upvote

points

by bawolff19 hours ago |
comments
upvoteby naturalmovement18 hours ago|
next
[-]
> AI slop is a real problem and annoying. Just because it exists does not mean every vulnerability report is AI slop.

Ok but who is going to sift through it all to triage the good bits when you're working on something for free?

> Ffmpeg devs are free not to care, but then they cant complain when they start to get a bad reputation

Who gives a shit about reputation when you're the only game in town?

There is nothing out there that even attempts to approximate an ffmpeg clone. They are the Swiss army knife of media encoding and all complainers have produced are plastic sporks.

reply
upvoteby notenlish1 hours ago|
parent|
next
[-]
Its not as full featured as ffmpeg but I remember hearing about mediabunny, It's a web native ffmpeg alternative, and according to its website, seems to be a lot faster than ffmpeg.wasm
reply
upvoteby bawolff17 hours ago|
parent|
prev|
[-]
> Ok but who is going to sift through it all to triage the good bits when you're working on something for free?

Its like anything else in open source. Maintainers will do so if they care. Maybe they decide they don't care. That is always their decision to make but there are consequences for the project. Maybe those consequences make sense. Being a maintainer is all about making cost-benefit trade offs.

> Who gives a shit about reputation when you're the only game in town?

Its up to the maintainers whether they care or not. It depends on what they value.

Ultimately if maintainers make decisions that are at odds with what their userbase want, someone eventually forks and people vote with their feet.

reply
upvoteby naturalmovement17 hours ago|
parent|
next
[-]
Security is a bit different.

Today it's an industry driven by unscrupulous clout-chasers and a commitment to quantity over quality.

There is a difference between going through patches and pull requests vs. the endless stream of LLM-assisted bullshit that has started cluttering security inboxes in the last few years.

reply
upvoteby tptacek16 hours ago|
parent|
[-]
Vulnerability researchers don't create the vulnerabilities they report. The vulnerabilities exist whether or not they're reported by "clout chasers".
reply
upvoteby dspillett7 hours ago|
parent|
[-]
There is a difference between a proper vulnerability researcher and a clout chaser calling themselves a vulnerability researcher. Research for a start, to assess the problem to see if it is genuine and if so if there are significant mitigating factors (by default or that can be implemented), and checking if it hasn't already been reported, instead of just copypasting some LLM output with minimal review. And to many clout chasers everything they find is a grade A world wrecking highest possible priority "if you don't drop everything else and fix this now you are a kitten murderer and I'm going to release the information to the world in 24 hours" level issue (they know this because they suggested it to an LLM and it told them they were so right).
reply
upvoteby tptacek5 hours ago|
parent|
[-]
No there isn't. The vulnerability is either real or it isn't. How you feel about the researchers doesn't enter into it. People angry about vulnerability research have been making this argument since 1992.
reply
upvoteby dspillett8 hours ago|
parent|
prev|
next
[-]
> Maintainers will do so if they care.

Caring is only part of the problem. If you are inundated by low quality reports, or many duplicates of what turn out to effectively be the same problem, that you have to sift through to find the useful reports, then by the time you have something actionable you have no time left to take action on it.

The amount of reports coming in, particularly the low/zero quality ones, is apparently growing at a much faster rate than the time volunteers have for dealing with them.

Caring does not magically solve problems without enough people with enough time.

reply
upvoteby RossBencina7 hours ago|
parent|
prev|
next
[-]
"care" is not a viable metric for prioritising the allocation of a scarce resource.
reply
upvoteby eipi10_hn15 hours ago|
parent|
prev|
[-]
Yes, and people will sit there and sip tea while waiting for "someone"? For how long?
reply
upvoteby bawolff14 hours ago|
parent|
[-]
> Yes, and people will sit there and sip tea while waiting for "someone"? For how long?

Until someone cares enough to do it. This is open source software. When it comes to open source, the golden rule is you either do the things you care about yourself or stfu.

Given the libav fork wasn't all that long ago, it can obviously happen to ffmpeg just as much as it can happen to any other project.

reply
upvoteby krageon8 hours ago|
prev|
[-]
Even before the advent of AI the quality of most reports was depressingly low. Most of your reports will quite simply come from folks in lower-wage countries that broadly don't speak English well and that use a shotgun approach to bug bounties. That means you are receiving a lot of them, they will be hard to read (assuming the information you need is in there at all) and if they get one success out of fifty then for them it is a really good return.

The advent of LLMs has made this a hundred times worse. Both because it makes it easier for most people to create reports that sound good (and so are more effort to dissect) and because people who didn't have to work hard to get any amount of competence are usually more entitled and more rude (the stakes are even lower for them).

It is economically no longer a good idea to run a bug bounty program at all. I honestly question whether or not even having a direct input for such things makes any sense anymore. The volume is becoming so great you need a classical spam filter to plow through it. But that won't work, because they all sound reasonable.

reply