From YouTube: OpenJS Foundation Node.js Security Working Group AMA
Description
The OpenJS Foundation is a member-supported non-profit organization that provides a neutral home for some of the most important projects in the JavaScript ecosystem.
Learn more and join us at https://openjsf.org
A: Already have a first question, so hi everyone. Thank you all for joining us, for calling one of us on the phone to ask questions, amazing, so excited. So we're kicking off with this episode of the Node.js Foundation and the OpenJS Foundation's security working group to discuss, you know, this is an ask me anything.

A: So this, you know, you may just kick any questions over to us. I'll introduce quickly who's on the panel today: we have Michael Dawson, Vladimir de Turckheim, myself, and right at a nice one, and Rachel Romanov as well, and so first of all, thank you for joining us. If you're now on the live call or the recorded one, just some cleanup stuff, so that you know how to do this: if you want to shoot any questions over, basically we have this form over there that you can submit, a Google Form.

A: So, basically, if you find the OpenJS Foundation on Twitter, there's a Twitter. You'll find it probably on the top one, just go there and submit the question; you can also basically tweet towards any of us on the panel here as well. I will probably monitor and ask you that, and without further ado, I guess I'll go ahead and let the folks introduce themselves. So Michael, do you want to start? You're the first one on my screen. Okay, yeah.

B: I'm Michael Dawson, IBM's community lead for Node.js. That lets me spend a lot of time in the community. I'm a member of the technical steering committee and a member of a number of working groups. I haven't been quite as active recently in the security working group, but it is an area that I have an interest in. As people said to me yesterday, you know, you can see.

C: I'm glad I'm way less than everywhere on the Node.js projects that make sure, I think, a couple years ago. Mike helped him. So we took some wacky vacation and half of the working group, the load project, actually inactive. I am mostly focusing on the security working group and trying to add some instrumentation-friendly features into Node.js. You might know me for AsyncLocalStorage, which I am one of the main authors of.

C: Was so happy to get that merged; it's pretty new, it's like February merged, and when I'm not doing goofy stuff in the Node.js project I have a day job at a company named Sqreen, where we actually do application security, so I'm someone who works full-time in Node.js security and web security at large, and that's pretty much how I got into this.

A: I'll keep it short. I'm part, together with Michael and Vladimir, of the security working group for Node, have been doing a lot of community JavaScript and security stuff over the past recent years. I'm a developer advocate at Snyk, where we do dev-first security. Really honored and happy to do this. I'm here and I think we already have some questions and maybe even one on the tweet for you, Vladimir, with that HackerOne thing coming up there.

B: I'm happy to jump in on that. The security working group actually was formed, and I forget how many years ago, but it was around the time that there was the donation of the Node Security Project database. So one of the areas that it's focused on has been, you know, taking vulnerability reports and adding to that database. It's also focused on areas where we can provide guidance or techniques for the larger module ecosystem, to improve security or to make things easier for maintainers to do that.

B: What it isn't is, it's not necessarily focused on Node core security. Things like vulnerabilities that are reported to the core project are handled through the TSC and some other processes. Security releases, again, are something that is handled by the Node core and the technical steering committee. So I'd say it focuses on security, but not for Node core itself, not necessarily, but more on the ecosystem and what we can do in terms of the Node ecosystem in the modules.

A: I'd say we aren't running for a long time. I think it was since 2016, the end of that, where everything got quite busy with more people. I remember my first security working group. It was super hectic and busy, in a good way. I guess I kind of owe it back to get busy on that again, but I mean, Michael.

A: Your description is already kind of relating to one of the questions we have, which is, you know, what are the general responsibilities of this Node security working group, right, like what are the charters?

A: You know, what are we kind of tasked to do, and I think you had a little bit of separation, sort of like it's kind of a split. First, there is the ecosystem security working group, which is kind of what we're trying to become, more like ecosystem responsibility, like you mentioned the npm modules and so on, and then there's the other side of it, which is more core-related, like, I don't know, core-related security activities, you know, whether that's crypto and other. It does do it, right, yep.

