From YouTube: Alpha Omega Project Public Meeting (May 3, 2023)
A
Get started in just another minute if you haven't. Please add yourself to the attendance, and if you have any topics that you'd like to talk about... I'm imagining today will be mostly just open Q&A, so you are welcome to bring whatever questions and whatever discussion we want.

B
I figured I might as well start. I was needing to talk to you about the... I know we talked about making training for Alpha-Omega, and I talked to Tim, and I needed to talk to you about whether you wanted to make that a part of LF's main curriculum. We needed to talk at some point. I just wanted to say that.

A
I totally, yes, I think when we... I think AO, well, the Omega side should have training. It should be part of LF. I don't know that we're ready, like we're ready on our end to do it. But yes, we should. We should definitely chat.
C
I like that, because we could, if you have a certification and you want to work on the project, then you have to get that certification before we give you access to the triage portal.

B
And we do have courses that would tie into that. Like we have one called Smashing the Web. We have two called Smashing the Web. We have an advanced course and a regular course that we're working with Project Discovery on, so there are courses that could tie into that as well.

A
Awesome.

C
Know so it could be with the mobilization plan. There's the, for education, there's the idea of getting badges in GitHub, yeah. So that could be a verification point and...

B
I'll... and also the way our system is plugged into Credly. So when you actually do... that's how you actually verify the certifications, is through their system, because I'm not entirely clear how it all works, but it's very highly accredited and all that stuff. So if we do make a certification, we can make the verification through Credly, so that people could also post it on LinkedIn. Nice.

B
And is Smashing the Web the first, the basic course on just how to do... like it's basically a bug bounty type of course, yeah. That's free! The advanced course we're gonna not make free, but pretty much the difference between the advanced course and the regular course is: the advanced course goes into automated bug finding, which is something that I was gonna... I was talking already with Jonathan about as well, and the free course teaches you how to do it manually. Okay.

E
So is the free course similar to what's available in, say, PortSwigger, that has hands-on labs on, let's say, how you find cross-site scripting and that kind of stuff? Is it, yeah?

B
That's more application security. This is more specifically about bug finding. It's like, if you wanted to get into bug bounty, how would you go about doing that, with many of the people that we've surveyed having a limited knowledge of coding? So like trying to get them up to speed with what they need to know about code and how you could use tools like Semgrep. We cover Semgrep, we cover stuff like that in the initial course, but we don't cover how you would go about making a pipeline.
D
Hey everyone, I just have a kind of beginner question on security and open source. So let's say, like, an Omega project, if I'm working on it, and let's say I identify some vulnerability that's in multiple repositories. What's the way to approach, say in general, these organizations? And if I put this information in public, since it's open source...

D
Does that mean I'm violating the rules or something, since it increases the possibility of someone...

A
Yeah, and so this is a super timely discussion. We're having this conversation multiple times a week, because we have the tooling to find lots and lots of vulnerabilities. We do not have the people to scale out manual reporting to hundreds to thousands of repos. If you find it in five, that's different! You know, you can do it. Do it, five, but you know, at a certain point...

A
You know, automation is key, and I think we would all agree that there isn't an industry solution here, or an ecosystem solution.

A
GitHub private developer vulnerability reports, where they're used, can absolutely do this, but they're not prevalent enough that, you know, if you pick a random project, it probably won't have private vulnerability reporting enabled. We did, just to plug my own thing, I did write a proof of concept tool to, you know, given a package, identify all the different ways that you could privately report, from email addresses to Tidelift vulnerability reports, things like that.

A
You know, so that can certainly help. It's not doing anything magical that you couldn't just do by looking at SECURITY.md and the README and other things like that. But it saves you the time of having to do that, and if you have to do that n times, it'll save you n times of work. I'll put a link to that in chat, and if you think it's useful, or it's like 80% useful, please let me know what would make it the other 20%.

E
There you go. And as far as the policy level goes, I mean, the document that Jonathan is creating, that should be a good guideline of, when you actually find a vulnerability, what is the responsible way of reporting it to the maintainers.
F
Yeah, I'm actively working on a specification defining how to automate vulnerability fixing at scale across open source, and bulk generate security fixes at scale to report to a bunch of projects all at the same time without upsetting maintainers, but also doing so in a way that attempts to keep it private. Traditionally, I have just opened public pull requests, and, you know, like, but I'm doing it on the scale of, you know, tens, hundreds or thousands of pull requests.

