@sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.

Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos that use ffmpeg in their products, right?

@lanodan @sjvn
Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....

Maybe they could create an issue on their issue tracker with the details of the vuln, and info why it's not a priority and that they lack resources to fix it.

Then send all the angry corpos a link to that issue, and disable notifications.

@lanodan @sjvn
I see three possible outcomes:
- the corpos eventually make a patch
- the corpos fork ffmpeg
- the corpos remove ffmpeg from all of their products

I don't think any of those would be tragic, though getting there might be painful :/