From YouTube: Alpha Omega Project Public Meeting (March 1, 2023)

E
So maybe we should... my understanding of this public planning meeting was more for an opportunity for people to ask questions of us and plans and things, and, you know what, I... we have a... We have public meeting notes, but we don't have anything for today. Can I propose that we fix that? Yes.

E
Okay, let's see here, I have added myself.

E
Okay, let me post this. All right, so I mean, I don't think so. My understanding of this meeting was not that we're trying to have a... it says "public meeting." I think at one time it's called "public planning," but I think it's more of an ability for people to ask and find out what's going on.

C
Yeah, I think that's the... the go... I know Michael usually has, like, a presentation just giving, like, project updates, right, but I think, wait, see if...

A
So Michael posted in the Identifying Security Threats group that the meeting following this, of the Identifying Security Threats group, he won't be able to join that, so he has someone to take over and I volunteered. I was not sure about this one, so... yeah. Apparently it looks like he may be unavailable for this one as well. Okay.

E
And missed this one, and that's, you know, if he had to do that without any prior warning, then that's totally expected, or...

E
Okay, yeah, because usually he gives a brief presentation update, and I wasn't prepared to do the same for him, because I thought he was doing that anyway.

E
We're not prepared, yeah. I will also note that, you know what, you know, it doesn't take me long at all to riff on something, and I think I do know something about this topic. All of us, all of you should be... all of us should be able to give the brief, you know, what is AO's pitch, hopefully by now. That said, I have to admit I've, you know, I'm in so many different things.

E
There have been some announcements of some reviews, and including things that are kind of AO-adjacent as well, so we can certainly talk about those things, but oh, and we have Sebastian Crane. If you know... I'm going to add you to the list of people here.

E
Yeah, do you, dude, I'm guessing that you already know what Alpha Omega is, but I mean we can go give that pitch too. But there's no point if everybody here already knows what it is. I think we do, so...

E
Oh okay, all right! Well, you know what, I don't think that we need to rehash that unless somebody here actually wants that, because, oh.

E
I'm kidding. Hey, you know what, I'm good with that, I mean, but as far as I know, Alpha Omega is still the same basic construct. Alpha is focusing on a relatively few critical projects, very fun, to really improve them, and then the Omega is all the analysis. I do think that there's something that is slowly transitioning, well, I mean, transitioning exactly, but at least for now a tweak in the Omega focus, and Jonathan, frankly, you represent it.

E
So let me state it for the record because, although I think we've said it before, I'm not sure how much that's written down, and that is: Omega is all about the larger set of programs. How do we deal with that? And so, you know, for a while we've been saying, hey, we're going to use tools to find vulnerabilities. That's still true; however, and Jonathan, you're very much representative of this.

E
As we've talked about this, one of the things that's not happening in really any other place is the looking for those cases where a vulnerability is common across a very large number of projects and trying to get vulnerability patches proposed to a large set at once. Currently, you know, pretty much every project works independently, and if you see a problem in one program you report it and maybe it may get fixed in one, and so one of the things we basically have added to the Omega toolbox is, well...

E
We already said that we're going to handle a large set; perhaps the better way to handle a large set is to scale up by creating these more autom... you know, in a more automated fashion, these vulnerability fixes.

E
We've said that in some circles, but I'm not sure how publicly that discussion has been made, and really it's a tweaking as we go down this path of turning Omega from an idea into practice. Tell me if I said anything wrong or you want to clarify something. Nope, nope. Okay, and by the way, I keep pointing out poor Jonathan, saying he represents it, because, you know, in our discussions, you know, there's a huge number of really awesome security researchers, and that's great.

E
On the other hand, when we started talking about, hey, how can we scale things up? It turned towards, well, wait a minute, although there's lots of researchers, we only know of one who's focusing on the "how do I create a large set," and Jonathan's, frankly, the expert on that topic, so you ended up being the person we pulled in.
B
No, so there's now manoir, you know this, Sebastian, you may not, there's...

