Google uses AI to report security vulnerability.
They order a fix and they plan to release the vulnerability after 90 days.

FFmpeg is an open source project though. The project owes nothing to Google, and Google has no right to impose anything on the project. The company can largely finance or submit fixes.