►
From YouTube: Alpha Omega Project Public Meeting (January 4, 2023)
Description
B
C
C
C
D
A
Oh
so
I
have
an
outline
of
a
deck
I
like
like.
We
usually
do
this.
We
can
stray
far
off
topic
pretty
quickly
if
we
would
like
this
is
really
intended
for
all
of
you.
So
you
have
questions.
Let's
just
get
into
it.
Happy.
First
of
all,
happy
New,
Year.
First
of
all,
I
want
to
mention
and
welcome
Jonathan
Jonathan
light
you
to
the
alpha
omega
team,
Jonathan.
A
Well,
when
he
comes
back,
he
can
introduce
himself.
He
was
a
Dan
Kaminsky
Fellowship.
He
was
on
the
on
the
Dan
Kaminsky
fellowship
at
human.
For
the
past
year,
he's
been
doing
a
ton
of
great
security
research
and
we're
really
excited
to
have
him
on
the
team
driving
at
scale
solutions
to
hard
problems.
A
But
you
know
this
is
really
great,
so
so
between
you
know,
Anna
from
from
from
City
and
Yesenia
who
joined
us
in
in
November
Jonathan,
and
then
all
of
the
wonderful
staff
that
that
we've
we've
staff
support
that
we've
gotten
from
the
Linux
Foundation
from
you
know,
David
and
Michelle
and
and
Jory
who's.
You
know
unable
to
get
away
from
us
and
and
Khalil
and
and
Jay
Bligh
who's
done
an
amazing
job
with
the.
A
Blog
getting
things
actually
out
and
done
has
been
awesome
so
to
all
of
them
and
and
particularly
Brian,
for
you
know,
keeping
us
keeping
us
moving
and
has
been
great.
So
thank
you
to
everyone
associated
with
this
project.
It
would
absolutely
not
be
possible
without
Ever,
every
single
one
versus
one
of
you,
so
go
back.
Jonathan
welcome
back
yeah.
E
D
E
But
I
realized
that
when
I
I
was
like
wait,
it's
been
quiet
for
a
while.
What's
up
and
I
joined
the
call
and
I'm
like
there's
no
I
see
people's
voices
moving,
but
I
don't
see
any
audio.
The
stupid
thing
was
the
zoom
output,
the
audio
to
my
microphone,
which
has
no
audio
output
and
it
of
course
yeah.
Of
course
it
would
so
yes,
hi
I
couldn't
hear
anything
for
the
first
five
minutes.
The
call
but
I'm
now
here
and.
D
I'm,
a
thrilled
to
have
joined,
I,
I,
think
I.
Think
I'm
excited
this
moment
to
announce
a
complete
change
in
priorities
for
Alpha
Omega,
we're
going
to
focus
on
the
hard
problem
of
getting
the
damn
video
conferencing
systems
to
stop
picking
random
devices
to
use
as
your
audio
just
because
they
haven't
seen
it
before
Jonathan.
Are
you?
Are
you
down
for
that?
Or
do
you
have
something
else
you'd
like
to
work
on.
A
E
D
D
I'll
do
this
slide
because
you
did
all
the
hard
work.
So
if
you
haven't
had
a
chance
to
look
at
our
annual
report,
please
do
so
it's
up
on
the
website.
You
can
ping
us
we'll
send
you
links
if
you
really
can't
find
it.
It's
actually
been
a
pretty
exciting
year.
Over
the
course
of
the
year
like
we
went
from
just
starting
out
and
figuring
out
what
to
do
with
money
to
like
actually
meaningfully
making
a
difference.
D
Seeing
studies,
teamwork,
reports
coming
back
from
various
people
and
that
played
out
really
well
Amazon
was
sufficiently
interested
in
the
work
that
we're
doing
that
they've
announced
funding
for
us,
which
really
is
just
great
to
bring
them
to
the
to
the
organization
and
to
have
their
support,
still
have
a
lot
of
things.
We
need
to
figure
out
always
listening
and
always
learning
I.
Think
our
sort
of
spirit
of
experimentation
and
learning
from
sort
of
iteration
will
continue
to
go
on,
but
really
just
a
tremendous
year.
D
A
A
A
and
we're
in
active
discussions
with
some
of
them
about
you
know
renewing
and
what
the
future
is
and
potentially
other
Alpha
engagements
all
of
the
updates
are
have
either
started
to
or
will
be
going
to
that
to
our
GitHub
repo
at
that
link.
So
if
you're
ever
interested
in
like
hey,
what
is
you
know?
A
A
On
the
tooling
side
we've
made
so
with
with
you
see
me
having
you
know,
joined
us,
we've
been
able
to
make
a
lot
more
a
lot
more
faster,
better
progress,
so
I'm
excited
to
hear
that
the
analyzer
is
steadily
improving.
