ago

Nope. Don't mistake a quick fix as they are "valuable" to the maintainers. They said clearly that it's a hobby project and at the most it just simply means that some volunteers were interested and wanted to fix it, or the fix is not complex, and I would just stop at that. The "valuable" is, again, an outsider view that is forced to the maintainers. Same as "They want google report" thing. Just because they fix some issues reported from someones doesn't mean that they view all of those reports being "valuable".

At most, I would just see that they are annoyed by the issue procedures (without PRs) of the "researchers" and they complaint on the social. I don't agree with their complaints because the "researchers" did nothing wrong either. And that's it, I would stop at that. Putting the whole "duty", "valuable reports" and "demand more" on them is just as bs as their complaints.

bawolffOP6mo ago

> volunteers were interested and wanted to fix

If that's not the definition of valuable then what is?

As you said, its a volunteer project. What other metric of value is there other than a volunteer being interested?

j / k navigate · click thread line to collapse

0 comments

eipi10_hn6mo ago

Yes, that's right. Nobody has the duty to disclosure the security bugs. It's the security researchers' principles, and if they want to follow that, they can follow that.

bawolffOP6mo ago

If they didn't want google's reports that's one thing - just reject them, but both wanting them while also demanding more is scummy in my opinion. Either accept or reject them.

eipi10_hn6mo ago

bawolffOP6mo ago

> volunteers were interested and wanted to fix

If that's not the definition of valuable then what is?

As you said, its a volunteer project. What other metric of value is there other than a volunteer being interested?

j / k navigate · click thread line to collapse