F
That works, you can... I mean, if you're trying to report to a bunch of vendors, they're better, CERT's more... I mean, I could be completely saying this wrong. I think that they are better set up for reporting to a bunch of vendors, for example, Oracle, Microsoft.

F
You know, like Apache Software Foundation. If you have a vulnerability that spans all of those, they're better placed. They're not necessarily as well connected to... I mean, they're also leveraging existing connections and relationships to communicate that information. They are gonna end up... if you found a bunch of projects with the same vulnerability everywhere, they're gonna have to do the same legwork that any one of us would have to do, which is, you know, go to every single project. That being said...

F
Well, kind of, I don't know, there was a vulnerability...

F
What, three years ago? Let me pull this up real fast. There was a vulnerability in some C code that was vendored a bunch of places.

F
Certain involvement vulnerabilities, three eight two, three zero one: it was a CVE, it is an R hostname array overflow vulnerability. It was a 2020 vulnerability. Some chunk of code ended up being vendored across multiple different open source repositories in C, and GitHub used the bulk pull request generator that I wrote to bulk generate fixes for that across a bunch of open source projects. So that's... you know, then that was CERT coming to GitHub and saying, hey, we've got a problem, and GitHub saying...
A
Hours of work to privately report something, including the back and forth, on average. Then whether the finder does it or we do it or CERT does it or somebody else does it, it still costs the same. And honestly, if you dumped a thousand, you know, issues over to CERT, I think they would come back and say, sorry, we're not a... you know, I don't think that would be the issue clearinghouse. If you had one, that would be fine, or three.

A
That would be fine, but yeah, at scale like that... But that does actually raise another point, which is, you know, would it... do we think that it would be useful if there was a... and I'm just throwing this out there, there's no promises, this is just ideas and brainstorming... do we think that it would be useful if there was a funded team that did this legwork, where they were essentially a funnel for validated... like, you have...

A
You know, a good faith belief that this is a real vulnerability that really affects something, but you do not have the cycles, or for whatever reason we think that it might be better for a team to do this stuff, because they would get better at it over time and they could develop tools to make themselves more efficient, etc. But essentially you could feed those thousand vulnerabilities over to this team and the team would handle the rest of it.

A
You know, finding the maintainer, reporting it, doing the back and forth, making sure that CVEs are issued and that the thing gets fixed, and that service would be centrally paid for by, let's say, OpenSSF or Alpha-Omega or something else. Do we think that that service would be valuable enough to... that's...
B
Would it be valuable if we had a paid group that did this? And the community, and I think Probe has the paper somewhere, but the community came back, it was kind of like, we would prefer if it was volunteers. And yeah, we made a whole plan last year based on what we found. But I was part of the team that went and talked to a bunch of people. I'm...

B
I think that was... There was, yeah. They wanted people that were actually involved in the community, not a bunch of randos that now came in and submitted a bunch of stuff, and yeah. So we made a whole plan based on volunteers, and instead of reporting stuff and going down on people...

B
And it was one of those things, but I... like, there is a plan that exists of an OpenSSF CERT, but I think it's in limbo or in flux at the moment.

H
I believe that actually there's a proposal, I think it was brought up to the governing board to decide whether or not to fund, and I think that's where it is currently stated, because as long as you don't need funding, that's one thing. But as soon as you need a significant amount of money...

H
I think originally there was a plan for funding, significant funding. It wasn't just volunteers.

F
How many of these people that were queried actually have been in an incident? Like, for example, the people from ESLint, or other projects that have been actively attacked. Like, I get, you can ask for what you want if you've never been through it, but I feel like if you've actually been through an incident, your ask would be very different.

