TLDR: depthfirst’s production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, after intensive security analysis by Google and Anthropic. Moving beyond theoretical analysis, our agent produces concrete, reproducible PoC inputs to confirm its findings at a fraction of the costs ($1k vs. $10k). Several of the findings had been sitting latent for 15 to 20 years. We explored the exploitability of the issues and developed a PoC demonstrating a RCE exploit primitive.
Back in my day, zero-day meant exploited in the wild first, described publicly later. Or a disclosure without involving the target with an exploit attached.
I guess they must’ve published this without notifying ffmpeg first?
So you think they either actively exploited ffmpeg or sold an exploit?
dunno, I didn’t open the article because the title claims they did and I don’t want to encourage that sort of behavior with engagement 😜