From YouTube: Security WG meeting - June 17 2019
F: Yeah, sure. I mean, I can land the PR without it. I'm just saying that, generally speaking, for actually giving someone a bounty, we said that we need the maintainers to approve that they want to participate in that, yeah. We can land the PR; the tool will render there, but the bug bounty itself is useless. So, do.
C: Can you promote ChALkeR? Yep. Nikita, yeah.
H: Yeah, but imagine a scenario where you report a vulnerability in a version, and then for some other reason they make a release and bump the version number. It might be the case now that your vulnerability no longer applies to that particular version released. It doesn't actually have any sort of security fix, right?
B: But, but I guess, you know, what I'm thinking is: if there's, if there is a security fix going out, we'll know that the versions after that are fixed, right? So, and...
F: Yeah, so, right, so most, most of the time, or the ideal way to try that: during triage we actually pull in the maintainer and they coordinate the fix with us, and then there's no problem. This is only a problem with the upper version in those not-so-ideal cases, because in those cases basically the maintainer didn't respond to anything and we have to just push it out, and at that time it's just gonna be like an asterisk or something saying that it's everything, until it hits them in some way.
H: It basically says, like, if you report a vulnerability to us, in 45 days, regardless of what happens, we're going to make it live. And I think that hackers see that, and that's one of the reasons they do report to us, is because they have an expectation that if there is inactivity from the maintainer, it will go public. And I don't think, historically, we've... I think we've gone the other way and tried to automate policies to not cause waves, which means both make sense.
F: I would say it's like, generally, yeah, unless, like, we get coordinated, like... Ideally, the report should have the maintainer and then a fix; that would, that's like most of the reports, hopefully. But in cases where we can't reach out, we reach them out or, you know, they're not responding, whatever, we have to basically do it without them, then we have to put a star. That's kind of what I'm saying, because otherwise the only version that we know is that of the current date, and if they just didn't respond to us but continued releasing... vulnerability story.
C: Yeah, I agree. So it sounds like the consensus here is that we have, is that we don't... we try not to release until the, you know, the maintainer has had a chance to put out a fix, but if there is no fix available we have to release the vulnerability, and we have to release it with the star. There isn't really any other choice.
H: Things are being placed after initial triage, so the idea is that they save us some work of verifying vulnerabilities, but then they end up in a new queue which we then need to pick up. So I think there's been some chat about... we have 20 of them and we're gonna start working through them, but they've sort of been pooling in a new location.
H: I think that's pretty hidden in the user interface, but they did... when we were doing triage before we had HackerOne's help, they would pool in the initial triage phase, which would affect our numbers that were visible on the public web page about our responsiveness. But now they don't; instead they move into a new category and give us a, a longer chance to deal with them.
F: Yeah, we're still lagging. We have like 22 reports. I took a look yesterday, started working on one, did one of those; I think Marcin also chimed in on one as well, and we need to basically go through them. So.
F: Yeah, I think we can't... I think with the current size that we have it's not that bad. We're a bit behind, but I'm just wondering: maybe we should add more, like, specific key people that have done this before and have some more motivation to do that, because it's also very easy to just start out, but then, you know, just, just shy away from that because of work and other stuff. So I've got something in mind. Let me see if I can put that into, into an issue and share it.
D: That we were waiting for the next updates from the, from the OpenJS Foundation's CPC, me as a CPC being established. I don't really know what the state of the OpenJS CPC is right now. The idea behind this issue is: can we expand the scope of the security working group to the other projects of the OpenJS Foundation?
B: Yes, although the OpenJS Foundation is further along in terms of ramping up: the representatives, the voting representatives have been, you know, elected, and I think that's about where it is. There's been some work to start spinning, spinning up other things, in terms of, like, there's a standards WG, you know, been opened up, and if, if we think that things should be happening at that level, with, really with respect to security, it's probably a good time to open an issue to start that discussion.
D: And you agree, or so... maybe having a framework for security criticism and, and having an agreement from maintainers from all projects to work with us when something is found in the packages; guidelines regarding what the security processes are for all these repos, which could be, could be a good sign of stability to the outside world. Yeah.
H: I met with Drew from r2c, who's mentioned in this issue, in person at a conference, and he said that they have like 20,000 vulnerabilities in the node module ecosystem but nowhere to put them, and I don't know what the quality of them is. I exchanged a few emails with him, because somebody wanted me to follow up.