B
I think it... David, correct me if I'm wrong, I think that right now they wanted comments on the rewrite, correct, before... I'm not sure. But you are right, Jonathan. I don't think that we talked to a lot of people. Like, we talked to a lot of people in the community, like the kernel people, a lot of packagers, because that's what I know, but we didn't talk to ESLint specifically. You can, but yeah.
A
A mental model: the mobilization plan, which was described as a volunteer fire brigade. So Log4j happens, or, I don't know, pick on Apache Foo happens. Foo is super complex and hard and touches lots of different things, and the maintainers are like, oh my God, I'm overwhelmed, I don't know what to do, like how do I manage multi-party... you know, private and coordinated disclosure, like I'm...

A
This is my hobby, not my job, and this body could come in and provide that professional-level support to make the problem less problematic.

A
I mean, this is also hard. Any movement forward is good in all these things.

B
I know that things that we wanted to do was talk to the Apache security team and the OpenSSL security team. We wanted to talk to existing security teams and see how they see it, including Google's zero day team and the bug bounty community of interest, and we wanted to also talk to the CERT and Red Hat and different vendors and see what they thought. We never really got around to that yet. We talked, as they said, to kernel people and packagers, distros, people that I work with.

B
And if you actually go into the plans, you'll see that the tables are broken up, where you have estimated individual hours and estimated volunteers. Because, as I said, most of this plan was kind of done from the point of view that most of the people involved here were going to be volunteers, which were kind of the group that is the CERT or that meets with the CERT. So yeah.

A
Oh okay, it looks like... so if I were to just, in looking at the scope, like this is, you know, well, I guess it depends, and that's the problem, is that with volunteers, if you get an hour a week, you know, that's very different than having them for, you know, a day and a half a week, right, in terms of what can get done.

A
Right, okay, so let's do that. So for AO at least, since that's a little sphere I have some control over, let's pursue this as another potential kind of last mile reporting mechanism. At the same time, though, I still feel uncomfortable with, like, well, it would take us five hours to do it, so maybe we'll give it to this other group and have them spend five hours. Like, it doesn't make anything more efficient or better.

A
It's just shifting work over to somebody else who, unless they really are going to be more efficient at it than we could be, then it's a zero-sum game. The...
B
The biggest thing about it, if I can mention something, that is shocking about all of this is that a lot of it was not so much like... We thought a lot of it was going to be a fire brigade, but from our initial research, they wanted more of, like, help us prevent this from happening, and help us from... in other words, almost post-incident. So if you read the plan, it's in there, but yeah, it was.

F
Which I disagree with. You don't need... I mean, I hear what they're asking for, but you have a fire department because... happens, right. I mean, I agree that, like, you have a fire... whatever, for the town. It's like, you know, I set codes and it means you can't have a certain number of people in a space that's bigger than this, but at the end of the day, your fire department shows up because there's been a fire.

A
Correct, yeah. So what I suggest is, if you read the README, because it does clarify what this is. At least from this, it seems like the CERT's purpose is, when open source maintainers need help, the CERT is available to help. Correct, but dumping a thousand vulnerabilities on the CERT and saying, hey, could you go out and find the maintainers and make the right thing happen?

B
I'll read the whole thing, and let me also say this, not to be like that about it, but we had some issues completing section two, so Probe and I ended up completing it. So part of that was kind of like, after we surveyed people, we're gonna develop a set of core services, because initially we kind of wanted section two to already have core services, but we found out that it was going to be really difficult to define those core services with everybody's opinion, because there were a lot of people that were like, well, we already have the security team.
E
Cool. So if we narrow it down to the vulnerability reporting thing, and that's what I think... I mean, my interpretation of what Campbell was mentioning initially, and what I've also seen overwhelmingly by speaking with the maintainers and so on, is that there needs to be some compassion involved. It's a human game.

E
So there's the fact that there's somebody on the reporting side who is a human being and will be responsive when there's something needed, and will also be coordinating with the maintainers.

E
It's just not like a random dump. So from that perspective, I think it's a very important point that the reporters also need to be... it's not a clearinghouse, it's more like somebody who's also involved in the discovery and the triaging process.

E
So if there's suddenly one thousand vulnerabilities and it is dumped to a clearinghouse, then that's a difficult proposition. But if it is that there is somebody who's also involved in the discovery and therefore has more skin in the game, then basically it becomes much more sensible, and the maintainers are more responsive towards that kind of approach as well.