E
Right, and now we are aware, I mean there's pros and cons. The big pro to doing this, of course, is instead of fixing onesies-twosies, we can start fixing broader common problems, which is something that, you know, I think is not just me but a lot of people think has value.

E
A big negative that Jonathan's alluding to is that, you know, typically each suggestion, each issue is written by a human. The patch is written by... you know, if there's 300 different programs that need to be fixed, that's 300 different patches written by 300 different humans, and instead creating automated tools where we really, really focus. The big risk, of course, is that it could look a whole lot like spam, and that's not the goal, so...

E
Trying... so Jonathan right now is dealing with the unenviable task of trying to, you know, work with the larger community to make it clear this is not spam. We're trying to fix a real problem in a scalable way, and, you know, I am sure that we're going to... we've already gotten some pushback, because it's new, it's different, and frankly I think their developers are rightly worried that if you just run automated tools and they produce garbage that they're going to be overwhelmed with garbage. I think that's a legitimate concern.

E
I think that's a concern that can be addressed, but we're going to have to, you know, work to make sure that we address it, and that's okay. I'm talking about your... what, some of the stuff you're working on, so feel free to correct me and expand on.

B
You know, I built data flow analysis inside of OpenRewrite to have a certain set of characteristics that I needed for, you know, short term, like this is what I needed for the Dan Kaminsky Fellowship, and I'm like, this is not sufficient. I need more, so yeah, yeah, yeah. So that's, you know.

B
At a high level, I should probably put together a document for the meeting today discussing some of the proposals for, like, best practices that I consider around automated vulnerability disclosure, mostly pulling from my slide deck of "these are the things that I've learned and people have been shot in the foot by," so.

B
Yeah, I mean, dataflow traditionally flows from argument to, or variable argument to, into the return value of the method, right, like it... or it can, but.

B
Taint can also flow from the argument to the subject of the method call, yes, subject being also known as the qualifier, and so I currently support, you know, flow from arguments to return value of method, but not argument to...

B
I'm working on that. That's the current thing that I'm trying to tackle, is side effects of the qualifier, side effects on the qualifier. Okay.

E
Okay, yeah, Jonathan, I don't know if you can see what I am writing here, but.
F
No, I also have a bunch of shiny graphs that I made for... I was working on adding case... I was adding control flow analysis for case/switch statements.

B
So previously, I generated, like, 165 pull requests to fix Zip Slip across the Java ecosystem. I also fixed a vulnerability called temporary directory hijacking, partial path traversal, and temporary directory local information disclosure. So those are the three things that I tackled with automation.

B
You know, long term would love to support stuff like SQL injection and stuff like that. But, you know, data flow needs to be more complex to support that, so the data flow control analysis that I'm working with only supports single-file, not multi-file, data flow and control flow analysis. And if you really want to tackle SQL injection, you really need that. But it's a bigger problem, like first off the problem of writing the data flow and then there's the second problem of actually leveraging it to actually generate a fix.

B
I'm using OpenRewrite as a format-preserving abstract syntax tree transformer, and yes, oh, the other one that I tackled was Zip Slip, which is... so that was, that, right. I said that, yeah, so using data flow and control flow analysis to determine: is this vulnerable to Zip Slip and, if so, fix it.

H
Right, to see that... that's really interesting, because obviously parsing into an abstract syntax tree is difficult enough that compilers are a field of their own, and to...

A
Look at OpenRewrite, because they preserve all the whitespace and formatting, and then you can generate new ASTs inside of the tree to generate a diff, and the new ASTs will match the surrounding formatting.

E
Yeah, yeah, and that's really, I think, the key step here is, you know, creating a patch that we know can't, won't be accepted is no bueno, so, you know, being able to make it fit right into their existing software is key to this. Yes, yeah, and I think, Jonathan, although it's, you know, automated creation, I think the notion was at least reviewing... yeah, I've forgotten what the plan was for review of these proposals before they started going out, but.