D: So, yeah, yeah, it's actually... zooming to the peak of the issue, that who would be, so: there are a couple of people who have thousands of things they consider vulnerabilities. They got them mostly through static analysis, analyses, and the thing is they would first need a manual workforce to make sure the data is sane, and it's as disastrous to miss... Serena.
C: So, as far as bulk vulnerability, like just literally bulk vulnerability disclosure goes, the person that... it looks to me like the people stopped responding in the GitHub issue. They're... just, Liran asked me to ask some questions, I asked some questions, there's not really any response, and I guess we're all reluctant to add 20,000 vulnerabilities on packages that haven't been actually verified to be vulnerabilities, right? Like, I don't think we would do that.
F: Sorry, I just want to say it's more than just adding them, even if they were validated, validated; it's more about also inviting the maintainer of each and, you know, coordinating the releases of fixes, etc., which I don't... not... I'm really glad to see what they wanted to churn out of that. But it's probably not something that we can do at the scale of the working group, for now.
C: Right. What more can we say about... so I think that kind of covers the whole, well, what we think about bulk vulnerabilities. With respect specifically to the Buffer vulnerabilities, I opened an issue and a PR also in Node to remove the vulnerable constructor. I didn't really expect it to get anywhere, and it didn't, and there hasn't been a lot of comment.
E: I think that Jack moved my question to the public, but on a second thought... So I wanted to ask everyone to confirm that my analysis of ecosystem usage could be opened up. It doesn't have any vulnerabilities that are convenient, but against at least, oh, Buffer constructor usage that would be related to another... and at least it could help people to the... of the Buffer constructor, and to potentially find packages. This is sorted by downloads per month, and it's measured analysis from 2016 to this year, and...
E: Apart from that, there is a list of npm authors with their total downloads per month, i.e. the total downloads per month which they control. I don't allege that it is sensitive; get it checked, because everything's actually public, it's obtained from the npm registry, basically. So I would post a link, written in chat right now, that people... is now.
E: It was hidden, lying there for some time, and I think that I went through the top modules and took a look at them... well, that was some time ago, so something may have changed, but I don't think that much has changed. But I think they'd open in the top... you know, at this point... so just people could take a look.
F: Yeah, I, I joined that. I think we can do something that is also more helpful, like, before... maybe before we go and, and publish that in a very, you know, open, forward manner, we can maybe send out communication, so a blog post about it, or Twitter, emails, or, you know, whatever we have to reach users, just to draw their attention to this, see.
F: If we can just make people more aware of that and ask them to make the relevant changes, if they need to, in their code bases, or, you know, upgrade to more secure versions of Node for that, and, and then publish it. So this will be at least useful and helpful for some of, for the readers, and, you know, the community in general.
F: No, but, like, specifically, I know there's, like, you can use specific... like, since version eight or something we patched that, so even if you use the, the Buffer constructor like that, the bad one, the bad usage for that, with, with the new code you don't get the, yeah, the uninitialized memory, right? Yeah, so that's definitely there. So basically there are some workarounds that we have. I think they're also documented under, on the website, and I think we just need to get people, like, aware of that.
F: So I would say, like, I'm just trying to say, if it's some external company, you know, doing whatever research and, you know, as a zero-day, they're just gonna go and, and release that; that's one thing. But if we want to do it, like if it's coming from the WG or something like that, I think it would make sense if we maybe try to just communicate it.
F: In an announcement, like just moving at an announcement, official announcement or something; it's gonna go get discovered, or maybe, yes, I don't know, but, but more like just trying to make people aware that they should follow that, and then, and then release it. So it's not coming as a complete surprise to, to anyone, even though that, that, that's anyway the issue, like, a couple of years, yeah.
B: And I think that's a good idea, along with the, like, here's what end-users should do: if you've already moved up to eight, you know, you're, you're okay, right? It's just that we'd like to deprecate, you'd like to deprecate the old ones but can't. So, you know, where this is one thing that's going out to help push in that direction. Right.
E: Those advanced... from 4.5, I think it also is that people could use to... basically... are they from version 4.5? And this release of Node changed the memory allocation so that it is zero-filled, so it closes the memory exposure in Buffer, but it does not close the denial of service... an exception... new... is secure, or introducing user input checks everywhere, which basically just... within your... version.