Remember when google set up a whole project to find vulnerabilities but never sent any fix and unpaid developers were basically having to fix things that an entire team of people was hired to find… yeah maybe they could have just made an offer to some maintainers instead of burning them out?
Is this an oblique reference to OSS Fuzz, or something else?
It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.
The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.
People were getting rightly roasted for calling google a leech when A) google does donate money to ffmpeg and B) that bug was in a weird format google almost certainly has disabled so they're not reporting it to get free labor.
From the horses mouth: "Michael Niedermayer, a leading FFmpeg developer, tweeted, “I am the main developer fixing security issues in FFmpeg. I have fixed over 2700 Google OSS fuzz issues. I have fixed most of the BIGSLEEP issues. And i disagree with the comments FFmpeg (Kieran) has made about Google. From all companies, Google has been the most helpful & nice.” https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-send...
Sounds like Google has been very helpful and nice.