Comment by woodruffw

9 hours ago

Is this an oblique reference to OSS Fuzz, or something else?

It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.

The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.