B
The changes, the diffs, yeah, what in general was, like, a best practice or in terms of, like, in...

B
Myself, as a, you know, as a one-off sort of event, and the longer-term goal is just the long... well, short-term goal is to set these things up as continuously running campaigns to automatically generate pull requests into the future. You know, and that will mean that any cases of these vulnerabilities that actually appear in open source moving forward will just get cleaned up immediately.

E
But I think the goal is, at least what I suspect would be best, and so let's have this discussion, this is a public discussion, would be, you know, just like certain other tools that are highly critical. Usually you start by, you know, developing it and then releasing it out to a test community, for, you know, test it yourself, small test community, and then you grow out. In other words, oh, it affects, say, 500 projects that we, okay, we're going...

E
We don't... that we don't cause a burn... a lot of bridges and create a lot of ill will.

E
I think, I know that you've done some of that before, I think, and I know that, yeah, I think we ought to be careful about writing a lot of that down, because I think that's important. I think that we're also allaying some of the concerns, primarily basically that most developers are really busy, they're overwhelmed, and they don't want to have a lot of useless spam that they have to trudge through, and I think that's...

E
The main fear from the automation is that they're going to end up with all these automated proposed changes that are garbage into their time. I think totally we just have to... we have to do it and explain how we're going to do that.
B
Oh, ClearlyDefined. That's... is that that project, that's the licensing project, yes.

G
Yes, apologies for our regulates. I just want to learn a bit more. I just joined the OSI this week and I'm still learning, so I'm just watching for now.

E
And I guess the other thing would be, regard... coming back to the spamming thing, the worries about spamming and overwhelming, you know, I imagine that we want to, again, do it incrementally, do it in batches. You know, whenever there's an indication that, hey, we want to change 50 million programs, you know, let's, you know, basically, you know, do rate limiting or something to prevent it, to prevent...

H
Have you considered some kind of self-service online portal, so even when a project isn't part of your initial sort of test sample, people can voluntarily put their project on a list for the automation to run, and so they get a preview of what this kind of technology could help?

B
So for security fixes in general, if you're curious about OpenRewrite and Moderne, they have their own SaaS and you can opt in to get your projects included in their data set. You can run any of the recipes that they have for the security stuff in particular.

B
Maybe the idea is that, like, I mean long... so the long-term vision is... so short term, right. Unfortunately, in order to fix vulnerability to scale across open source, you can't... you have to generate a pull request. You can't create a GitHub security advisory privately and disclose the vulnerability there, because GitHub...

B
...doesn't have an API for automating the process of opening GHSAs, and so you end up, like, as you're fixing these vulnerabilities across open source, you end up 0-daying a bunch of projects. The long term, the idea is that we can, if GitHub can add an API to support opening GHSAs via that, by an API, that we can work towards privately disclosing vulnerabilities at scale through automation. Yeah, I don't know, that doesn't quite answer your question, but, or maybe it does, I don't know.

H
Yeah, that's interesting. I suppose what I was referring to is the possibility of having an opt-in, explicit opt-in to this program, because you've mentioned earlier that you don't want to go and sort of spam everyone. At the same time, you want to start out with a small sample, check that the results are high quality, but ultimately some people will want to have a go first and kind of jump the gun.

B
Is there a place for that to, like, you know, give those to certain projects ahead of time? Yeah, that's not unreasonable. I can, yeah, I could do that. That's actually pretty simple. There's a project in Moderne called Moderne organizations, and if... and it's kind of tied to me and my name, but I could create a list of projects specifically, like, that want, like, early preview, like, early previewers, to be part of that feedback.

E
I would suggest it be somewhere in between. In other words, you know, by all means, Jonathan, you know, first look through, filter out the ones you know aren't wrong, and then, when it looks like it's okay, I mean, you know, my thinking is, and it sounds, I think this is what you've been doing anyway, is you start releasing it to a small set and then to a larger set, and right now I think the thinking has been that small... I mean, you've been picking the smaller set.