We've
been
doing
some
refactoring,
just
bumping
two
versions,
but
getting
into
in
a
more
usable
state
for
for
more
people.
A
A
We
run
some
tools
or
we
do
some
activity
and
we
assert
that
that
activity
or
that
tool
run
has
been
done,
and
these
were
the
aggregated
or
interesting
results
of
that,
and
then
you
as
a
consumer,
can
base
a
policy
on
those
assertions.
So
you
can
say
I
I
I
want
to
know
if
any
of
the
open
source
projects
that
I
use
have
this
type
of
vulnerability
class
found
by
code
ql
in
a
fully
automated
way.
So
there's
no
there's
no
triage
necessary
for
that.
So
it's
a
it's
an
experiment.
A
You
shouldn't
rely
on
it.
Please
don't
base
your
business
off
of
it
or
you
know
things
like
that,
but
feedback
is
very
most
most
welcome
if
you're
interested
in
getting
you
know
getting
involved.
We
are
talking
with
guac
later
this
month
and
we
haven't
set
it
up
but
scorecards
as
well
to
figure
out
like
what
are
the
right
places
to
integrate
this,
and
you
know
how
does
this
need
to
iterate
in
order
to
become
something
real
and
useful
and
stuff.
D
A
We
last
year
we
started
putting
together
a
triage
portal.
We
kind
of
put
pause
on
that
just
for
priorities
and
time
it
looks
like
we're.
Gonna
move
that
forward
a
little
bit
more.
This
is
intended
to
be
a
place
where
security
researchers
can
go
to
essentially
upload
tooling
results
and
then
see
things
vertically
for
a
particular
project
across
multiple
tools
or
for
the
same
tool
or
class
of
vulnerability
or
whatever,
across
all
projects.
D
I
think
I
mean
it's
worth
talking
about,
like
you
know,
a
vision
that
we're
starting
to
to
hold
more
dearly
is
this
tool
chain,
ultimately,
should
become
part
of
people's.
You
know
any
projects
release
process
at
some
level
you
should
be
able
to
say:
okay,
we're
gonna,
go
run
a
bunch
of
stuff
and
see
what
it
can
find
and
then
make
assessments
make
you
know,
do
triage,
not
every
not
everything
it
finds
is
a
real
problem
whatever
like
that,
but
like
you
want
to
be
in
a
position
where
no
surprises.
D
A
Cool,
so
if
you'll
want
to
help,
if,
if
your
security
researcher
inclined,
you
know,
certainly
using
our
tools
and
telling
us
why
they're,
you
know
if
they
are
terrible,
please
tell
us
that
they
are
terrible
and
why
and
help
us
improve
them.
If
you
have
specific
improvements,
just
open
issues,
pull
requests
are
great.
A
A
C
A
F
D
D
All
right,
Jonathan,
I'm
gonna,
put
you
on
the
spot,
I'm
going
to
assume
that
people
know
of
you,
but
maybe
don't
know
exactly
what
you've
been
doing
and
I
think
I'd
be
very
interested
to
hear
you
talk
about
sort
of
the
scale,
PR
approach
that
you've
been
doing
to
find
classes
of
vulnerabilities
and
then
push
the
fixes
out
as
well
feel
free
to
just
chat
and
talk
about
it,
and
hopefully,
that'll
provoke
interesting
questions
and
conversations.
Yes,.
E
So
I
have
been
over
the
past
a
couple
of
years,
been
kind
of
excited
in
this
idea
of
automating
fixing
security
vulnerabilities
at
scale
and
I've.
Given
a
talk
about
this
at
black
hat
Defcon
and
then
a
spread
of
a
bunch
of
other
conferences,
the
best
version
ended
up
being
given
I
thought
it
in
Italy,
because
the
audience
I
don't
know
the
audience
was
great
there.
E
So
that
the
pull
request
didn't
you
know,
the
big
problem
that
you're
dealing
with
is
like
you're
trying
to
generate
an
automated
pull
request
and
you're
going
to
not
make
it
look
like
the
surrounding
source
code.
Right
you
want
to.
You
want
to
generate
a
pull
request
that
looks
like
the
surrounding
source
code.
E
To
open
rewrite
to
allow
me
to
look
at
the
code
and
the
surrounding
code
and
say
there
is
a
vulnerability
here,
because
I
can
see
the
data
flow.
That's
local
to
the
procedure
and
or
I
can
use
control
flow
to
say,
there's
not
a
guard
in
place
to
like
for
zip
slip
right.
There's,
not
an
adequate
guard
to
protect
against.
C
E
Slip
which
is
a
zip
slip,
is
a
vulnerability.
That's
a
past
reversal
vulnerability
while
unpacking
zip
archive
files,
and
so
you
can
say:
okay,
this
is
not
fixed.