A: Sure, and I think it's also worth noting, I guess for me before joining things I've seen, you know, very big and massive from outside, like what is the Node project. You know, how do we get involved, it's like very opaque, but it's really worth noting here, like a lot of the things we do, like basically everything we do, except, you know, critical stuff, like triaging the vulnerability reports, which requires its own discrete way of doing it.

A: Now everything is pretty transparent, so like that link that we'll show later on Twitter and what Michael had just provided you, that's basically how the repository, everything is very transparent. Any pull requests, changes, any issues, anything you want to chime in on the Node security working group. It is also having this one monthly call every time, so actually we have one next week, on Atherton of July. So if you, you know, want to jump up, ask any questions.

A: You can also add questions, by the way, here to the YouTube chat too, as well, after the AMA. So you know it's very open and we're always looking for new people to join us, you know, give us a new fresh perspective and so on, so there's definitely a door to the project if you wanted to get involved, yeah.

B: I think that's a really good point, in that, you know, I hear that the project itself is quite big. There's lots going on and it can be a little bit intimidating sometimes for people to get involved. Like you said, everything is really transparent, but sometimes I think it's more the fear of the unknown than anything else, and I think that the working groups in general are a great way to actually get to meet a few of the people. I'm always surprised at, like, how few people actually are driving things.

B: So if you imagine that it's a huge project with lots and lots of collaborators, which we do have a good number of collaborators, but there's lots of things going on, so that the people in each of the different areas, it's not like you're gonna come into a group of 50 or whatever; it's usually four or five regular members, and it's a great way to get to know them, make the contacts.

B: And so, if you look for a working group that's kind of in your interest area, it's a great way to understand more about the project, figure out that it's just, you know, people, and people who are friendly, because the project's very focused on making sure that everybody's friendly and helps new people. So it's a great way to get in, and we'd love to see more people who are interested in security come out to the security working group.

C: When I see new contributors coming to the Node project, highlighting security stuff we haven't seen, fixing bugs we haven't seen, the hard part of the job is how to make them, how do we make them know that they can regularly be involved in the community and how can we invite them, and I think that's the part where a working group, as you said, is a good entry point, because you start to contribute, you meet the people and you end up in Node and getting commit rights on that after a couple more years.

A: That's a lot more, since you mentioned writing a lot of bugs and introducing a lot of bugs, gonna take you up on that, and maybe I'll connect that to, if you can share, tell us a bit about this bug bounty program that the Node Foundation has, and what is it? What are we gonna do there? How is that related?

C: Rented OS, so please be serious, and depending on the popularity of the repo and the severity of the bug, we can award swings like, I think last week we awarded two hundred and fifty dollars for an XSS issue in a very popular repo, and that's the kind of thing where you can make a bit of money and fame while making the world a better place.

C: We're also blessed by another sponsor, which is HackerOne, which provides us with free HackerOne programs. So you can find us on HackerOne, ecosystem, or the HackerOne Node.js disclosure program, and both of the links are on the Node.js website under the security tab, so I have just good news. Is that all: click security and all the links will be there and you will be able to spam us with a lot of very critical vulnerabilities, yeah.

B: I'll take this opportunity to poke at a little bit more painful side of this: the bug bounties are great, but really, you know, we'd like to encourage, I think, working closely with the project versus looking for bugs to be able to make money here. It's great to get a bit of a bonus there, but there has been a little bit of friction in the community.

B: So yeah, I thought I'd just see, like Liran invited me to give your take on that, because it's great that we have the bug bounty in place, but I can see that there's a bit of tension between, like, yeah, we're incenting people to generate work for a different group, and how do we deal with that going forward? That's.

C: Actually, a great question, and that's actually the question about monetizing open source, and on a very specific part, which is, okay, you've got monetizing people for their daily work and you've got monetizing, paying people for saving everyone's production or infrastructure by fixing the critical security bits, and the question is money. The solution is pledging. I don't really have a solution.

C: Last year, or three years ago, I was invited to a panel at a society named The Maintainers, if I recall properly, and we did a daily workshop with a philosopher about who will maintain the maintainer. Where do people who maintain code and make the thing reliable and work for a long time get the retribution, because we've got the culture on the internet and open source in programming to reward the creator?

