Exactly. The call-out is not "please stop doing security research". It is, "if you have a lot of money to spend on security research, please spend some of it on discovering the bugs, and some on fixing them (or paying us to fix them), instead of all of it on discovering bugs too fast for us to fix them in time".
Look, I know you're being snarky, but YES. All of the viable open-source video codecs of the past 10 years would not have happened without Google. Not just for technical reasons, but for expensive patent-related legal reasons too.
Given that ffmpeg is an open-source video transcoding tool, I don't think you can easily just dismiss this as "big company abuses open source."
The ffmpeg devs are volunteers or paid to work on specific parts of the tool. That's why they're unimpressed. What Google is doing here is pretty reasonable.
You get lower chances of getting hacked by a random file on the internet. At the Project Zero level they're also not CVE-seeking; it doesn't even matter at that scale, and it's not an independent trying to become known.
I have yet to see one on any project I’ve been attached to that was actually exploitable under real circumstances. But the CVE hunting teams treat them all as if they were.
TFA is about Project Zero getting uppity about an unexploitable non-issue in ffmpeg.
Project Zero hasn't reported any vulnerabilities in any software I maintain. Lots of other security groups have, some well respected as well, but to my knowledge none of these "outside" reports were actual vulnerabilities when analyzed in context.
You are welcome to view the report however you like, but a world where an easily reproducible OOB read and UAF in the default configuration is an "unexploitable non-issue" is not reality.
They could adopt a more flexible policy for FOSS though.