We
need
to
inject
a
guard
there.
Okay,
now
the
guard's
ejected.
Is
it
sufficient?
Yes,
it
is
okay.
Now
we
can
generate
the
polar
crust,
and
so
you
know
that
that's
the
kind
of
work
that
I've
been
doing
over
the
past
couple
of
years.
E
We
dropped
support
for
HTTP
across
the
job
ecosystem
in
favor
of
https
only
which
broke
a
lot
of
builds,
but
it's
it
fixed,
the
gaping
home
the
supply
chain
and
the
entire
Java
ecosystem,
and
so
I
have
kind
of
always.
You
know
looked
at
these
problems
and
been
like
okay:
where
can
we
fix
it
from
the
root
cause
like
where
you
know
how
far
up
the
tree
can
we
fix
it?
Can
we
fix
it
the
root
cause?
Can
we
fix
it
at
the
supplier?
You
know,
if
not,
okay?
E
That
was
just
a
simple
HTTP
to
https
replacement,
sort
of
thing
right,
but
those
you
know
those
sorts
of
projects
of
like
okay.
This
is
everywhere.
Let's
go
clean
it
up,
let's
not
just
report
it
to
the
top
five
projects,
but
let's
go
and
like
tackle
it
across
the
entire
ecosystem.
Those
are
the
kind
of
projects
that
I
have
been
fascinated
by
interested
in
the
line
that
I
always
tell
people
is
I'm,
not
necessarily
really
good.
E
E
I
kind
of
when
I,
when
I
find
things
at
scale,
I
kind
of
feel
like
I,
have
an
obligation
to
deal
with
them
at
scale.
So
you
know
it's
like
all
right,
I've
become
aware
of
it
all
right
now,
I
got
to
do
something
about
it.
Well,
oh!
Well,
so
that's
that's
a
little
bit
about
me
and
I'm,
looking
forward
to
having
the
opportunity
to
continue
to
move
forward
on
these
projects
with
the
openness
Sif
and
you
know
the
alpha
Mega
project.
So
that's
my
resume
in
a
condensed.
E
G
So
I
have
a
question
to
this
General
Community,
as
in
so
as
Jonathan
was
looking
at,
and
he
was
mentioning
about
this
problem
that,
like
he's
looking
at
the
problems
where
things
can
be
scaled,
so
looking
at
small
changes
in
the
code
that
can
be
made
ubiquitously.
On
the
other
hand,
there
is
the
more
serial
like
in
it.
G
It
doesn't
work
when
you're
talking
about,
let's
say
a
SQL
injection
or
a
cross-site
scripting
like
those
kind
of
scenarios
where
you
can
make
us
the
same
change
across
the
board,
and
it
could
still
work.
So
it's
just
like
a
thought
question
of
how
often
do
we
see
that
side
like
where
there's
a
single
fix
that
can
be
spread
far
and
wide
versus
the
effort
is
asymmetric,
as
in
you
have
to
really
prepare
a
fix
for
a
particular
instance,
and
that
takes
time
and
that's
really
hard
to
steal.
E
So
I
mean
I've
thought
a
lot
about
this
sort
of
problem
and
and
like
one
of
the
so
zip
slip
right
like
it
was
a
great
candidate
for
my
research,
because
usually
the
the
location
of
the
vulnerability
is
located
to
a
single
procedure.
Call-
and
you
know,
even
at
best,
the
fix
for
that
and
on
using
automation
is
a
security
vulnerability
fixed
and
at
worst,
is
a
security
hardening.
So
you're
not
inducing
you
know
potential
additional
you're,
not
breaking
the
code
right
with
SQL
injection.
E
You
actually
don't
necessarily
have
those
characteristics
because
you
can
potentially
generate
code
like
if
you
wanted
to
automate
fix
it.
I
think
that
it's
possible
to
fix
SQL
injection
through
automation,
I
think
that
we
could
generate
the
code
to
do
that,
especially
with
things
like
data
flow
and
control
flow
analysis.
Well,.
G
G
So
are
there
any
ideas
of
of
like
how
do
we
and
we're
talking
about
like
having
a
portal
where,
like
a
tree
agent
portal
and
so
on
so
part
of
the
difficulty
that
I
have
faced
before
or
we
have
faced
before
is
when
we,
when
we
try
to
submit
a
pull
request
without
an
actual
fixed,
then
it
largely
gets
ignored
and
and
so
on.
So
how
are
there
any
ideas
of
like?
How
can
we
use
this
portal?
G
To
also
like
could
use
fixes
for
problems
on
behalf
of
the
maintainers
so
that
those
can
be
I
think
the
the
main
problem
is
that
that
the
maintainers,
the
open
source
project
maintenance,
they
are
not
updating
their
code
soon
enough
security,
hardening
or
security
vulnerability
definition.
