
The solution is even simpler. The project puts the bug report in its triage backlog. It works through it in its own time, and decides on severity and priority. That's the time-honored method.

The compounding factor here is the automated reporting and disclosure process of Google's Project Zero. GPZ automatically discloses bugs after 90 days. Even if Google does not expect bugs to be fixed within this period, the FFmpeg devs clearly feel pressure.

But it is an open source project, basically a hobby for most devs. Why accept pressure at all? Continue to proceed in the time-honored method. If and when YouTube explodes because of an FFmpeg bug, Google has only itself to blame. They could have done something but decided to freeload.

I really don't see the issue.



Is it legal to disclose security vulnerabilities within such a short period?

It certainly does not seem ethically correct.



