A genius built the backbone of video—then vanished - Part 2
Inside FFmpeg: funding, fragility, and the dozen people keeping the internet alive.
In Part 1, we explored how Fabrice Bellard created FFmpeg in 2000, walked away in 2004, and left it in Michael Niedermayer's hands, who then survived a civil war that nearly tore the project apart.
We saw how YouTube, Netflix, Instagram, and TikTok built their empires on FFmpeg's foundation.
Billions of encodes per day and trillions of bytes compressed.
But those are just the companies you know about.
In reality, FFmpeg runs everywhere.
And the deeper you look, the more absurd the dependency becomes and the more obvious the question nobody's asking: Who's actually paying for this?
WWW
Aside from the World Wide Web, FFmpeg also runs in the wild weird world.
Millions of Ring doorbells, Nest cameras, and no-name Chinese surveillance devices use FFmpeg to compress feeds before uploading to the cloud. That’s how your doorbell can send you a notification with a video clip seconds after detecting motion without melting your home Wi-Fi.
Your doctor is reviewing your colonoscopy footage through FFmpeg.
The Mars Ingenuity helicopter (first aircraft to achieve powered flight on another planet) records video of its flights through the Martian atmosphere and then compresses it using FFmpeg.
FFmpeg is completely without bias.
It doesn’t care if you’re encoding The Mandalorian, surveillance footage of ISIS propaganda or a reel of a dachshund on a skateboard.
TRILLION-DOLLAR PARADOX
Video streaming market size (2025): $416.8 billion
Social media market size: $250+ billion
Cloud gaming: $5+ billion
Security/surveillance: $60+ billion
Generative AI (which uses FFmpeg for training data preprocessing): $100+ billion
Conservative estimate of industries that critically depend on FFmpeg: $800+ billion in annual revenue.
But until recently, FFmpeg’s funding was essentially zero.
For over two decades, volunteers maintained the software underpinning a near-trillion-dollar industry for free. They debugged issues while working day jobs and optimized codecs on weekends. They wrote documentation in their spare time and fixed security vulnerabilities that, if exploited, could take down YouTube.
Things changed in 2024.
The German-backed Sovereign Tech Fund invested €157,580 (approx. $170,000) into FFmpeg in 2024, followed by a $100,000 donation from the Indian fintech company Zerodha in 2025.
These investments might seem serviceable but let’s look closer.
YouTube generated $31.5 billion in revenue in 2023. Netflix pulled in $33.7 billion. Meta, $134.9 billion. In fact, Netflix’s CEOs, Reed Hastings and Ted Sarandos, made a combined $101 million in 2022 alone.
A single YouTube outage costs Google $5 million per hour.
To put that into context, that single hour costs nearly 30 times more than the entire donation the German government made to keep FFmpeg running.
THE DAY JOB
Here’s what happens when the software running half the internet is maintained by volunteers who can’t afford to quit their day jobs.
Every time you upload a video to YouTube or TikTok, you’re handing FFmpeg a mystery box from a stranger and saying “open this.”
Video files are Trojan horses that can contain very complex data in the most trivial of content.
Like this one:
For hackers, this is Christmas morning.
Consider one attack that actually worked. A hacker crafts a poisoned playlist file. The server running FFmpeg receives it and dutifully tries to transcode it: reading the password file, encoding it into a video, and outputting it like any other job. The hacker hits play and watches your server’s password file scroll across the screen like end credits.
This happened multiple times, at real companies.
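The playlist trick works because FFmpeg probes a file's contents to decide how to read it, so a text playlist can arrive under a video file name. As an added example (not code from this article or from FFmpeg), here is one pre-transcode check an upload service could run; the function names, the HTTPS-only policy and the sample bytes are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the service only accepts segments served over HTTPS.
ALLOWED_SCHEMES = {"https"}
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URIs carried inside tags such as #EXT-X-KEY

def playlist_references(data):
    """Return every URI an HLS playlist points at, or None if data is not a playlist."""
    text = data[:1 << 20].decode("utf-8", errors="replace").lstrip("\ufeff")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#EXTM3U"):
        return None
    refs = []
    for ln in lines[1:]:
        if ln.startswith("#"):
            refs.extend(URI_ATTR.findall(ln))
        else:
            refs.append(ln)  # a bare line is a segment or nested-playlist URI
    return refs

def check_upload(filename, data):
    """Return the reasons to reject an upload before the transcoder opens it."""
    refs = playlist_references(data)
    if refs is None:
        return []  # not playlist text; other validation still applies
    findings = []
    if not filename.lower().endswith((".m3u8", ".m3u")):
        findings.append("playlist content under a non-playlist extension")
    for ref in refs:
        try:
            scheme = urlsplit(ref).scheme.lower()
        except ValueError:
            scheme = ""  # unparseable reference: treat as disallowed
        # No scheme means a relative or absolute path, which resolves on local disk.
        if scheme not in ALLOWED_SCHEMES:
            findings.append(f"disallowed reference: {ref!r}")
    return findings

# Constructed samples (not taken from any real incident).
DISGUISED = (b'#EXTM3U\n#EXT-X-KEY:METHOD=AES-128,URI="/srv/app/key.bin"\n'
             b"#EXTINF:10.0,\nfile:///srv/app/secret.txt\n#EXT-X-ENDLIST\n")
REMOTE_OK = b"#EXTM3U\n#EXTINF:6.0,\nhttps://cdn.example.com/seg0.ts\n#EXT-X-ENDLIST\n"
REAL_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in [("holiday.mp4", DISGUISED), ("stream.m3u8", REMOTE_OK),
                       ("clip.mp4", REAL_MP4)]:
        print(name, check_upload(name, blob))
```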
FFmpeg is written in C, a high-performance language from 1972 that is blindingly fast but lacks modern memory safety. A single malicious byte in a video file can trigger a memory error that hands an attacker full control of the system processing it.
Google even now runs a project that bombards FFmpeg with millions of corrupted files specifically to find these vulnerabilities before hackers do, which says something about how seriously the industry takes the risk.
Trillion-dollar companies depending on FFmpeg would rather spend millions cleaning up the explosion than a single dime to prevent it.
THROWN UNDER THE BUS FACTOR
Imagine you’re a software developer working a day job but in your spare time, you maintain a critical component of FFmpeg because you care about open-source.
Then the emails start:
“FFmpeg crashed on my video. help?”
“I need XYZ feature for my startup. When will you add it?”
“This is broken. You guys don’t know what you’re doing.”
“Help me torrent movies.”
These messages come at 3 AM or on weekends. During your vacay or a wedding. From people who have never contributed a single line of code or a single dollar.
You step back from the project and stop responding.
And the “bus factor” drops by one.
The bus factor is a morbid but brilliant metric that boils down to this:
How many people need to get hit by a bus before this project dies?
It’s a real calculation software projects use to measure fragility: if only one person understands the authentication system, then the bus factor is one. If three people do, then the bus factor is three.
For FFmpeg, the bus factor is maybe twelve.
A dozen people around the world have deep enough knowledge to maintain the core codebase, and most are volunteers. A few are employed by companies that depend on FFmpeg, which at least allow them to contribute during work hours.
THE LAST COMMIT
What happens the day the last maintainer walks away?
ZERO DAY SCENARIO
Day 1-30: The Illusion of Stability
Nothing. YouTube and Netflix will still stream. So will Instagram. The code is already compiled and running on billions of servers worldwide so FFmpeg doesn’t need its creators online to function.
But this is the dangerous part because everything looks fine.
Month 1-6: The Security Rot Begins
A hacker discovers a buffer overflow in FFmpeg’s handling of a new HDR video profile and it’s exploitable. They upload a poisoned video file to YouTube, and now they can execute code on Google’s servers. One of the core maintainers would have written a patch for this within days.
Google, Facebook and Netflix’s engineers try to patch it themselves with each company creating their own fix, but without FFmpeg know-how, the patches are near-useless.
And there’s no guarantee the patch won’t just break something else.
The internet now has dozens of partially-broken versions of FFmpeg running in production.
Year 1-2: The Codec Wall
A new video standard launches, called VVC (Versatile Video Coding) or AV2 and it’s 40% more efficient than the current standard, which means streaming companies can save billions in bandwidth costs.
But FFmpeg doesn’t support it and there’s no one left who can add it.
The new iPhone 18 starts recording in the new format by default and suddenly, half the internet can’t process videos shot on these new phones.
Companies try to hire engineers to add codec support. They try Silicon Valley first, offering $500K+ salaries for anyone with deep video codec experience. Then they try the tiny pool of university researchers who somehow specialize in video compression.
But FFmpeg’s codebase is millions of lines of C written over 25 years, so the new hires spend months just trying to understand how a single decoder works.
Meanwhile, security vulnerabilities are piling up.
Year 3+: The Fragmentation
Every major tech company now maintains their own fork of FFmpeg. Google’s version is incompatible with Meta’s. Amazon’s breaks differently than Microsoft’s.
Indie developers and small companies, who can’t afford dedicated video engineering teams, are stuck with the now-ancient FFmpeg codebase riddled with security holes.
In essence, if the dozen core FFmpeg maintainers quit tomorrow, the internet wouldn’t go dark instantly, but it would enter a state of irreversible decay.
And there’s no backup plan.
At this point you might be asking: can’t AI just do this?
Feed the codebase to an LLM, point it at the bug, let it patch. It’s a fair question. AI coding tools can handle isolated, well-defined bugs well enough. Give it a buffer overflow with clear context and it’ll write you a plausible fix.
But FFmpeg is 25 years of deeply optimized C held together by tribal knowledge that was never written down. Fixing one decoder without breaking six others requires understanding how everything connects, which is the kind of systems intuition that comes from years of actually working inside a codebase.
A patch that passes every test can still silently corrupt video in edge cases that only surface months later in production.
So yes, AI buys time. But it doesn’t replace the dozen people who actually understand what’s running under the hood.
IN SLOW SUCCESSION
Fabrice Bellard is 52 and has been absent from the codebase for two decades. Michael Niedermayer is still Chief Architect but technically stepped down in 2015. He cannot stay forever so who’s training the next generation?
Maintenance isn’t sexy, especially in a world obsessed with AI gold rushes and billion-dollar startups. Few developers want to spend their lives in a 25-year-old C codebase.
But with the $270,000 in funding they received in 2024/25, maybe things are changing.
A new generation has emerged from the trial by fire of the project’s mailing lists. I spoke with two of them who helped me with research for this post.
JEAN-BAPTISTE KEMPF
President of VideoLAN, the org behind VLC. He famously turned down tens of millions of dollars to keep VLC ad-free. He’s also FFmpeg’s chief diplomat, and helped secure the project’s first government funding from Germany’s Sovereign Tech Fund.
TOMAS HÄRDIN
Swedish FFmpeg maintainer by day and propmaster on indie films by night. Tomas keeps the MXF and LXF codebases running, which, if you’ve ever exported a file from a pro camera or editing suite, means he’s kept your workflow running too. Based in Umeå, a small university circle just below Arctic Sweden.
CHAOS BEFORE THE STORM
The next decade will test FFmpeg like never before.
AV1, the next-generation codec from Google, Netflix, and Apple, offers 30% better compression than H.265 but fully optimizing it requires thousands of hours of work.
AI video tools like Sora (RIP) and Runway have flooded the web with massive uncompressed files that all need transcoding. 8K video contains four times the pixels of 4K; VR requires dual 4K+ streams at 90fps; 360-degree video captures entire spheres.
Eddie AI uses FFmpeg to swiftly create manageable proxies from terabytes of multi-camera footage and start editing within minutes or even seconds.
The load is increasing exponentially as we enter an unprecedented era of video.
But for the first time in FFmpeg’s 25-year history, so has the recognition.
The work that was invisible for so long is slowly being treated as the critical infrastructure it always was.
This piece took nearly a year to research and write: tracking down maintainers in Arctic Sweden, decoding mailing list archives, and understanding 25 years of video compression history.