However,
you
look
at
it,
they're,
not
updating
their
code
so
because
they
are
just
busy.
So
how
can
we
reduce
that
that
workload
from
from
that
side,
any
ideas
on
them.
A
I
think
the
most
interesting
like
there
are
so
many
like
rabbit
hole,
Rabbit,
Hole,
I,
guess:
we've
got
a
rabbit
holes
here
where
the
like.
So
so,
if
you
think
of
a
graph
of
like
the
difficulty
of
effects
like
sub
or
the
the
complexity
of
effects
or
the
complexity
of
the
of
the
you
know,
had
a
reason
from
vulnerability
to
solution
and,
let's
just
say
it's
kind
of
some
sort
of
a
hyperbolic
thing.
A
So
you
have
lots
of
kind
of
low-hanging
fruit
there
and
then
you
have
the
impact
of
the
vulnerability
and
that's
kind
of
probably
the
other
way
where
a
very
small
number
of
vulnerabilities
have
a
very,
very
high
impact
and
there's
a
long
tail
of
lower
impact
ones.
And
if
you
like
mush
these
two
together,
you
probably
get
something.
That's
like
you
could
sort
it
differently,
but
you
have
high,
and
maybe
it's
not
maybe
I'm.
A
A
Like
I
think
is
is
really
hard.
Certainly,
parsers
can
be
really
hard
and
I
would
I
would
say
that
the
strategy
that
we
I
think
would
make
sense,
is
let's
make
all
of
the
let's
make
the
high
impact
easy
to
detect
stuff
go
away
so
that
we
can
stop
eventually
like
stop
worrying
about
those
and,
at
the
same
time,
do
the
research
now
so
that
in
five
to
ten
years
we
have
better
tooling
to
like
start
in
on
the
the
juicier
stuff.
A
I.
Don't
think
it
makes
sense
for
Jonathan
or
anybody
else
to
take
three
months
to
do
like
if
you
take
like
like
Specter
Specter
meltdown
all
that
stuff,
like
that
super
interesting
research,
is
that
the
kind
of
thing
that
we
would
have
spent
you
know
six
months
researching
into
well.
I
mean
probably
not
but
like
the
impact
was
huge,
so
I
think
things
like
that
belong
more
in
Academia
or
dedicated,
like
research,
institution
kind
of
thing,
I.
E
Mean
yeah
so,
like
there's
a
there's,
a
lot
of
like
my
my
mindset.
This
is
a
lot
of
low-hanging
fruit
that
researchers
have
kind
of
found
and
left
lying
around
in
blog
posts
and
stuff,
like
that
and
they've,
like
maybe
reported
it
to
like
half
dozen
projects,
but
never
reported
to
all
the
projects
and
like
this
is
the
kind
of
thing
that's
like
hey.
B
If
I
can
jump
in
and
try
to
take
another
crack
at
answering
manora's
questions
and
feel
free,
if
feel
free
to
disagree,
you
asked
earlier:
how
do
we
encourage
you
know
people
to
update
you
know
particular
vulnerable
components
to
a
version
that
isn't
vulnerable?
At
least
that
was
per
the
question
as
I
understood
it
there's
here,
there's
actually
already
quite
a
bit
of
work
to
encourage
this
direction.
B
You
know
for
individual
open,
so
Source
projects.
The
obvious
simple
way
is
to
enable
one
of
the
many
many
tools
available
to
warn
you
when
hey
wait,
a
minute
one
of
the
components
you're
depending
on,
has
a
known
vulnerability.
Please
update
GitHub.
Has
such
tools
built
down
get
lab?
Does
there's
a
lot
of
third-party
tools
that
really
dig
in
that
can
do
that.
B
The
one
of
the
problems,
of
course,
is
not
all
projects
use
these
tools,
even
though
I'm
thankful,
they've,
gotten
easier
to
integrate
and
really
I
would
argue
that
this
is
the
rationale
for
the
big
pressure
from
U.S
government.
Some
other
governments
are
are
looking
at
this
as
well
for
s-bombs,
basically
saying
hey.
B
B
B
As
long
as
we
acknowledge
that,
but
I
think
that
will
create
pressure
backwards,
to
encourage
projects
to
to
add
those
checks
and
for
you
know-
and
some
people
are
saying-
well,
hey
man.
You
know
where
you
know:
where
are
people
getting
paid
to
do
this?
Well,
this
provides
organizations
incentives
to
pay
projects
to
add
those
tools
to
detect
those
dependency
problems.
B
Now,
here's
the
challenge
that
assumes
that
there's
a
component
with
a
known
vulnerability
and
ideally
with
the
known,
updated
version
with
the
fix-
and
this
is
one
of
the
areas
where
Jonathan
basically
is
a
lot
of
experience
where,
if
all
you
have
to
do,
is
update
a
dependency.
