From YouTube: 2016-12-22 Node js Security Group Meeting

Sam, my name is Sam Roberts, I work for StrongLoop, bought by IBM, and I work on Node, and I'm kind of focused on TLS and crypto. Right now...

... still being formed, the security working group. Well, things on the agenda, two very specific things: we have the Node Security Project coming into the foundation, so we kind of need to figure out where that sits in relation to, well, what this working group is going to be doing and how they relate to one another. And then closely adjacent to that is the question of what exactly is this working group and what is its scope going to be. I know there have been a number of conversations on that, but why don't we start, Mikeal?

Thanks. Well, yeah, I mean, so we have an agreement with Lift Security for them to hand over the data and a couple of their resources. We're still working on that actual, like, signed agreement, so that's not quite completed yet, but we have kind of, you know, gotten a board approval that this is something that we want to do. Essentially, all that means is that the place for reporting vulnerabilities in the ecosystem can move to something run by the foundation. That's essentially what that means.

That's the only, like, you know, kind of top-level decision that's really been made. The exact process for this hasn't been called out yet. We've discussed some of the limitations of the process, right. So, for instance, we want to have one place that people report to, right, like just for simplicity's sake.

It's really kind of up to this group, along with, you know, the core security group, to really figure out what the best processes are for vetting vulnerabilities, for getting people to disclose vulnerabilities, and also for publishing the data around those vulnerabilities, and we expect that to be kind of an ongoing discussion.

There's been no view, in terms of, as far as the board is concerned, about whether this is a separate top-level project, or is it, you know, something that falls under the TSC's purview? Is it something that, you know, the TSC needs to work with the Node Security Project to figure out how it fits? And what kind of process has been envisioned at the foundation board level?

At the board level, none. So none of that has really been thought about at the board level or recommended formally; they're sort of going to lean on this group and the core project to figure out what the best thing to do there is. I will say, though, we have a security group in core that core has delegated some responsibility to. We don't have the ability to take that responsibility away from them without their consent. So...

If, you know, this group wanted to, like, you know, take on something that the core security group was handling, that would need to be a conversation with them as well. So I think there does need to be a line, a distinction there. You know, honestly, that security group is gonna, you know, work well with this group; there's no kind of hostility there,

or anything like that. And at the end of the day, we really do want to have a separate group of people that are vetting core vulnerabilities, because it's a really particular skill set that we probably want to distinguish, right, but yeah.

The only kind of process-level thing, I think, you know, in sort of informal conversation that we've had, I think me and Rod and a few other people just talking, like, our recommendation would be that we do a top-level working group to start, something that directly reports to the TSC, because we really, like, the focus of this shouldn't be on core.

The focus of this should be on the ecosystem stuff, and so the best place for that to happen would be directly at the TSC level and not ripped out of the TSC, but I wouldn't jump to a lot of unnecessary structure like a top-level project until you need it. So, starting with a working group, you can do something much more informal.

You can have, you know, much fewer people, and then as the group grows, and maybe you want to break out subgroups and stuff like that, then you're going to want a project. And so you just want to add structure as you need it, rather than trying to pre-plan the structure. But that's just my...

This is where I kind of disagree with you, and only because there's an existing project out there that's being brought in, the Node Security Project, and there's data and the API and tangible IP that's around it, and so that is a project on its own. Now, so I mean it's not like it's being created from the ground up; it already exists, and so, given the present facilities that are available to it, for us to use and leverage a top-level project makes sense.

So, I just want to, that may be accurate, I just want to walk back a couple things. So we're getting a set of data, but we're not getting, like, all of the people and process that was vetting that data; we're not taking on that part of the project.

Certainly because those were, like, paid employees of Lift Security for a long time, and we obviously aren't just going to get... I think that some of those people will end up being involved, but ultimately this is a new group, a new community and a new process for dealing with this, so this group is going to have to come up with that. I wouldn't get too caught up in the fact that you're sort of taking something that already existed.

Even though there is some data to start with there, it's very similar, like, I don't know, I would classify it closer to something like when we took in nan, or when we took in, you know, readable-stream, and like these are, you know, sub-repositories that have some code in them. But ultimately we found that working groups were the best way to facilitate that, and of course they have code and they have process inside of those working groups.

There's nothing stopping a working group from having a process similar to a TLP, I think. The only reason you would want a TLP is if you immediately want to spin off multiple working groups, and I don't see that case yet, right? Like, do you want some already? Is there, like, so many people and so much work that you're looking at, that you want to create a subgroup? Or do you,

are you just worried and you want the ability to create subgroups really quickly, and that's why you want a TLP? Because that would be reasonable too. But if you don't want that, there's really no difference between a working group and a TLP.

