From YouTube: Security WG meeting - Sep 4 2018

A: The other thing, but I guess I'll put out there, is we do have a panel at Node+JS Interactive next week, a security panel where we're going to be talking a bit about the work that this team does. So if you know you can help promote that, or if you're going to the conference, that's something to consider showing up to. We hope that will be interesting, and it's a good opportunity to learn a little bit more about security in general and what the security working group is doing.

C: Right, so I believe we opened one to get some comments about the auto-generating. So there's two things in that we need to get consensus on: what ID-generating idea we want to use. Makes sense, like we got a few thumbs up for that, but I think some of the security working group people, I think maybe, should just do it again as a reminder.

C: Part of that is that, yeah, that needs to wait a bit of time, like the 60 days, until we're able to push the change, so I think we can probably leave it on the agenda for the next time. Just to like conclude it, I'll go ahead and just try to ping people to come and just stick your mind on it, and see if we can get a full go-ahead. Okay.

C: Just, oh, it's easier for us to do this auto-incrementing stuff and not have to manually look into the current IDs in the files and in current open PRs. I was going to just take the current timestamp, at the microsecond level, and just convert it to a base that is high enough to give us both short strings, like it's not too long, as well as enough room to grow for like 20, 50, like the next 50 years. So I think that should cover it.

C: Yeah, it's not gonna be immediately visible through the ID that we want to have there, that this is like an old one or a new one. You're right, we're going to lose that effect, and we can opt in to maybe a different way, just a date, but because, you know, we are maybe foreseeing a lot of vulnerabilities, having all three vulnerabilities on the same date, you will not be able to do the same day. You know, we will not be able to do it automatically.

A: The main thing that made me think of this is, even for, like, I was trying to see if there was a vulnerability for a core module, and from the number, like, even our old numbering was useless for that, so other than like opening them up and looking inside, it was really hard to see. Like, for, based on a CVE number, for example, you couldn't necessarily see that, oh yeah, we have a CVE assigned to that, we have an entry in our database for that CVE.

D: I think that's a great transition to our next topic actually, which is moving the vulnerability database to its own repo, so I'm probably doing that next week, because I will be like full-time doing that; I have time for that. And I really believe that the Ruby advisory repository is a great example for that, so I will probably push for it to have the same directory structure, where each ecosystem module has its directory that contains its vulnerabilities, and we could have exactly the same thing for core modules, right.

D: I will provide an npm module that anyone can use and say: is this module with this version vulnerable? The module will fetch the API itself and do that check by itself. But if people want to query that, that simple curl, all they need now is the API key. But Liguria is willing to, trust me, build a proxy to have anyone being able to.

A: Now he's definitely getting more involved; he's also getting involved with the benchmarking working group, and I had talked to him before. I think he's back at school, but he's like an IBMer who was often at school, working back, and I think he came back for the summer, now he's back at school, stuff like that. But okay, so, just in terms of the agenda there, any tweaks we need to make, or are we still happy with that?

A: Any minutes? Okay, that sounds good. So that's what we had on the agenda for this week. Anybody have any other topics they want to talk about, or...

C: The triage, yeah, it's still paused, because I think it only resumes after we clear up the entire queue. So at this point we have only two items left that haven't been triaged, and if no one will pick them up, I'll do that over the weekend or something, but that's basically it; it would be possible to resume the program like it was.

C: I think we can. I was thinking about adjusting it, since we've been paused. I think this is the third time already, and we have a lot of workload on the team. So I've been thinking a couple of times whether we want to fine-tune those values, but we've also always tried to add more members to the triage team, like one meeting after another. So, what's kind of like that, we would be able to just meet the times, but yeah.

E: Alright, any other questions? I know I may have some stuff coming up in the future, can't say anything yet, but, well, actually, one question I had on this too is, like, something we talked about a while ago, and honestly this would be dependent on having the staff in order to handle the workload, but we had talked about reaching out to the foundation to get funds to actually pay bounties for vulnerabilities in top Node modules.

A: And, yeah, I think that, you know, it can go anyway from each project, as completely, you know, possible to stay independent, do their own thing, but I could see that, you know, projects would be like, well, why do I have to, you know, set up a whole working group or team or whatever; let's just join a common one as well.

A: The one thing I've also heard mentioned, related to that, that this made me think about, Reed, is I saw some tweets or blogs or whatever about: it's great to post bounties for people reporting things, but what about paying people to fix things? Because, you know, for a commercial product, okay, you know, you're basically saying let's pay people to help us report things, and then, if there's a business interest for...

E: I think that's totally doable. For remediation purposes, that definitely can be written into the scope, but again, just, where's that money coming from? If the Node.js Foundation or JS Foundation, whatever the final name will be, wants to give money, paying, like, for remediation of security issues is definitely a possibility.

E: There's a couple of different ways we can do it in platform to make that doable, but we can definitely work on that and make something happen, if that is something that you all have the funds for and want to actually see happen. We are more than happy to help make that happen on our side.

E: But the remediation part, so actually a long time ago, when IBB first launched, I think they actually offered bounties for remediation of issues, and I found that sometimes the patches that they would get were just terrible quality, and then the developers had to argue back and forth with them on the quality of the issue, and things like that.

E: It's doable. You can also frame it in a different way and not have it based off the security bugs themselves, but based off security enhancements. So if you look at Google's Patch Rewards program, they pay for security enhancements to projects, and they pay maintainers as well. So if a developer actually improves the security of a project in scope, then Google will actually pay for that fix.

E: For paying for bugs, like fixes of that, yeah, I mean, Google may do something in some of their stuff. I need to go back and look and see. I've seen people do, like, stuff on Bountysource occasionally, like, you know, bounties for fixing bugs in general. For things as far as, like, hiring a consultancy firm to help with that, I haven't seen that done, but it's definitely something that could be done.

D: It really makes sense, but the whole topic about funding open source is huge, so I know that someone is trying to set up a license with a legal team to ensure that the maintainer of code gets funded as much as they could, so I can ask him to know if they started to brainstorm about vulnerabilities and security in that context, and how someone could deserve more money or less based on security. Okay, so.

C: That's my only concern, that it's just not safe, you know, the effort for you to just do that and then, you know, get upset with it. So I just would like you to have a better experience with that. So maybe I'll try to point you at some of the items that you could just take off, that we kind of have consensus on, and you can just jump in and hack.

B: So the thing got reviewed and I kind of went through it, and what I had done was actually not up to the mark, because some of the apostrophes weren't being seen, like, so select SQL statements and all, so it didn't make complete sense. But I think it would be important for some way to, you know, figure out some markdown parsing or something, so I think that would be the next step for that, and so I'll look into that one.

C: And I think we are probably fine if we just maybe communicate on the stuff that you work on, so that, you know, we can give you some ideas to work on, and I have, off the top of my head, some other ideas as well, like I wanted to add some tests to the reporting tool, like if you wanted more, you know, no logic stuff, and I can prove that, or just either.