That's
relatively
easy,
but
if,
in
fact
it's
a
pattern
of
code
that
has
repeated
over
and
over
and
over
again,
because
somebody
copied
it
from
stack,
Overflow
or
somewhere
else,
or
it's
just
kind
of
the
obvious
way
to
do
it.
B
You
know
what
Jonathan's
been
able
to
do
is
find
ways
to
scale
up
across
a
very
large
number
of
places
where
it's
not
just
update
the
dependency,
it's
actually
within
the
code
itself
and,
unfortunately,
there's
a
lot
of
those
and
almost
nobody's
been
covering
this
ground.
So
it
made
sense
to
to
work
on
this,
because
it's
not
an
area
where
say
asking
about
s-bombs
or
or
inserting
dependency
analysis
necessarily
helps
you
out.
G
I'm
very
familiar
about
Jonathan's
work
and,
and
what
is
it
and
and
the
value
of
that?
What
I'm
trying
to
suggest
is
like
there's
I
mean
as
as
much
as
we
work
on
this
one
there's
also
the
hard
problem,
and
how
do
we
do
that?
So
one
of
the
things
that
I
was
thinking
of
and
that
that's
basically
I
was
kind
of
creating
a
pretext
to
to
bring
an
idea
which
is
working
with
the
Academia
and
and
like.
G
There
are
these
security
courses
that
have
been
introduced
in
the
Academia
and
they
look
for
like
real
world
exposure.
So
if
we
have
tools
that
have
detected
vulnerabilities
and
what
we
need
is
a
fix
that
we
can
then
pass
to
the
maintainer
so
that
the
fix
can
be
accepted
tree
as
an
accepted
quickly.
But
it's
an
it's
a
hard
fix
to
create.
So
it
would
require
some
manual
effort
in
order
to
do
that,
and
that
can
be
done
in
a
crowdsourcing
way.
G
And-
and
so
we
can
work
with-
let's
say
10
institutions
doing
their
security
course.
We
can
give
them
their
homeworks
or
homeworks
for
their
students
and
there's
tons
of
these
homeworks
that
we
can
create,
because
there's
tons
of
bugs
that
we
can
detect
and
then
they
would
be
done
there.
And
then
this
information
is
going
to
be
passed
as
a
conduit
through
to
the
security
Community
I
mean
that's,
that's
one
of
the
things
that
I've
been
like.
That's
my
new
year
thing.
People
things
are
happening
here
as
thinking.
G
But
anyway,
so
that's
the
idea
that
I
wanted
to
bring
in
as
in
how
do
we,
because
that's
an
asymmetric,
it's
a
hard
problem.
Can
we
do
a
crowdsourcing
model
to
try
to
do
that?
Now?
There
are
reasons
involved,
because
when
we
expose
these
I
these
information,
then
then
it
will
be
also
like
open
for
attackers
or
somebody
else
to
subvert
it.
G
But
it
looks
like
we
are
looking
towards
having
a
portal
of
some
sort
anyway,
whether
information
would
be
public,
so
in
that
case
it's
actually
we
become
more
riskier
because
when
the
information
is
out
at
that
point,
fixing
the
problems
or
the
detective
problems
as
soon
as
possible
is
the
key.
So
how
can
we
leverage
upon
crowdsourcing?
A
B
I
should
observe
that
I'm,
actually
in
my
copious
free
time
and
actually
an
Adjunct
professor
at
George,
Mason
University,
so
I
am
familiar
now.
There
are
some
interesting
challenges.
You've
already
mentioned
one.
How
do
you
keep
information
private?
Another
interesting
challenge
which
you
made
out
of
you
depends
on
where
they
are
in
their
in
their
studies.
But
if
it's
part
of
a
class
now
you
have
to
figure
out
how
to
grade
it,
which
is
a
little
interesting
and
professors.
Don't
scale
very
well
turns
out.
B
So
so,
if
it's
part
of
a
larger
granted
research
project,
then
a
whole
lot
more
becomes
available,
but
you
still
have
some
complications
there.
There
are
some
weird
things
that
are
different
about
incentives.
I
mean
the
fundamental
issue.
Here
is
that
for
academics,
what
matters
is
publishing
papers.
B
A
A
A
Posit
I
I
guess
that
the
amount
of
applied
stuff
in
there
is
relatively
small
I
could
be
completely
wrong
here.
So
tell
me
if
I'm
wrong,
but
like
as
this
kind
of
work,
is
super
applied
and
real
world
and,
like
there's,
there's
the
the
this
external
thing
that
I
made
better
as
a
result
of
this.