Well, I think the difference for me is that nan is just code and a fairly small thing, whereas the data and the API and the vetting, I mean, there's already a bunch of individual pieces to the Node Security Project. And I really don't have a big dog in the fight here at all, so I'm just looking at it abstractly from what I see out there and what I see being the pieces of the puzzle. That's all.

Essentially, a vulnerability database for projects that fall under the foundation, including core, as well as for the ecosystem, right; maintaining that database of vulnerabilities and making that available to others. And then secondary to that, or as part of that, is defining the policies and procedures for handling those vulnerabilities, dealing with disclosures, figuring out, you know, what the reporting of those things will be, and then from there promoting improvement of security practices across the ecosystem, both within core and within the ecosystem.

Can I also say that I think it would be useful to actually have a process for, one, interacting with people that actually report things, like have it in addition to, like, an actual process and actual policies for doing this. So I think that alone seems to me like a bit of work, and, like, whatever you said, I completely agree with; I think all those things are actually interesting in industry these days.

Yeah, I wouldn't underestimate the amount of, like, process that's going to need to be written. Like, a lot of security work is literally just creating the process, you know, running that process by different people, adhering to it. Like, yeah, I mean, dealing with disclosures, it's difficult.

I mean, I'm not as worried about it. So we've had a couple of these kinds of things come up in the past, and they usually end up being subsets of what we're already doing. Like, you know, they're really targeting this at projects that are incredibly bad at this kind of stuff. Like, this came up when we did the badging program with CII, which is, like, they literally had in there, like, your source repository should be public.

Okay, you know, they're clearly targeting, like, a selection of the open source software ecosystems, but it's, like, really really bad, just general kind of project stuff. But yeah, we should definitely look at the ISO standard and make sure that we comply with it, but I think that at the end of the day we'll end up with a superset, yeah.

So, and now in terms of the vulnerability database, Rod has mentioned before that, you know, this may just be kind of a front end to creating CVEs, right? When one of them comes in, we just, you know, this group is part of the process, we just open CVEs on behalf of the various projects that are involved and use that mechanism and that process. I'm wondering...

No, like, you know, I think there's a couple other things that we need to worry about. So, for instance, we really want this data to map well on top of npm. So there's just metadata that we need to make sure that we capture, so that people can build tooling on top of packages, on top of npm, that exposes that.

So there's a database dump, but there's also tooling to interface with that data. Once, well, they're not giving it, it's just been open-sourced. So it's like we can really, I mean, the thing about the database is that it's actually currently not open-source licensed. It's not openly licensed; like, you have to license it from Lift Security. So we're getting that and then we're going to license it openly. But you...

Okay. Now, is there any kind of timeline for when they're going to make that contribution, where we could actually get access to the code, any code, or the databases?

I can get with them in January. Obviously a lot of the stuff is on hold at the end of December, as everybody just kind of takes off, but we need to finish up the last of the legal work and then they should be able to hand it over pretty easily. We can also probably get a data dump from them before all the paperwork is done. We just won't technically have it yet, but that'll unblock us at the very least.

Yes, yes, but before we publish the data we need to get the licensing locked down, right. Also, and this is just kind of a side conversation, but there's a lot of work going on right now to figure out how to openly license data. There's actually not very good licensing for data specifically, but we'll probably end up doing a public one in the short term and then changing licenses.

So I think a significant part of this work, then, is, you know, obviously, once we get the data, if they're not providing the code or actually making it available, actually hosting the data, then we're going to have to have a project to figure out, well, you know, how are we hosting the data, right?

That can be a little bit hard for programmatic access, I think, yeah, but it's really easy to write something that pulls the data out of there and puts it into any database, right. Like, we don't want to make the choice of that database ahead of time. Like, I mean, I can write a tool in a minute that will stick it into CouchDB, quick. That's easy!

Right, well, I think so. If we write some kind of tool that, you know, publishes a JSON file to, like, our normal kind of downloads page that's all cached and CDN'd and whatnot, we can write that tool. But in terms of just managing the data and, like, having contributors editing the data, that should just go into GitHub, right. We don't want to have to recreate a bunch of process and tooling and getting different people accounts to try to manipulate a database.

I think that will evolve over time. I will say that I think that on this issue some of the project people, and even maybe the board, will have a little bit of an opinion, in that we should have a similar relationship to this that we do to tracing and debugging, where we try to do everything that we can at the most base layer to enable an ecosystem.