E
So I would like to know about how the triage portal is coming, and so it's basically because we also have our own portal, and at some point we want to code in it actually. Like, I want to stop developing the triage portal and start using the Alpha-Omega one, and so there's two things. It would be great to have some visibility. At the same time, we also have a lot of anecdotal evidence of what works and what doesn't, because this...
A
Totally agree, yes. It will be available very soon. It's just bugs at this point in trying to get it available. Although you said... I think Suraj is chatting with you later today as well. So yes, hopefully imminently something will be available to start kind of playing with, and then at that point we would love your input, and presumably...

A
...it like locally now, if you want, but yes, you know, we definitely would like it to be as end to end as possible. Ideally I would love the "report it" button at the end of it and have it do whatever magic is needed behind the scenes to get things out and then track it, and all of that.

E
So we were planning to actually deploy it next week or so, around that time, because I was also thinking, I haven't looked into that, but we're also thinking that it's publicly available, so it could be deployed and so on, in a lot of setups. And the question that I was referring to is, at that point, if we have some feature requests and etc., where do we go to do that? Do we just file issues in the repository, or...?

C
Yeah, you can go ahead and put issues in the repository. If I can find some time between now and Vancouver, I'm trying to draft out the mentorship program plan, which is going to essentially be the engineering piece that Michael was talking about, the end to end, and then drafting that out to see what our mentees can do with the mentees we assign to those pieces. And then, if you want to add features, or maybe collaborate with that, that is something that I can share with you once I...
A
To David's question, the relatively new effort, so OpenSSF... okay, so yeah. So we have a couple things that we're going to be announcing next week. I'll give you the preview. Preview number one is: we will be funding a security audit of OpenSSL 3, or 3.1 technically. It'll include a pretty good scope in terms of, you know... Jonathan, you've turned into a keyboard and you are muted, but...

A
The world we deserve. Anyway, OpenSSL 3 security audit kicking off shortly, will happen over the summer, and presumably by the end of the summer we'll have a public report out.

A
One I'll quote about in general, I don't want to, because we haven't signed it yet, so I don't want to mention specifically, but as far as memory safe languages go, we're going to be investing a nice amount in improving, essentially advancing, memory safety in very practical terms. So there'll be some specifics that we'll be able to talk about next week at OpenSSF Day.

A
So I'm excited about that. That's what we're doing! We have a couple other, say, Alpha-ish engagements that we're discussing. Some of them are around, you know, better vulnerability reporting, kind of scaling out what we do, some of the last mile stuff in terms of reporting, things like that.

A
Me, do you want to mention a little bit more about the mentorship program, just for those that aren't aware, although I'm not going to assume anybody knows anything, so.

C
Yeah, so we just closed out our mentorship program last week. Jonathan and I reviewed and we started interviewing some of the candidates for it. We're hoping to finalize on the interviewing by May 17th.

C
So our candidates could have details when, was it May 24th or something, so at least there's a week to get paperwork and documentation signed. It is a 12-week program where you're going to be working with myself and Jonathan on the engineering side, which is what Michael was mentioning earlier: just kind of the formalities, operationalizing the workflow between the different components.

C
Getting, you know, once you analyze a package, being able to send that package up to the triage portal and then the researchers able to be assigned and move forward and report the issue if it's needed, and then on Jonathan's side, some of the security researching, and I'll let him talk about that piece if he's done with his keyboard, so.

F
TL;DR, looking for people.

F
To work with me on recipes to fix vulnerabilities at scale, and we interviewed a... yeah, so we're just going through the process of interviewing mentees and hopefully going to find some people that maybe have a mix of security background, but I'm predominantly looking for compiler knowledge. So yeah, yep.
A
We continue to get reports in from each of the Alpha engagements that we do, so Rust, Python, Eclipse, jQuery and Node, so those are all in the GitHub repo. So you can see good progress there.

A
But a bunch of those have hired full-time folks to do the work, so we're excited that that will, you know, pay off, continue to pay off over time.

A
Assurance assertions, and I think I mentioned this last time: if you have not seen it and are interested, I can do a demo or whatever. If not, here is the link to it again. The purpose is to provide facts in a policy framework about the security quality of a particular package so that you can set up your own gates to flag, disallow, or make whatever decisions...