If
I
were
in
school,
like
I
mean
I
feel
like,
that
would
be
a
lot
more,
a
lot
more
compelling
than
you
know
a
theoretical
like
network
security
course
where,
like
you
know,
I.
B
Don't
know
I
I
would
guess.
I
would
go
further
on
I
mean,
as
I
said
I'm
actually,
in
that
that
area
as
well
I
would
encourage
thinking
through.
How
can
we
Square
the
various
incentives,
because
in
fact,
I
have
overseeding
students
who
found
vulnerabilities-
and
you
know
developed-
fixes
and
worked
with
upstreams,
so
it
can
be
done.
I
have
also
found
it
very
challenging
to
do
either
their
goal
is
to
get
you
know,
papers
published,
in
which
case
that's
not
real
fixing
is
not
really
the
goal
or
the
goal
is
to
get.
B
So
if
anyone
has,
if
you
or
others,
have
ideas
about
how
to
improve
the
connection
so
that
it's
wins
for
everybody,
I
think
that
would
be
fantastic.
We
have
that
we
we've
had
some
challenges
doing
it,
even
though
we
have
had
some
successes,
more
connections
with
more
people
who
have
found
a
way
to
square
this
circle
better
would
be
fantastic.
E
E
A
D
I
think
that
you
know
we've
talked
about
this
right
is
that
you
know
it's
very
much
an
artisanal
process
right
now
in
every
sense
of
the
word
right.
The
people
who
are
coming
in
for
rewards
are
individuals
looking
for
some
stuff
to
do
and
getting
paid
for
it,
and
the
projects
that
are
typically
getting
helped
are
relatively
small
projects
without
a
resources
to
do
things
themselves
and
the
process
for
which
we
decide
and
approve
things
like.
That
is
a
little
bit
sort
of
hand.
D
Handcrafted
now
scaling
that
in
some
way
is
super
interesting
right
like
how
can
we
actually
start
to
get
crowdsourcing
of
fixing
I
I'm
I'm,
cautious
about
this
right
like
anytime,
somebody
says:
oh
we're
going
to
solve
this
problem
by
crowdsourcing.
It
I'm
like
you've,
just
decided
you
don't
have
enough
money
to
pay
for
something
and
now
you're,
depending
upon
a
bunch
of
like
volunteers
right
and
is
the
SOS
money.
D
Gonna
come
like
it's
gonna,
be
hard
for
somebody
to
make
a
job
around
being
an
SOS
fixer
right,
and
so
some
of
the
other
initiatives
that
you
and
Microsoft
and
Google
are
both
doing
around
open
source
maintenance
efforts.
Amazon
as
well
right
are
recognizing
that
you
know
this
stuff
doesn't
pay
for
itself.
It
has
to
be
done
so
I
would
love
for
us
to
see
ways
for
SOS
to
start
being
sort
of
tapped
into
getting
things
done
on
those
that
very
long
tail
of
smaller
projects
right.
A
That's
it
I'm,
just
thinking,
maybe
what
we
need
actually
like
I
would
love
to
see
it
like
a
page
that
has,
like
a
I,
know,
some
sort
of
architecture.
Time
like
thing
where
you
say
you
know:
how
can
you
like
what
what
are
the
incentives
around
participation
in
the
open
source
security
community
and
like
there's
like
bug,
Bounty
stuff
for
certain
projects,
Sosa
Dev
for
other
ones,
and
full-time
employment
for
others,
and
like
these
other
things
where
how.
E
Do
you
get
up
here
on
a
map?
How
do
I
I
live
a
life
while
doing
open
source
yeah
yeah,
because
I
mean
that
I've
had
that
problem
right,
that's!
That
was
why
I
chose
to
join
the
Dan
Kaminsky
fellow
or
I,
applied
to
the
Dan
Kim
Fellowship,
because
I'm
like
I'm
working
for
Gradle
but
I.
Have
this
idea.
I
can't
fund
it
like
I
thought
about.
You
know,
I
thought
about
how
to
do
code
throughout
queries
and
you'd
need
to
do
like
in
order
to
make
a
hundred
thousand
dollars
a
year.
E
That's
a
good
start
for
people
to
who
are
trying
to
figure
out
how
to
how
to
navigate
that
stuff.
I
also
want
to
bring
to
attention
the
internet
bug
binding
program
that
also
exists.
I,
don't
know
who
that's
I,
think
that's
a
I,
don't
know
who's
running
that
currently
and
who's
associated
with
that,
but
that's
another
one
that
is
trying
to
also
encourage
this
sort
of
work,
or
at
least
pay
for
that
kind
of
work,
post
posted
being
done,
Randall.
F
Yeah
over
the
Christmas
holidays,
there
was
some
talk
about
I
get
because
SKF
is
involved
with
a
lot
of
people,
and
some
of
the
people
that
are
involved
with
SKF
were
interested
in
seeing
SKF,
introduce
a
bug,
Bounty
platform
and
there's
a
significant
amount
of
money
available.
