# Dan Kowalski, Platform Engineering Lead at Speckle Video — read of Hardened FFmpeg API, June 13 2026

> 11 years backend, currently wrangling FFmpeg via Node child_process spawns at a 40-person B2B video SaaS. Three kids in youth soccer. Drives a manual Civic. Builds mechanical keyboards when the kids are asleep.

## How I got here

We had a security review last month and the auditor flagged our FFmpeg setup as a liability. No sandboxing, no size limits on user uploads, raw subprocess calls. She sent a spreadsheet of CVEs. I Googled "ffmpeg security api managed service" and this page was on the second results page. I clicked because the domain wasn't ffmpeg.org and I was curious what "managed" meant in this context.

## What I clicked first

The headline pulled me in: "Video processing without the zero-days." That is actually the pain I walked in with. Not "powerful video API" or "fast transcoding at scale." Zero-days. That is exactly the thing my auditor just handed me in a spreadsheet. Then right below it: "All 21 known FFmpeg zero-days fixed and monitored." I stopped there for a second. Someone counted. That felt credible for about 10 seconds.

## Where I paused

The spec table. "Built from the hardened fork, not stock FFmpeg." I know this fork exists. There is actual engineering here if this is real. And "Automatic input validation / No malformed files crash your pipeline" is the exact attack surface I am worried about. So I am nodding along, I am reaching for the pricing tab in my head, and then I scroll and hit:

> "Honest disclosure: we don't have live customers on this idea yet. We shipped the strategy package; you ship the customer conversations."

I had to read that twice. This is not a product. This is a pitch deck for a product that does not exist, being sold to someone who would build it. The whole page was written as if I could get an API key today. The nav says "Get API key." There is a section called "API Integrations." And then buried in the middle: this thing is not live, no one uses it, and the $5 unlocks a strategy doc, not credentials.

## What I distrusted

The bait-and-switch structure of the page. It opens looking like a developer tool I can adopt tomorrow. The nav bar has "Docs / API / Integrations / Pricing." That is the layout of a live product. I did not realize until the scoring section that I was on an idea marketplace and the product is vaporware. That is a real trust problem. If the first line of honest copy is "we don't have live customers," that information should be above the fold.

Also: "1 in 8 Meaningful-success odds (Fermi)" and "$-39,060 Year-1 take-home." That is a loss number. Negative thirty-nine thousand dollars year one. The page is telling me this idea probably fails and loses money, but it costs $99 to buy the starter kit for it. I do not know what to do with that combination.

## What would convince me

If this were a real API product: I would need to see what "hardened fork" actually means in the implementation. Link to the fork repo. Name the CVEs that are patched. Show me a changelog. Tell me which sandboxing mechanism you use (seccomp? gVisor? something else?) and what the failure mode is when the sandbox catches something. One real integration example with a curl command showing actual request and response would do more than all the score tables combined.

If this is an idea marketplace and you are trying to sell me the dossier: show me one person who bought a dossier and built something real. Not a testimonial. A GitHub repo with commits. A ProductHunt post. A tweet thread from the builder. One artifact that proves the strategy package produces builders, not just documents sitting in a Notion folder.

## What I'd ask in an email reply

1. The "Get API key" button in the nav goes where, exactly? Is there a waitlist, a sandbox, a demo environment, or does it just 404?
2. You say "21 known FFmpeg zero-days fixed and monitored." Who is doing the monitoring and on what cadence? When a new CVE drops next month, what is the SLA for patching it?
3. If I buy the $99 adopt tier and the working code starter, what does "working" mean? A Docker container I can run locally and sell API access from, or something I have to finish building myself?

## Verdict: on-the-fence

The pain is real and the positioning is sharper than most security tools I have seen. But I came here looking for a product I could actually use next week, and what I found was an idea for a product that does not exist yet, wrapped in a UI that made me think it was live. That gap is going to kill conversion from anyone who found this page the same way I did.

---
*Memo by skeptic persona, generated 2026-06-13. Studio breaks own self-grading loop.*
