
This is all true (maybe not the extortion being worse, hard to say), but it doesn't change the fact that publishing the CVE is a demand to fix it.




No, it is a notice to others that your software as-is is insecure in some way. The pre-notice is again a courtesy if you want to fix it.

What you do with the notice as a dev is up to you, but responsible ones would fix it without throwing a tantrum.

Devs need to stop thinking of themselves as the main character and things get a lot more reasonable.


No, it is a request to fix it. How the maintainer feels about it is up to them.

A request to fix it would be privately telling the maintainers about the issue. Publicly releasing it is a demand.

This is not how filing issues against open source software works.

You don't get to decide that lmao. Telling everyone this project doesn't care about security if they ignore my CVE is obviously a demand, and your traditions cannot change that.

> Telling everyone this project doesn't care about security

Google did nothing like this.

If people infer that a hypothetical project doesn't care about security because they didn't fix anything, then they're right. It's not Google's fault they're factually bad at security. Making someone look bad is not always a bad action.

Drawing attention to that decision by publicly reporting a bug is not a demand for what the decision will be. I could imagine malicious attention-getting but a bug report isn't it.


Bullshit. That is exactly what Google is doing. Demands aren't necessarily malicious, but they're certainly annoying for the person being demanded.

If merely publishing a bug they found, and doing nothing else, would qualify by your definition as "telling everyone this project doesn't care about security", then there is absolutely nothing wrong with doing that "telling".

If the FFmpeg team does not want people to file bug reports, then they should close their public issue tracker. This is not something that I decided but a choice that they made.

CVE != vulnerability

These two terms are not interchangeable.

Most vulnerabilities never have CVEs issued.