If
we
wanted
to
go
that
direction
so.
F
B
C
B
H
I
did
want
to
throw
a
quick
plug-in
just
because
it
was
mentioned
earlier.
We
do
have
a
doodle
Poll
for
the
the
meeting
on
the
education
dii
working
group,
I
posted
on
the
channel.
It
looks
like
next
Tuesday
the
10th
and
then,
if
you
want
to
get
up
to
date
on
the
information
I
also
added
the
slack
Channel,
we'll
kind
of
be
talking
about
running
these
kind
of
bug,
programs
to
the
underrepresented
groups,
organizations
and
universities
awesome.
A
There
was
something
that
I
wanted
to
follow
up
with
before,
which
is
like
yes,
it's
great
for
us,
or
a
Cron
job
or
people
or
whatever,
to
be
like
looking
at
like
scanning
a
whole
bunch
of
stuff
and
finding
things
and
getting
them
reported.
Obviously,
I
think
we
all
I
think
we're
all
in
agreement
that
it
would
be
even
better
if
the
maintainers
found
this
themselves
as
part
of
part
of
normal
PR's
and
fixed
and
like
we.
A
Never
it
just
never
existed
in
in
the
first
place
and
I
think
that
there
is
a
place
not
for
Alpha
I,
don't
think
it's
an
alpha,
Mega
thing,
but
definitely
open
ssf
in
trying
to
push
on
answer
the
questions
like
why
don't
more
maintainers
use,
you
know,
pick
a
code
scanning
tool
and
fix
things
when
they're
found.
Why
is
the?
A
If
we
can,
if
more
of
that
work
can
happen,
Upstream,
then
it
kind
of
it
never
becomes
low-hanging
fruit
because
it
never
gets
in
the
first
way
the
other
place
to
do.
It,
though,
is
in
the
platforms
themselves
and
I
mean
platform
like
so.
As
an
example,
I
know
the
munawar,
the
request,
you,
you
open
up,
HTTP
request
without
a
timeout
like
yeah,
you
could
hang
forever.
A
F
I'll
I'm
going
to
give
you
the
packager's
perspective,
please
no,
sir
yeah
from
a
package's
perspective,
because
we
run
into
a
lot
of
these
problems.
It
really
depends
on
Upstream.
It
also
depends
on
who
you're
talking
about
when
you
talk
about
saying
defaults
because
usually
there's
multiple
opinions
about
what
same
defaults
are
they're,
saying,
defaults
from
a
distro
level,
there's
the
same
defaults
from
a
developer's
perspective
and
a
lot
of
times
they
Clash.
F
So
it's
very
difficult
and
I
also
will
say
that
burnout
is
real,
not
in
that
not
in
that
aspect,
but
sometimes
just
trying
to
deal
with
a
lot
of
like
I,
don't
know
what
to
call
them.
Just
dinosaurs
people
that
resist
change
like
toxicity,
sort
of
behavior
and
it
just
it,
gets
very
tiring.
So
after
a
while,
like
even
from
a
package
level,
you'll
stop
reporting
just
from
the
sheer
fact
that
you
don't
want
to
get
insulted.
F
D
F
And
that's
the
and
that's
the
other
thing
about
tech
debt
is
that
it
it's
very
it's
very
complicated
because,
like
and
for
example,
it
may
be
a
very
good
one
on
Mac
OS
people
just
expect
for
things
to
work.
Homebrew
you
download
things.
They
just
need
to
work
in
Homebrew,
polar
opposite
customization
is
the
word.
Every
single
option
you
can
have
you
want
a
clown.
You
could
have
a
clown.
Basically
it's
your
choice.
So
it's
it's
very
like
it's
also
difficult,
because
I
think
audience
has
a
lot
to
do
with
it.
D
F
D
D
At
that
point,
caveat
and
tour
right.
You
are
consuming
stuff
at
the
end
of
the
day.
The
final
responsibility
for
risk
Falls
on
the
consumer,
the
end
consumer,
producing
application,
because
that's
where
everything
materializes
and
you
can
and
so
I'd
much
rather
know
and
then
be
able
to
make
a
value
of
decisions
and
I'd
like
to
be
able
to
model
those
decisions
better
with
things
like
Vex
statements.
I'd,
like
tools
that
help
me
do
code
coverage
analysis
to
understand
what
the
vectors
for
risk
are
right.
Where
are
those
concatenated
SQL
strings?
Coming
from
right?
D
There's
a
huge
difference
from
County.
You
know
those
all
concatenation
problems
coming
from
static
strings
in
my
code
versus
end
user
input
and
we
all
know
the
SQL.
It's
always
coming
from
a
user
input.
