FFmpeg Calls Google's AI Bug Reports "CVE Slop" (itsfoss.com)

🤖 AI Summary
Google’s AI-powered vulnerability scanner (Big Sleep, from Project Zero/DeepMind) flagged a security bug in an FFmpeg module originally written for a 1995 video game, prompting a CVE and an FFmpeg maintainer backlash calling the result “CVE slop.” Under Google’s Reporting Transparency policy the company publicly announces a reported issue within a week and starts a 90‑day disclosure clock regardless of whether a patch exists. FFmpeg volunteers patched the issue but objected to trillion‑dollar corporations running automated scans against volunteer code and effectively forcing maintainers to rush fixes and deal with public CVEs. The episode matters because FFmpeg is core multimedia infrastructure used across Chrome, Firefox, YouTube, VLC and more, yet much of its code is volunteer‑written and often in hard‑to‑audit assembly. Automated tools can surface real bugs quickly, but they also produce noisy findings, potential false positives, and operational burdens when paired with rigid disclosure timelines. The incident highlights a growing tension around AI-driven vulnerability discovery: improved detection versus responsible disclosure, tooling and resourcing for maintainers, and whether corporations should adapt their policies to avoid creating extra risk or overhead for the open‑source projects they depend on.