C: They're all my first creator, and they get the glory and they get to sell the project, for instance, in some cases. But what happens for the other people who write Node, and the Node.js project has a few very active members. I think if we render commits by member over the next six months or 12 months, we will realize that some people are more invested, are very invested in fixing bugs and making the project more powerful.

C: So I would like that, because it will drive toward a change of mind in the bug bounty scene, because one thing is actually a spot and you've got people who me, and that's actually a thing, but I remember a longer article from someone who shall not be named, which was about, hey, you found a big security bug in my huge days.

C: Also, it's worth noticing that it depends also on who owns the repo. So in the case of the Node.js project, it's the dynamic we've been discussing on the ecosystem side. We happened to meet bugs on repos that belong to commercial organizations that are not community maintained, and actually the first time it happened, all of that is public, but the company, actually it was before we had bug bounties for the ecosystem. The company actually awarded 500 the last 20 to the person who reported it, and I guess.

C: The dynamic is different when it's a community project that is maybe unfunded or, you know, sponsored by the employers of the people who work on that, or projects that are not fully open source because they belong to companies, are not community driven and belong to a company. I mean, I would be more or less keen toward changing the dynamic for that, because there's already someone paying and someone handling the dynamic, but for the Node.js project, yeah, we probably have a story here that we want to write together. Yeah.

A: So I guess we already have, if you wanted to volunteer and jump up, put something to work with the security working group. Well, we have one idea from Michael, like maybe we have, we have this bug bounty kind of policy. It's just really a file, you know, that we co-author, so we can read through that.

A: We also have this idea of trying to see with this problem of, like, open source and maintainers, as Vladimir said, there is friction there, and we're trying to make their lives also easier as much as we can, and so we're trying to figure out how we can use HackerOne as a platform as well, also, sorry, to also reward maintainers for their time fixing something, not just the security researchers. So if you have ideas there as well on how to make that work.

B: I think there was a comment on some of the discussion on the YouTube chat around, there are some challenges around basically being able to provide a patch, because, you know, we have thought about the responsible security disclosures, but that part might actually need some enhancement as well to allow it to come along with, or have, the patch, I guess. Today we use HackerOne, where people can open issues, and in that issue we could certainly attach a patch, I assume, right. Yeah.

C: I think Bryan's point is interesting. I think GitHub is rolling out a feature with private PRs, but I don't know how that works for people who are outside of the organization regarding access to that. Also, hi Bryan, who is another member of the working group, but yeah, I think right now the only flow is to attach a patch file on the HackerOne issue and apply it from private forks of the repos, yeah.

A: That's what we've questioned so far, alright! So as we're talking about a lot of, like, patches and fixes and maintainers and open source security, I'll go ahead and ask for this panel: you know, what are some challenges that we're seeing as a security working group that works in this space with the community? What are some challenges we're having?

C: Also, you're between the hammer and the metal, meaning that you've got a bug bounty coming from one direction, the report, and you have to evaluate if that's a valid thing, and sometimes it's really hard and challenging. You've got maintainers that might, you know, or might take time to ensure that the worst-case scenario, and during the worst-case scenario, usually maintainers are pretty happy and we've got great interaction.

C: There was Snyk, big in that, and that was pretty much all the actors in vulnerability management for Node.js. Now npm has gone this way, GitHub is doing it, those are the same entity, and things are changing, and maybe the need for the security working group handling the report for the whole npm ecosystem, which is still exponentially growing in number of packages.

A: If I have to kind of recap that, there is a fatigue coming up, though, I think, on maintainers as well as the working group individuals. You know, there's a lot of context switching. It's not like, I think, you know, the context is, when you triage a vulnerability, it's not like you go through it, you spend one hour or so and then it's an end-to-end thing and you finish it, and so on. There's reaching out to the maintainer, as you know, then, you know.

