Who Should Fix AI-Discovered Bugs? Google vs. FFmpeg Open-Source Clash
Google’s Project Zero introduced a “Reporting Transparency” policy and used its AI tool Big Sleep to expose bugs in open-source projects such as FFmpeg. The move sparked a heated debate over who is responsible for fixing AI-found vulnerabilities: the powerful corporation that finds them or the unpaid volunteer maintainers who must patch them.
Google’s “Bug Report Transparency” Policy
In July 2025 Google Project Zero announced a “Reporting Transparency” policy, promising to publish a public notice within a week of discovering a bug, including the affected project, timeline, and a 90‑day fix window, even if the bug remains unfixed.
Big Sleep Scans Open‑Source Projects
Google’s AI security engine Big Sleep, built by DeepMind, began scanning major open‑source projects. In August 2025 it reported about 20 bugs, including several in the multimedia framework FFmpeg, which is widely used in browsers, operating systems, and media applications.
Although most of the reported bugs were rated low or medium severity, the “transparent disclosure” put FFmpeg’s maintainers on a public clock: rapid fixes were expected, yet Google supplied no patches.
FFmpeg’s Reaction
FFmpeg developers expressed frustration on X (formerly Twitter), accusing Google of “throwing bugs at open‑source projects without offering fixes,” effectively shifting the repair burden onto unpaid volunteers.
Community Perspectives
Security researchers supporting Google argue that the responsibility lies with the project maintainers and that early disclosure helps prevent exploitation. Open‑source advocates counter that merely reporting bugs without patches is meaningless and places undue pressure on volunteers.
Broader Implications
The dispute echoes previous tensions, such as libxml2’s complaints and the 2024 XZ Utils supply‑chain incident, highlighting the fragility of critical internet infrastructure that often relies on a handful of volunteers.
The ongoing debate raises the question of who should ultimately fix AI‑discovered vulnerabilities: the powerful corporations that find them or the under‑resourced open‑source maintainers who must patch them.