
Risky Business #813 -- FFmpeg has a point
Nov 5, 2025

In this engaging discussion, security journalist Adam Boileau sheds light on the recent drama between FFmpeg and Google over vulnerability disclosures. He advocates for clearer responsibilities among researchers and larger firms regarding bug fixes. The episode also explores OpenAI's Aardvark system and its innovative approach to bug hunting, alongside critical conversations about arrests of ransomware responders and the resurgence of notorious hackers. Adam's insights into the evolving landscape of cybersecurity make this chat both informative and captivating.
Open Source Disclosure Needs Nuance
- Open-source projects vary: some prioritize security, many are volunteer-led and not set up for heavy external disclosure pressure.
- Researchers at large firms should use community-aware, collaborative disclosure rather than rigid, punitive timelines.
Help, Don't Just Report
- If you find bugs in volunteer projects, offer help beyond raw reports: propose patches or collaborate on fixes.
- Use common sense and community-aware disclosure instead of strict 90-day pressure tactics.
Multiple AI Paths To Bug Hunting
- AI approaches to bug hunting differ: Google uses fuzzing scale, OpenAI focuses on reasoning-model-driven analysis.
- Both methods are promising and likely to reshape vulnerability discovery and remediation.
