Open Source Community Maintenance
Exposing bugs to the whole internet: Google pushes FFmpeg maintainers to "fix on schedule" and gets an angry reply: don't just use AI to find bugs, fix them yourself if you can!
程序员的那些事· 2025-11-09 05:10
Core Viewpoint
- The article discusses the conflict between Google Project Zero and the open-source multimedia framework FFmpeg over who is responsible for fixing bugs discovered by AI tools, and asks whether it is reasonable to rely on unpaid volunteer maintainers for the security of critical software [1][17].

Group 1: Triggering Event
- In July 2025, Google Project Zero announced a new "Reporting Transparency" policy: within one week of reporting a bug to a vendor, Project Zero publicly announces that a report exists (the vendor, the affected product and the report date), even if the bug is not yet fixed; the standard 90-day deadline for vendors to ship a fix is unchanged [3][5].
- The stated goal is to shrink the "upstream patch gap", the period during which a fix exists upstream but has not yet been distributed to end users. The bugs at issue in this dispute were found by Big Sleep, Google's AI-based vulnerability discovery tool [3][5].

Group 2: Bug Discovery and Response
- In August 2025, Big Sleep identified roughly 20 bugs in major open-source projects, including FFmpeg, which is embedded in browsers and in many media applications [5][6].
- Although most of the bugs were rated low or medium severity, the public announcement of the reports put the FFmpeg maintainers under pressure to fix them quickly, while Google supplied reports but no patches [6][7].

Group 3: FFmpeg's Reaction
- FFmpeg developers vented their frustration on social media, arguing that Google's approach piles pressure on volunteers to fix bugs without offering support or proposed fixes [8][12].
- They described the situation as a form of "corporate coercion": a wealthy company uses AI to find vulnerabilities and then shifts the cost of fixing them onto unpaid volunteers [8][12].

Group 4: Diverging Perspectives
- The security-research camp, siding with Google, argues that FFmpeg is a critical piece of internet infrastructure, that its maintainers therefore have an obligation to fix reported vulnerabilities, and that the responsibility for fixes lies with the project [9][10].
- The open-source camp, siding with FFmpeg, contends that Google should contribute patches alongside its bug reports, and stresses the strain that a stream of reports places on volunteer developers [12][13].

Group 5: Historical Context
- The conflict is not unprecedented; other open-source maintainers have voiced similar frustrations, among them Nick Wellnhofer of libxml2, who described the pressure that Project Zero reports put on a single-maintainer project [16].
- The article also recalls the XZ Utils incident, in which dependence on a few overstretched volunteers opened the door to a serious supply-chain compromise, as an illustration of how fragile the open-source ecosystem is [16][18].

Group 6: Broader Implications
- The debate highlights how much of the internet's foundational infrastructure rests on a small number of volunteers, and raises questions about the sustainability and security of that arrangement as AI tools increase the volume of bug reports [17][18].