A
...you want based off of objective information about a package that is not currently available through other means. So, you know, everybody can do CVE checks and everybody can do Scorecard data and things like that.

A
But, you know, I don't want Semgrep or CodeQL to find SQL injection in a non-test directory of any package. I...

A
That would be a really hard question to answer today without building up, effectively, assurance assertions. So that's part of AO. We're kind of looking for, at least I'm looking for, volunteers and use cases and "hey, I really want to use this, can it just do X", that kind of thing, like turning it from a proof of concept into something real.
I
Hi, so how do you envision seeing this used? Is this... I just checked out a package and I thought I'd look at Kubernetes, so I typed in Kubernetes to search and I came across several things that mentioned Kubernetes, and I was thinking, all right, well, how would I make use of this? I see some of these are not actively maintained, which is helpful.

A
Yeah, exactly. So it doesn't solve all problems. It doesn't solve the last mile back to you, your organization, your values or whatever. Like, for this case, for that particular, you know, one bit, not being actively maintained.

A
It would be a reasonable organizational policy to say, I don't want to use any packages that aren't being maintained, or I want to pay special attention to them, or something like that. So, you know, the fact that... so for this one, you know, I'll post a link to the one that I'm obviously looking at here. Actually, now I'll just share it, and then...

A
You know, number one, being able to see that through an API means that you can suck this in and do this in whatever systems you want. But more importantly, you know, having the underlying assertion. So this is the latest assertion that I have. So this is just Scorecard data, but...

A
Playing the long game, yeah. So, okay, so let's just give it this way: the link in chat, oh yeah, I already posted it. So, okay. So to answer your question, how do I see this being used? I see organizations set up a policy that says, of all the open source that I use, I want to rank them in some way, or I want them to pass these things, and organizations can make up whatever policies they want.

A
This is more of a framework with some opinions, but organizations can have completely different opinions. Maybe being actively maintained is just not at the top of anyone's list; what you really care about is that it doesn't have public CVEs, or that it actually has a license declared, or doesn't have SQL injection, or whatever.

I
Looks good. I see there's an API section and you can also do meta links to the specific UUIDs. So I can see this being integrated into workflows or quality checks, policies, yeah.
A
So I'm gonna put a link to one with more data, which might be more interesting. So this is... so you know, a couple of these we've made sure were fairly complete, this cheerio package. You know, in addition to, you know, like, okay, so it was scanned for malware, critical findings with static analysis, and then for each of its dependencies, in that second tab, showing, of the dependencies that we've analyzed, how they fare against the different policies.

A
Should be Go, yeah, yeah. If you just search for like "go-", they are technically GitHub packages. I think, I don't know if I have any...

A
...have any Go packages that are not also GitHub packages. A package doesn't mean npm, it just means... it technically means a package URL, so it can be GitHub, it can be npm, it can be Go, in this case GitHub.

D
Yeah, this might be a slightly off topic question, but I was wondering, what is the downside... is there any downside to doing large scale pull requests if you're doing a security fix? How is the test cases?
F
No. To answer your last question first, no, the idea is that you should always generate code that doesn't fail CI, hopefully, right. I mean, so I've been using a technology called OpenRewrite, which is a format-preserving abstract syntax tree transformer, and the idea behind it is that we can generate security fixes that manipulate the underlying AST and generate new code that matches the surrounding formatting.

F
So, even if the CI build has something like a style linter on it, you should theoretically pass that because you're generating code that matches the surrounding formatting. And then, ideally... I mean, the one thing that I've run into issues with in this work is, like, I will bulk generate several thousand pull requests to fix a vulnerability and...

F
"Thank you so much, can you contribute a unit test?" And my answer's generally no. It's really hard to generate code to fix your vulnerability. I can't also understand your code well enough to also include a unit test to verify the change. That's an even more complicated problem. So in general, it's pretty easy to fix the code and do so in a way that, well, okay, it...