A: Take that and multiply that across maybe tens or hundreds of reports that you might have in your queue to kind of triage, and the context switching and that work is, I think, what we're finding as a fatigue for the individuals, but nevertheless super important. And so, Vladimir, your second statement there is, maybe we're trying to focus it, because for a long, long time, I think the working group was also receiving...

A: You know, reports for modules that have tens of downloads a week or a month, and it's not that they're less important, so we took them on as well, but they're just less impactful. Less impactful if they know there's a vulnerability in something that gets downloaded ten times a week. That's not gonna be a really good return on investment for us, for example, now working to triage that. And so we're trying, we try to do...

A: A couple of things, like rating buckets of reports, and so there's like no, low and medium, and maybe high, kind of like impactful modules, and now I think with your kind of focus here is like we're trying to also maybe save it, or something more specific to the OpenJS Foundation, that we're trying to kind of refocus the work of the working group. Right. Yeah.

B: Certainly for me it's that, you know, the point you made about the landscape having changed. At the time of the formation, I think it was like four years ago, as Liran was recalling, the database needed a home, and there was concern over having a sort of neutral database and making sure that there was a place. It seems like time goes past and we're more comfortable with the alternatives.

B: We haven't necessarily been able to keep up with all of them, so, you know, just generally, going to the other ones could make a lot of sense. I think in terms of having joined the OpenJS Foundation, security still is a challenging, I shouldn't say problem, but it's a fairly specific technical area, and I think not everybody...

B: You know, potentially with a first priority on the projects that are part of the OpenJS Foundation, because as a group we want to make sure that we're doing the right thing on the security front, but also defining best practices and things that are applicable to the broader ecosystem, to make maintainer life easier. A very concrete example of that is, someone, say, helped to define baseline responsible reporting guidelines.

B: In terms of how you should let people report security vulnerabilities to your project. He participated in defining that through the package maintenance working group, which is a great step; he then leveraged that to a PR we have in a proposal going through at the OpenJS Foundation as a set of minimal requirements that we'd like all of the projects who join the foundation to meet. So again, having, you know, it's not...

B: So I think that there's just so many areas of security that are very specialized, that if we can bring together the companies and the people who are experts in that to figure out how to help the rest of the ecosystem, that's still a really good role, and so it's figuring out how we move from what made sense four years ago to what makes sense today, and I know there's the ongoing discussions there. But it's good to chat about it, make people aware, but that a bit more.

A: True, yeah, and it's really good you're entering that, because I think maybe kind of a hidden value in that work of having that kind of policy for the broader foundation projects is, it's a good reference, right? Like if I'm building a new project and I want to see what other fellows are doing, you know, in this...

A: In this space, like, if I want to see what kind of testing tooling they have, or what kind of other project references, I'd go to them and look at their package.json. How do they set it out? What kind of dependencies do they use, and so on? But then, if I have the same question for security, I can also see the same thing, right. I can see what kind of security guidelines did they embrace, you like?

B: One, from my perspective, I'd really like to see any of the companies who have a security focus, security background, come together and discuss, under the sort of foundation umbrella, what we can do to help maintainers and help the ecosystem sort of raise the bar, even just a little bit, incrementally. I don't think I have any of the answers, like I'm not in that specific, like I'm not in a company...

B: That's trying to help build the ecosystem security level, but I think if we can bring enough people together from the different organizations who are focused on that, it's kind of helping to figure out the incremental steps we can take, like the baseline security, responsible security reporting guidelines. What would be the next step after that, right, and then help to put those into place.

C: Also, there's one big part of web security, and I know that Node is not only the web, but it's one of the main usages of Node.js. That is often for good, and people talk about vulnerable modules, what best practice writing modules, but at the end of the day the payload, where the hacking money happens, is often in SQL injections, XSS and unsafe code evaluation, and that's where I think I want to see the Node.js project and the Node community go to: we've got huge companies and small companies.

C: They all have Node.js in production with web applications. They all have the same issue. How do I do authentication? How do I sanitize input? How do I make sure that the things that go to my database are trusted, or what can we do in the framework, in the runtime, in the ecosystem, to reduce the mistake area for everyone? Can we make the use of the modules safer by default, but not only, can we...

