FFmpeg Calls Google's AI Bug Reports "CVE Slop"

FFmpeg maintainers have publicly criticized Google after its AI tool reported a security bug in code for a 1995 video game.

The maintainers called the finding “CVE slop” and questioned whether trillion-dollar corporations should use AI to find security issues in volunteer code without providing fixes.

Unchecked Automation is Not an Answer

Here is what happened: Google’s AI agent Big Sleep found a bug in FFmpeg’s decoder for the LucasArts Smush codec. The issue affected the first 10-20 frames of Rebel Assault II, a game from 1995.

If you didn’t know, Big Sleep is Google’s AI-powered vulnerability detection tool developed by its Project Zero and DeepMind divisions. It is supposed to find security vulnerabilities in software before attackers can exploit them.

But there’s an issue here: under Google’s “Reporting Transparency” policy, the tech giant publicly announces it has found a vulnerability within one week of reporting it. A 90-day disclosure clock then starts regardless of whether a patch is available.

You see the problem now? 🤔

FFmpeg developers patched the bug but weren’t happy about it. They tweeted in late October that “We take security very seriously but at the same time is it really fair that trillion-dollar corporations run AI to find security issues in people’s hobby code? Then expect volunteers to fix.”

Beyond that, you have to understand that FFmpeg is an important piece of digital infrastructure that is used in Google Chrome, Firefox, YouTube, VLC, Kodi, and many other platforms.

The project is written almost exclusively by volunteers. Much of the code is in assembly language, which is difficult to work with. This situation highlights the ongoing tension over how corporations use volunteer-maintained open source software to power their commercial products and then expect those volunteers to fix any obscure issue that crops up.

Via: The New Stack

