
FFmpeg to Google: Fund Us or Stop Sending Bugs


You may never have heard of FFmpeg, but you’ve used it. This open source program’s robust multimedia framework is used to process video and audio media files and streams across numerous platforms and devices. It provides tools and libraries for format conversion, aka transcoding, playback, editing, streaming, and post-production effects for both audio and video media.

FFmpeg’s libraries, such as libavcodec and libavformat, are essential for media players and software, including VLC, Kodi, Plex, Google Chrome, Firefox, and even YouTube’s video processing backend. It is also, like many other vital open source programs, terribly underfunded.

Corporate Responsibility vs. Volunteer Labor

A lively debate broke out on Twitter among Dan Lorenc, CEO and co-founder of the software supply chain security company Chainguard, the FFmpeg project, Google, and security researchers over security disclosures and the responsibilities of large tech companies toward open-source software.

The core of the discussion revolves around how vulnerabilities should be reported, who is responsible for fixing them, and the challenges that arise when AI is used to uncover a flood of potentially meaningless security issues. But at heart, it’s about money.

An Obscure Bug Ignites the Controversy

This discussion has been heating up for some time. In mid-October, FFmpeg tweeted that “security issues are taken extremely seriously in FFmpeg, but fixes are written by volunteers.” This point cannot be emphasised enough. As FFmpeg tweeted later, “FFmpeg is written almost exclusively by volunteers.”

Thus, as Mark Atwood, an open source policy expert, recounted on Twitter, he had to keep telling Amazon not to do things that would mess up FFmpeg, repeatedly explaining to his bosses that “They are not a vendor, there is no NDA, we have no leverage, your VP has refused to help fund them, and they could kill three major product lines tomorrow with an email. So, stop, and listen to me … ”

The Growing Burden on Open Source Maintainers

The latest episode was sparked after a Google AI agent found an especially obscure bug in FFmpeg. How obscure? This “medium impact issue in ffmpeg,” which the FFmpeg developers did patch, is “an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”
