From YouTube: Security WG Meeting
We have a light agenda today, but here it goes as usual. Please, you can open the minutes of the meeting on another tab at the same time. Is there any announcement someone wants to be doing today? I actually have one, which is issue number 494, reminding everyone that next month, in a month today, the vulnerability database will be removed from the main repo of the working group to move to their own repository, security-advisories. Does anyone else have another announcement to make?

Regarding the funding from Coinbase for bug bounties, Liran suggested we close the topic in favor of 503, which defines the guidelines of criteria for distributing bounties to security researchers. Should 503 then replace this issue in the agenda? Should we keep the first issue in there? Does anyone have an opinion on that?

And last item, I added it to the agenda today. It's an issue opened by either is a key advance, the vulnerability research tool, and they want to check how we could ensure large disclosure of vulnerabilities, because they are true, basically. I'm not sure if Heaven is here today; he told me he might be joining.

Let me just turn that, so advanced to me might be joining the call. Yes, not yeah. So the question is: could we find a process to handle large disclosures of vulnerabilities? We've done that once informally with prototype pollution last year, but we are in the situation where somebody could be reporting 20, 40, 50 vulnerabilities at once, and even though the workforce in the ecosystem triage team, it's sometimes challenging to handle everything at once, meaning checking if the vulnerability is valid, contacting every package owner, and helping them fix the issue.

I have a little bit of a repair condors, certainly. I think the Buffer issue is something that has been very, very widespread and might result in a lot, a lot of vulnerabilities being found at the same time. As far as I know, in newer Node versions this use is completely not possible. In most, all this old code will break eventually, for the better I guess.

So I want to say that the deprecation warning does not work inside a node_modules directory, so it works only for the top-level code. It isn't wrong if some dependency that you use uses the deprecated Buffer constructor without an extra option flag. So John is a fan of things like you don't have talked about that, and there are still a lot of modules which use the Buffer constructor, and the usage overall, the issues, are not going down.

I think we should be more concerned about people running vulnerable code than people being warned about vulnerabilities, particularly because this one is so easy to fix. It's not like you have to, like, there's a one-to-one replacement for the Buffer constructor to bring, you call it, it's not. There's not gonna be technical issues.

Because we could be warning package maintainers about unsafe use of the constructor, but if it's simply internal, really not dynamic and never really impacting the output of the package, nor its inputs, they would just let us say that's no, not responding, because there is no exploitability scenario. Yeah.

So I guess, you know, the thing that we've done there is like, we've also started throwing errors when it's run, it's annoying, and I think even if it's not, even if it's not actually vulnerable, like they're not exposing a vulnerability, it would be nice of us to go help them fix that and get that error out of their system. Additionally, bringing that contactor of their module. Sorry, additionally, bringing the context of: look, this is gonna break hard, like this is gonna be a hard break.

It would help. One of my concerns with the problem of, like, it seems like we're a little bit concerned to push onto maintainers this, this job of updating the code if we don't know that it's a vulnerability, but I have to say, from my perspective, it's their responsibility as a maintainer of software to make sure that code doesn't have vulnerabilities.

Hopefully some group of external people are gonna go through their code and see if the Buffer usage is or is not a vulnerability, and that group of people doesn't exist that's going to do that for free. So I know chakra the donee kita, the 12.x actually removes the vulnerable Buffer constructor, right?

I use it, she's too high, so I think that's the next step, and if we could do is to contact high-profile packages and get them patching; I shall list those. So perhaps after that also.

Yeah, and I mean that sounds like, yeah. If I'm understanding correctly, that sounds like the path to get it removed, deprecated fully, is make modules that use it... just like a little bit of a catch-22 there, where, like, I guess, where we have to actually make sure we're not going to just destroy everyone as soon as, you know, they upgrade, but at the same time you need people to not be using it to do that. That kind of corrects, kind of.

Making the indices, you know, the vulnerabilities landed. Is there a specific way we'd like to approach getting those entries into the advisory repo? Because since then they've not existed, we could probably start doing that sooner, since there's not, like, currently any contract there. We could probably do that sooner. I didn't get that into the just-announced migration to the new advisory, the new advisory repo, I found.