FFmpeg Calls Google's AI Bug Reports "CVE Slop"

Open source project pushes back on AI-generated vulnerability reports.

FFmpeg maintainers have publicly criticized Google after its AI tool reported a security bug in code for a 1995 video game.

The maintainers called the finding "CVE slop" and questioned whether trillion-dollar corporations should use AI to find security issues in volunteer code without providing fixes.

Unchecked Automation is Not an Answer

So what happened is, Google's AI agent Big Sleep found a bug in FFmpeg's code for decoding the LucasArts Smush codec. The issue affected the first 10-20 frames of Rebel Assault II, a game from 1995.

If you didn't know, Big Sleep is Google's AI-powered vulnerability detection tool developed by its Project Zero and DeepMind divisions. It is supposed to find security vulnerabilities in software before attackers can exploit them.

But there's an issue here: under Google's "Reporting Transparency" policy, the tech giant publicly announces that it has found a vulnerability within one week of reporting it to the project. A 90-day disclosure clock then starts, regardless of whether a patch is available.

You see the problem now? 🤔

FFmpeg developers patched the bug but weren't happy about it. They tweeted in late October that "We take security very seriously but at the same time is it really fair that trillion-dollar corporations run AI to find security issues in people's hobby code? Then expect volunteers to fix."

Beyond that, you have to understand that FFmpeg is an important piece of digital infrastructure that is used in Google Chrome, Firefox, YouTube, VLC, Kodi, and many other platforms.

The project is written almost exclusively by volunteers. Much of the code is in assembly language, which is difficult to work with. This situation highlights the ongoing tension over how corporations use volunteer-maintained open source software to power their commercial products, yet expect the volunteers to fix any obscure issue that crops up.

Via: The New Stack

About the author

Sourav Rudra

A nerd with a passion for open source software, custom PC builds, motorsports, and exploring the endless possibilities of this world.