F
It is now easy to fix the code in a way that's format preserving, currently only for Java, because OpenRewrite only supports Java, but they're working on adding support for Python, Kotlin, and they'll be expanding the support of other languages soon. But yeah, I don't know, and manoir is doing something similar with OpenRefactory, and you guys have Python. Do you guys do format preserving, or do you just fix the code, so?

E
It's Java, Python on Google, but off topic, off topic. One other interest to me is, I just found a YouTube video just yesterday. Somebody doing a bulk fix on the zip slip vulnerability and also received like five thousand dollars of bug bounty, and I thought it was you, but it wasn't, so I'll share the video with you. Yes.

E
In Java, and so.
A
Everybody gets eight minutes back now. Don't thank me all at once. Thank you all very much. I appreciate the conversation, looking forward to next month. If any of y'all will be in Vancouver next week, I will be there for the day on Wednesday, so hope to see you there. Otherwise see you around. Thanks, Paul, thank...

F
Kind of fun when you do subdomain scans of, like, the OpenSSF and you find different domains that are not necessarily obvious, that are present, but you can track them down.

H
So, basically, I mean, I think... I don't know if it's formally called a cease and desist, but we got a letter from a lawyer. I think technically, legally, we could fight it, because we're not using it that way, but we decided, you know what, in general we try to work with folks. We try not to, you know... unless there's some strong reason, we try to be cooperative, and so yes, the plan is to change the name.

H
But since that decision was made Wednesday... I'm sorry, I think that decision was made two days ago. Yeah, you know, I mean, we just got it. I think we got the letter on Monday. We decided, you know, that's not worth fighting, and we'll change the name. I may not be getting the dates right, but I mean we're talking a few days, so give us a couple of days.

H
You know, I'm sure it could be done somewhere, but things take time, so, and to be honest, it probably wouldn't be a bad idea to have a temporary redirect, so that, you know, because that helps encourage people to use the new name as opposed to "here's a mystery fail". No.

H
I don't know who.

H
It's generally for downloads, but if you want to download drivers from weird dodgy places, because you'd like your hardware to work, welcome to it. I...

H
Yes, but that doesn't matter, because they'll just demand that you download a client and download the file, because that's how they serve it. Yeah.

F
I also don't know why more... I think the ASF has the policy, or has had the policy for a long time, that binaries are offered or...

H
I am not... I have no authority, and I mean, I know Apache Software Foundation can do what it likes. Oh yeah, I mean, they're friends, yeah, but.
H
All right, so in any case, we're on our... This is obviously not related to the topic, so.

H
You want to continue this conversation, that's great, but I think we're kind of hijacking this for an unrelated discussion.

H
But in all honesty, if you see an issue, like, I suspect that FTP probably was just, you know, the PR, it probably just adds it by default. I guess there is an advantage in that. It says that we don't have one, yeah.

H
So, you know, interesting, yeah. And this actually, though, does bring in the issue that we talked about earlier, which is, just because it ends in openssf.org, that does not necessarily mean that we control the service behind it. slack.openssf.org is a great example of that, where, correct, we use Slack, but obviously we cannot just say, hey, go attack Slack, even though we use it. I mean, that doesn't... I'm kind of hoping that that's kind of obvious anyway, really, you hope.

F
Anything, nobody's updated their scope document in a while, hey Gradle, you...

H
Oh, it is a good idea, but I mean, that's true for all things: keep all things up to date. That turns out to be hard, and again, talking about the theoretical versus the real world.

F
Yes, and the way that I did this for Gradle, when we did that document, is I said everything under this subdomain, so *.gradle.org, is in scope, except for these things. Yeah.

H
That's dangerous, because if you go out of scope, you're going to accidentally appear... you know, I think you're better off doing it in a way that, if it goes out of date, which is going to be a certainty, it will, no matter what, you will make a mistake, making it so that your mistake is likely to lead to not-bad behavior, I think, is the important part. But basically the default should be the safe answer, where you...

H
Well, that's... you know what, I've heard that you're right, but it's been a pain in the ass a whole lot in my life, so yeah. And, you know, if we can find ways to automate this more, I think that would be entirely plausible, but yeah, but anyway, let's keep that conversation going, but not right now. Right, right, no, I agree. All right! I'll talk to you later. Please do, take care, bye.