This
is
not
going
to
end
well,
but
you
know
that
you
know
understanding
the
code
paths
and
giving
people
the
tools
that
allow
them
to
take.
The
package
are
not
going
to
shift
they're
not
going
to
move
fast
enough.
D
But
what
do
I
do
right
now
right,
I'm,
sitting
here,
standing
on
this
shoulders
of
giants,
but
the
Giants
have
been
drinking
for
10
years
and
don't
want
to
stop
what
do
we
do?
Maybe
not
drinking,
maybe
they're,
just
sick
I.
Don't
know
the
metaphor
is
tough
but
I
don't
want
to
align
any
of
the
individuals
who
built
the
things
that
we're
depending
upon?
That's
not
the
point.
It's
that
you
know
there
is
no
free
way
to
fix
those
things,
and
you
know
to
my
early
Point
SOS
isn't
going
to
fix
them
either
right.
So.
A
A
You
know
if
you
take
50
open
source
maintainers
that
have
an
identical
problem
and
identical
challenges
in
or
identical
like
activity
levels,
they
may
have
50
different
reasons
for
that
activity
level.
Some
of
them
it's.
You
know
this
is
free
work.
If
corporations
are
benefiting
by
this
I
want
some
I
want.
I
want
cash
out
of
it.
Until
you
give
me
cash,
it's
not
important.
Other
people,
it's
like
no
I,
have
a
family
I.
Just
don't
have
time
for
this.
A
It's
it
was
a
college
project,
whatever
reason
other
ones
that
I'm
drowning
in
stuff.
It's
life
happened
like
whatever
it
is,
whatever
the
reason
is
and
and
I
think
we
would,
we
should
be
very
careful
not
to
paint
too
broad
of
a
brush
stroke
in
that
and
thinking
that,
if
we
just
did
X,
we
could
get
a
significant
portion
of
those
projects
to
to
do
differently.
E
E
To
Michael
and
Michael
here,
yeah
yeah
a
little
bit
and
also
like
I
I,
mean
this.
How
have
I
gotten
where
I
am
currently
well
I
have
done
a
lot
of
work
in
open
source
that
has
not
necessarily
completely
been
entirely
sanctioned
by
my
employer
right,
because
I
find
this
to
be
fascinating.
I
find
this
to
be
passionate
or
I
was
distracted,
and
you
know
not
passionate
about
what
I
was
doing
at
work
and
got
distracted
and
engaged
in
open
source
security.
E
E
I
need
to
I
need
to
make
sure
that
I'm
spending
the
time
on
this
thing,
and
and
like
you
know,
or
for
security
researchers
like
I
spent
a
week,
this
I
spent
a
week
last
what,
before
the
holidays,
engaged
in
in
a
constant
back
and
forth,
with
a
maintainer
of
snake
animal,
trying
to
convince
him
that
he
should
secure
snake
ammo
by
default
and
stop,
and
then
I
ended
up
on
a
call
with
him
in
the
middle
of
my
vacation
to
finally
come
up
with
a
point
where
we're
like.
Okay,
like
this
is.
E
This
is
a
thing
that
we
can
do
to
make
this
more
secure
that
doesn't
break
a
bunch
of
your
end
users.
That's
like
a
lot
of
dedication
to
a
single
library
or
single
project
to
convince
them
how
to
fix
the
dang
thing
in
a
way,
and
this
is
a
bit
of
vulnerability.
That's
been
known
for
six
years,
this
remote
code,
execution,
vulnerability
in
the
animal
parcel
has
been
known
for
six
years.
Right
and
I.
Don't
see
this
as
any
different
in
a
lot
of
ways
from
like
existing
open
source
problems.
E
Right
like
how
do
you
get
more
people
in
the
in
the
industry
to
contribute
to
open
source?
Well,
you
got
to
convince
them
that
they're
they're
not
going
to
get
fired
because
they're
engaged
in
open
source
work,
or
they
can
do
it
in
a
way
that,
like
you
know,
their
employer
is
not
going
to
be
entirely
upset
with
them
right.
I
know
exactly
you
got,
I
mean
you
Michael
and
Michael
have
managed
to
figure
this
out.
A
E
A
E
B
E
B
I
think,
frankly,
a
little
sympathy
to
the
current
end.
Users
is
really
valuable.
Sometimes
I
find
that
the
obvious
fix
well,
hey,
we'll
just
rewrite
the
whole
API
and
everyone
will
switch.
No,
they
will
not
or
it'll
take
you
10,
10,
15
years
of
unnecessary
pain,
I
think
sometimes
when
you're
at
that
point
step
back.
Is
there
a
way
to
do
this
without
causing
the
pain
not
always,
but
often
you
can
and
I
I
think
a
little
bit
of
extra.
Looking
at
that
consultation,
a.