C: For instance, there has been a lot of discussion about syscall policies around Node.js and Deno, and they are great because they prevent a process from doing something unexpected. But what is worse is when a process is doing a syscall it's allowed to, containing a malicious payload, and in that direction I think, as a community, we can do something as the Java world did, and try to move forward into making everyone's application and business safer.

B: The thing that came to mind a little bit when you were talking about that: some of our challenges, like, the JavaScript ecosystem is great because we have so many choices on npm, but it also becomes a challenge because there's so many different places that we could have security vulnerabilities introduced, right, and at some point it could make sense to have some common components. One step is to try and encourage, say, some projects to join the OpenJS Foundation, which are gonna provide help, provide...

B: You know, security qualities of service, what you're talking about, and/or considering whether, and there's always discussions around small core, non-small core. In some of the discussions we had at the recent collaborator summit around what's important to make Node successful for the next 10 years, we started to get into a discussion of, maybe something like a standard library makes sense where it's not part of core, but so anyway, just, you know...

B: Thinking of ways where the surface that we need to make sure is secure is reduced might be another sort of avenue to think about. In terms of, for SQL injection, what are the typical ways that that gets through, and is there any library that could be under the OpenJS Foundation, or in the standard library, or in some way where we have a little bit less of a surface for the tasks that we have to try and make secure.

A: I was gonna say, that's a lot of food for thought from both of you. Alright, let's go back. There are some questions that we've got, and by the way, thank you all for sending us these questions. So let's start with one of them. One is: I wonder if some security issues are being replicated over and over and could be caught with a pattern search that could be run to catch it before it becomes a bug.

C: They work somehow well, like detecting that you are coding a database call and detecting that there has been a string concatenation before from the request. Yes, that works for them. The issue with that is JavaScript is the most dynamic language in the world, and there is so much that static analysis can do. There will be, I've gotta say, I always say that, funny, but if there is something weird that can be done in JavaScript, it will be done and it might even get popular, and that's the thing with JavaScript.

B: So it wasn't like the linter you put in your pre-commit hook, and it tells you and you just update, and my experience, at least, well, I don't know if that's changed, is that the static analysis tools took a fair amount of work after the fact to understand if that was really a vulnerability or not, and so forth. That's.

C: I think that the answer is HTTPS, mm-hmm. So basically you want to encrypt communication and you don't want to obfuscate anything, because security through obscurity actually doesn't work at all. But you want to encrypt the data sent to make sure that only the issuer and the intended consumer can know what's inside it, and avoid unsafe, safe. The encryption, Louisville officer, so and.

C: Since you have things like Let's Encrypt, or even hosting providers handle all that, I mean if you put your code, I think, on Heroku, it's SSL, it takes care of it, and you don't even have to pay for your certificate as was the case like six years ago. I think I've read that Firefox is trying to slowly, by default, disable the HTTP part.

A: Sure, so I mean, we're kinda summarizing here, so I think HTTPS is kind of a by-default thing. If you go to the HTTP Archive, that's httparchive.org, you can see they're running a lot of over-time kind of reports, so you can see the adoption of HTTPS generally around the web. I mean, that's really interesting to see; it has some JS-related metrics and performance, so this is definitely gonna be, I guess, our conclusion here: just HTTPS by default.

A: This even sounds to me a bit, maybe, like the OWASP Goat projects, you know, like those vulnerable-by-default kind of projects where someone would want to see, you know, world like, but maybe from like, not the vulnerable by default, but secure by default, right. They want to see where the guidelines to follow are. Is that what you make of it? That's.

B: Right, the challenge, I think, and why there isn't already an easy one we can just point to, is that there's lots, when we say an application, there's lots of variation, right. So in this case it mentions, like, Electron, so maybe there's one of those for Electron, but then there's probably also one with building, you know...

B: Web, you know, say, somebody's building something with Express, using GraphQL. There's probably a bunch of different examples, and that's, I guess, another area I think maybe we can think about how the foundation can help, is like, how do you find those things, right, like if they exist out there? How do we, and I'm in JavaScript, I'm doing something, I'm security conscious, so I know that I should be looking out for certain things.