So if we need to build more tooling and better things for people to then be able to go add value as vendors, that's fine, but we don't want to, you know, go off and write our own really high-level debugging utilities that sort of stamp out a bunch of the ecosystem and competition, right. I think that what we have in the debugging tools is really good.

I mean, we can probably start with the process for core, right, and just go from there.

Can I, so, me and Fraser went ahead and tried to disclose a few core vulnerabilities, or what we think are vulnerabilities, and I think one of the things that needs to happen is it's not just "this is the process". It's like, I think somebody, probably in the description, somebody needs to actually specify what is the attacker model and what is considered to be a security bug, as opposed to just a bug. And I think, like, 11 actually does this, like...

So I didn't know, like, if I was talking to a representative of whatever committee, but actually making that super clear up front to people that are trying to report would be really useful, I think, and like whatever process they should go through. I think, right, like erring on the side of "this might have security implications" is to me always better than not, but like, right, having all the stuff be clear is super important.

Yeah, I mean, also, like, that's all a really good point and we should really look into that. All I'll say is that we may, in fact, I think it's likely that we'll be one of the first projects dealing with this at this level, and that there won't be a lot of strong...

Unfortunately, I don't know of another language that takes responsibility for the security of its ecosystem like this. I don't know of another open source project that even has as good of a policy as we have in core, and what we're talking about now is actually a much...

... policy and a lot of really good stuff about kind of the one-to-one communication. I bet that there are corporations that have really good policies around this that are totally closed, and there are companies that take responsibility for the security of their ecosystem, like in .NET, at the same degree, but we don't have access to those policies.

And for me, the hardest problem in all of dealing with vulnerabilities for the ecosystem means that there is the true possibility that the author of a package with a known vulnerability disappears or doesn't want to fix the vulnerability. And this is where, this is the major difference between what core is currently doing and what...

Yeah, so let me just ask. Like, we've actually identified some pretty clear-cut areas of work that need to happen. Is it people's opinion right now that, like, there are areas that they definitely will, or won't, be involved in, and that it's already broken up to that point? I mean, there's actually a surprising number of people already in this call and involved, so I'm just asking. Like, I mean, I know that I was pushing for no unnecessary structure.

There are a bunch of things that have come up in this call, but they're not super clear. It's hard to put your name right beside one thing; one thing starts to merge into the vulnerability reporting thing, which starts to merge into the threat model, so it's not clear where one starts and one ends.

Yeah, it's just, I think I'd just take a week or two to digest. I think there is a good idea, maybe have another call early January, see if by that time we can have a concrete list of the specific work areas and then get people to put their names next to which ones they want to work on.

I think, so I guess, like, the one thing that maybe it was already clear, but I think the dichotomy is already there, which is one is core and one is the ecosystem. I think within each there's plenty to do, and I think that they should be related, because it's like, I actually think it's really nice to actually try to do both. Like, I think, since nobody's actually trying, like no other language is trying to do this.

This is actually pretty cool and unique, but nevertheless, I think one can probably be done way faster and easier than the other, right, so the policies and tooling for dealing with core, they could probably be used for the rest, the ecosystem, but there's other hard things to deal with when the ecosystem comes, like actually contacting authors and dealing with licensing, all those other things.

Now, the one thing I have not heard, and I just want to clarify to make sure everyone's on the same page on it: this project is not going to be getting into the business of going out and actively searching for vulnerabilities and doing scanning and then developing the patches for remediating issues, right? We're still leaving those to the individual corporate players that are already in the market. Well...

It depends. So if somebody approaches us and says, like, hey, we have this, like the fuzz testing thing that Google has, right, if somebody has something like that and they're like, we need to be able to work with the community to disclose these vulnerabilities to, we would be open, I think that we should be open, to working with them. That said, all of that should work its way through the same processes as if it were anything from the outside.

Also, in terms of writing patches for vulnerabilities, working with the maintainers of each of the open source libraries is something that we're going to have to do. Like, we're gonna have to reach out to them, we're gonna have to talk with them. If it's easier to write a patch than to try to get them to do it, it may actually be worth it for the people dealing with that communication to write it.

We've actually, like, you know, pursued free accounts for scanning tools that feed into the security group. We've applied to Google's program for fuzz testing as well. Like, there are, you know, official programs and actual proprietary software that we get free licenses for, that we actually do use and feed into the security group, but that's all specific to core. And yeah, I mean, if this group wants to do that at some point for the ecosystem, I mean, I'm sure the foundation would support it.

