My take on the FFMPEG drama

- Open source is provided as is, without warranty (depending on the license). Use at your own risk.
- Google (or anyone) finding bugs or vulnerabilities is good, and they are not responsible for fixing them, even if they are a multi-billion dollar company.
- Publicly revealing a vulnerability should be avoided; the designated channels should be used instead. Revealing it publicly might cause more harm than anything, but if you ultimately want to do it, you're free to do it (unless the license says otherwise, which is a good point).
- The project maintainers are not obligated to fix it, especially within a limited timeframe, although it's probably good if they do.
- It would be good if whoever found the vulnerabilities would also fix them or help fix them, but it's also fine if that doesn't happen.
- Contribute to open source if you can, especially if you use it. Contribute with sponsorship, code or anything else. But if you don't want to do that, that's also fine.
- Respect the license.