B: How do I find those, right, and what should that list be, even? So that's something that I think a group of people who are interested, it always comes down to, like, the foundation doesn't do anything on its own, right. It's not that the foundation has a huge staff of people who are gonna go out and write these things; it's that it can be the focal point and provide resources like repos and use of Slacks and videos and stuff like this.

A: Maybe a small plug is, I maintain, historically, some Node security resources; it's kind of just curated links. So if you want to swing that around toward a foundational thing, if we want to take ownership, versus if someone wants to just update it and send a pull request to a project you know of that can help others, just go ahead and do that, yeah.

B: That's exactly the kind of thing, like, if there were new people wanting to get involved and having it in a sort of neutral location made sense and would grow contributions, that would make total sense. If it's just gonna be continued with you doing all the work, then where it is maybe makes total sense as well. Yeah.

A: No, I don't want us to do that, all the work myself. So if someone wants to, I'm all about that, definitely. So, more questions. Let's see, we have something on malicious modules: are malicious modules as common as they used to be? I feel like I haven't heard of many lately. What do you think? What is "lately"?

C: Yeah, I think stories about malicious modules are just something part of the landscape, you see what I mean. We learned to live with them and they don't make the headlines anymore, but I think they are still here, but also they went to other ecosystems, like there have been a lot on PyPI. The typosquatting nightmares, yeah, great.

B: Yeah, it moved to PyPI, but npm is more on alert for them, and so I have some hope that, like Vladimir said, they're still going to be there, but it's a more challenging environment for them than it potentially was at one point, and end users as well are more aware that you need to understand the software that you're using and put into production. It kind of fits into the larger sort of OSS challenges of...

B: Not only do you need to be aware of it from the security standpoint, but you don't trust, maybe that's from the trust side, but also from the, if you want it to be, if you're critically dependent on it and you want it to be there tomorrow. So it may not be a security vulnerability, but if it just ages poorly, that can be just as big a business risk to you as a security vulnerability.

C: When you've got a PR coming from someone you never know, whose GitHub account has been inactive for six years or that's brand-new, and the code introduces a vulnerability, even if that's hidden in a big thing, it might be malicious. If there has been a publish on npm that has not been prefaced by commits on GitHub, and you've got like incoherent activity between npm and GitHub, then you can expect malicious, whereas when it's a long-time maintainer of a package that got popular, that had been maintained for two years...

B: I mean, I think you should answer first. Okay, I was just gonna say that, like, my only thoughts moving forward is, I still don't quite think we have it figured out, you know, how we bring the right people, get the right critical mass. Security is obviously an important topic for all of the ecosystem, for the users, the maintainers, and I still just want us to figure out how we, under the umbrella of the OpenJS Foundation or the Node project...

B: Have a very sort of vibrant and active community who are coming together to work on the problems together, and I don't think we've quite figured that one out, so I'm still trying to think of different ways that we can do that. I think it fits right into the discussion we've had about how do we refocus the working group?

B: I've got a proposal on collaboration spaces under the OpenJS Foundation to provide a venue for people to come together and sort of collaborate on topics, but it really all depends on getting the passionate and interested people to come out and participate, and so for me, on this front, that's still one of the areas for us to think about and figure out how we get that work all going, and I know, as volunteers, it's really hard, but that's one of the things top of my mind.

A: Agree, yeah, I definitely join that call that, you know, this isn't just a call to join the working group. If you're passionate about security, definitely we'd love to work with you, but there's a bigger project here. There's a build working group, there's a package maintenance working group, there's so many things, topics where, if you are passionate about this, this is definitely kind of a call from us to let you know everything is very transparent and open in the Node Foundation.

A: All right, I guess we are wrapping up. Any last words from either of you?

A: Yep, okay, so thank you all for joining us. Thank you for pushing out the questions towards us, so we can discuss those items that are dear to your heart. Hopefully we'll see you next time, and you can always reach us and find us on the Node security working group repo, and just ping us if you have any other questions as well. Have a great day, everyone, and thank you Michael, Vladimir and Rachel for joining us. Thanks.