FFmpeg criticizes Google for using AI to report large numbers of bugs, saying it is 'pushing work onto volunteers' and 'just wants to create a track record of detection and reporting'

Google has used its AI-based vulnerability detection system, Big Sleep, to find large numbers of vulnerabilities and bugs. However, the sheer volume of reports has become a significant burden on open source projects, and talented developers have left their projects because triaging the reports left them no time for other work. The multimedia framework FFmpeg has criticized Google, saying, 'Companies with highly paid engineers are pushing the work onto volunteers,' 'If Google really wants to prevent risk, they should write and submit patches,' and 'They're not really interested in fixing bugs; they just want to build a track record of detecting and reporting them.'
FFmpeg to Google: Fund Us or Stop Sending Bugs - The New Stack
https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/
The following is a bug discovered by Big Sleep in August 2025: 'A carefully crafted animation using Subversion allows FFmpeg to write to memory after it has been freed (a use-after-free write) when decoding SANM files.'
Medium impact issue in ffmpeg: use-after-free write in SANM process_ftch [440183164] - Issue Tracker
https://issuetracker.google.com/issues/440183164
FFmpeg's goal is to play every video file ever created, so it fixed the bug. However, the SANM file format was a video format used by LucasArts, a video game studio active from 1982 to 2013, and the resulting patch affected only the decoding of the first 10-20 frames of the 1995 game Rebel Assault 2.
Patch to fix an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.
— FFmpeg (@FFmpeg) October 30, 2025
FFmpeg aims to play every video file ever made. pic.twitter.com/9WryDgDpER
FFmpeg said it takes security issues very seriously, but questioned whether it's fair for a multi-trillion dollar company to use AI to dig up security issues in a hobbyist's code and then ask volunteers to fix them.
Here's an example of Google's AI reporting security vulnerabilities in this codec: https://t.co/CvGemnoUk9
— FFmpeg (@FFmpeg) October 31, 2025
We take security very seriously but at the same time is it really fair that trillion dollar corporations run AI to find security issues on people's hobby code? Then expect… https://t.co/RxOeoVphN0
The background to FFmpeg's posts is that some of the most talented developers in open source have left their projects. Nick Wellnhofer, a maintainer of the XML library libxml2 who was described as 'one of the most talented engineers,' left the project because he was overwhelmed by the large number of bugs reported by Google and other organizations.
Arguably the most brilliant engineer in FFmpeg left because of this. He reverse engineered dozens of codecs by hand as a volunteer.
— FFmpeg (@FFmpeg) October 16, 2025
Then security 'researchers' and corporate employees came along repeatedly insisted 'critical' security issues were fixed immediately waving their… https://t.co/H1g5poCucF
'I spend several hours each week addressing security issues reported by third parties. While not particularly important, it's a lot of work and is unsustainable in the long term for unpaid volunteers like me,' Wellnhofer wrote on the libxml2 GitLab page. 'Making demands on open source software maintainers without compensation is harmful in the long term.' 'It's even more unlikely that I'll return to being a maintainer of a project I resigned from, especially when Google Project Zero, the best white-hat security researchers money can buy, are strangling volunteers.' Google Project Zero is a Google security research team that specializes in finding zero-day vulnerabilities, flaws that can be exploited in the gap between when a vulnerability is discovered and when a patch is applied.
Triaging security issues reported by third parties (#913) · Issue · GNOME/libxml2
https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
In a conversation with security expert Robert Graham, FFmpeg said, 'If Google was serious about protecting against hackers, they would send us patches or provide funding. The reality is, Google just wants to collect CVE badges.'
If Google was interested in actually improving the situation against hackers, they'd send or fund patches.
— FFmpeg (@FFmpeg) November 3, 2025
In reality they want to collect CVE scout badges.
While Graham acknowledges FFmpeg's argument, he points out that 'it's not Google's fault that vulnerabilities exist; they simply find them before hackers do, and that's a reality we need to face.'
This is the core tweet of the Google-vs-FFmpeg debate.
— Robert Graham (@ErrataRob) November 3, 2025
FFmpeg is justifiably upset, Google is swamping it with vulns that the FFmpeg project doesn't have the resources to fix. This is especially a big deal since such projects struggle to attract necessary talent in writing… https://t.co/MymvBzJOTu
The debate is spreading, making it difficult to see the overall picture, but a certain number of developers support FFmpeg's position. Alexey Lyakhov, the developer and maintainer of "react-google-maps/api", said, "It is downloaded almost 1 million times every week and used in hundreds of thousands of projects, but although Google has requested consulting twice, they have never provided any support to me personally. If Google continues to take this attitude toward the open source community, we will consider either relicensing the package under a commercial license or removing the package completely and cutting ties with Google."
I'm an author and maintainer of react-google-maps/api package which is used my hundreds of thousands of projects and almost a million downloads weekly.
— Alexey Lyakhov (@justfly1984) November 4, 2025
Google has contacted me 2 times for consulting, but never even once has supported me personally.
If Google going to continue…
In July 2025, Google Project Zero began testing a new reporting transparency policy that requires developers to report vulnerabilities within one week of discovery and disclose them within 90 days, regardless of whether a patch is available. This puts a significant burden on developers.
The New Stack acknowledged that experts believe security issues should be brought to light, but pointed out that open source projects lack the necessary resources and funding to address them. For example, libxml2, which Wellnhofer announced would no longer be maintained by the end of December 2025, is an essential library for all web browsers, web servers, LibreOffice, and many Linux packages. The New Stack argued that support is needed before a serious security breach occurs.