... contributions to bring it in. I think that, like, definitely for the rest of the month he's, you know, doing family stuff, so that's probably why he's not here, but I would expect him to get a little bit more involved in January.

Okay, so, once a week... we talked about, mostly there's a couple things we talked about. One is, so there's NSP data: figure out what it is, receive it, what we're going to do with it, and that will depend a little bit on what the data looks like, so we'll know more, hopefully, next meeting. The other things that were, there was a lot of things that were discussed.

Yeah, I guess also, just to add to that, I guess I could just kind of note the issue, but it seems like the project is mature now. Having an actual Bugzilla-like thing, or whatever, you know, Google's actually using, might be a good way, a suggestion to the security group, to do instead of a mailing list. But that's just my two cents.

But so, reporting to security@nodejs.org was, to an outsider, like a black hole, so I have no idea, like, for example, who would read the issue, if the person is the right person responding, if other people have comments. So I think, like, having an issue tracker, like a system to report bugs and handle these cases... it also means that, well, some of us can chime in on other people's.

Like, what's that software that everybody uses for tech support now? Like, I know that npm uses it, I forget the name of it, but essentially, like, sort of help-desk support would be really nice, just because it's like, then people are using this really official system to communicate with you privately when you log something, and so you know that you're not just getting, like, a random person coming back to you, yeah.

So the other thing that's nice about having a tracker is, once the vulnerability is actually disclosed, or if it's decided that it's not a security vulnerability, the issue can become public. So that's used in a lot of other projects when dealing with security stuff: you mark an issue as private until you know enough about it to decide whether it can, and when it should, be public.

Interesting. Good. So I don't know if it's obvious, but there is a GitHub repo. It contains vulnerability information, but it's completely private to the Security Response Team, for obvious reasons, and I guess the limitation there is GitHub doesn't allow you to selectively make public individual issues. So what I'm hearing is you guys are suggesting we need some sort of vulnerability tracker where we can selectively make issues public, so they can be seen by the person who reported them and then eventually become completely public for the historical record, yeah.

Yeah, I think this also, like, would really help feed back into, like, academic research. That would, you know, potentially build, like, so we have, like, static analysis for, like, Node, and if we knew that there were, like, things you guys found before, and like them, you know, we can write more general tools to more easily help find the same kinds of vulnerabilities in other parts of the code base, and, you know, like you guys were talking about the ecosystem, right, that's, you can imagine that scaling out even more.

Okay, it's long, I just want to ask William: I know that you're listening to these comments about kind of making selective parts of the repo private or public and stuff like that; is that something that we might be able to work into the GitHub automation so that we can do that?

Is there going to be a need to segment off parts of that to a limited audience? Like, you know, say I may have access to vulnerabilities that deal with core, but I may not have access to vulnerabilities that deal with some other part of the ecosystem, some project I don't necessarily have any reason to be seeing their vulnerabilities for, right. So how do we handle accidental access to that private repo?

I'm a little bit worried about, like, the level of... if we start getting a lot of vulnerabilities, we actually do need a lot of people with access to the data in order to just effectively vet them all. So I'm a little bit worried in, like, making the toolchain really complicated, just because it's going to create a barrier to actually being able to get the work done.

It wouldn't be that. I mean, like, well, essentially what it would do is we'd use the GitHub issue tracker and things would get posted in this private repo, and then when we decided that we needed to disclose the vulnerability we would have the bot essentially post a new public issue somewhere with all the information in it. So...

Sorry, so I think that's not generally a good idea, right, because if I'm reporting something, I'd like, actually, like, even be willing to help fix the bug, and I'm talking here, like, me in general, and like, in general, right. So I think that if I'm reporting something to your private repo and I'm not part of this private repo, then it really disincentivizes those people from actually trying to do this, right.

Like, if you look at Chrome CVEs, there are, like, you know, repeated people who do this, because they've probably built tools and they're, like, really helpful to the team. I think you want to leverage, like, security researchers and other people to, like, almost do part of the work for you. Like, the granularity of GitHub repos is just too prescribed in...

So, okay, so we already have, we actually already have some automation around email using what's called, I forget the API, but we already have some code to deal with this in a certain way.

So, like, it's actually not that hard, when an email comes into security@, creating an issue in GitHub, and then it's also not that hard for a GitHub bot to know when new comments are posted in that and to send them via email to somebody, and when somebody responds to that email, have the email code actually post another comment in that particular issue. I mean, it's code, it's going to take a little bit of time to write, but it's not that hard.

... thing, and, you know, we're five minutes over the hour, so that's... it doesn't...

... have any shortage of things to discuss? Oh, I think we're good to go. Good.