E
If I understand correctly, but I mean, if there's a group of projects that are especially active and they're interested, I mean they could certainly be included in the small... in the initial tranches that were okay, you have a larger set. If, you know, it would apply to, but I'm guessing you want to start by sending it out to a small set, see if there's any screaming, complaining, and then grow it out. This is about... this is the same way that web browsers get deployed. You know, Chrome releases a new version of Chrome.

E
Yeah, yeah, there's something, deploy... I think there's a... anyway, there's a name for this when you're going to deploy it among a very large set of things, but you want to have early warning that there's a big problem: hey, I'm deploying the new version of Chrome, but it doesn't work if you have an HP printer attached. I'm making this up.

B
There is a... phased deployment, yeah, phased rollout or something like that. Yeah.
B
One other thing: Moderne, I said this in the AO chat, but, or the private, okay, Moderne just added... so CodeQL indexes, like, 30,000-plus open source projects, and I had that list of projects and I gave it to Moderne and said, hey, can you create parity with that? And so they are starting an ingest job to hopefully create indexes to parity the number of projects that OpenRewrite, or sorry, the CodeQL indexes. My...

B
Security researchers write a CodeQL query, see how widespread the vulnerability is, and then turn it into an OpenRewrite recipe to fix it, and so this will make it easier to just, you know, start with an OpenRewrite recipe, or, you know, make sure that what CodeQL finds for a result will actually be something that will parity, hopefully, the scale of the fix, that we can fix the vulnerability, the open source project, we can fix.

E
Okay, so I just did a lookup. It looks like "phased rollout" is one of the terms used. So let's use that, at least for now. Basically, we could allow a project to opt in to be part of the first phase of a phased rollout. So at that point you've done the analysis. You've looked across a very large set of projects, but that's not how we're going to deploy, because, even though you can see exactly what the code change is, maybe there's some weird surprise problem with it.

E
And, you know, you look it over, everything looks good, you know, or it could be ten. Let's make that simpler. You know, so first roll out to ten, everything looks good, you hand-reviewed everything, looks good, they're the first phase, and I don't have any problem with projects opting in. I guess the only concern I would be having is if... I guess most of these, most of the ones are ones where it's not a grand secret that their vulnerabilities are, they are, or are they, what I mean?

B
...-java-... sorry, rewrite-java-security and...

E
All right, so I guess, yeah. This all comes back to the challenge of the defender, which is you're trying to defend the software without helping the attacker too much, and it's always a judgment call and trade-offs, because obviously attackers can do analysis and find vulnerabilities and attack. That's what a whole lot of them do.

H
So one thing I hear is that the git history often has a lot of contact details which can be used to make private disclosures, even when GitHub itself doesn't provide that option.

E
Yeah, the lack of private disclosures has been a big challenge. I've been whining at GitHub for years, and whining is probably the accurate term here. They've heard from me too many times, the tutu group as well.

A
I'm just curious, David, what's the pushback from them like? What's the rationale? It all makes...

E
Actually, the previous, you know, okay, they're private discussions, so there hasn't actually been a pushback, to be fair. It's, they're not saying, oh my gosh, we're not gonna do it. Instead, it's "sounds like a very good idea, we'll get to it."

B
Yeah, they're not having... it's not opt... it's not opt-out. Currently it's opt-in, and I've talked to Gray and his response is: we've just released this thing, we're not going to make it something that we give to everybody and... like, we're not going to force it on everybody immediately. We can't do that. Yeah.
E
Let's see here, okay, I just did a quick search because they've been saying this a while. So, and my apologies, you know, there are a lot of things to keep up with, so I just did a quick web search and I found that, you know, they've been saying for a while they're going to support this, so it looks like they've actually, finally, added it. It's in beta, you have to configure to turn it on. Yes, yes.

A
It was introduced in the GitHub Summit this year or last year. Yes, one of the big features that were introduced, but yeah. It is now opt-in and not opt-out, and they have initially had some, I mean, based on, again, public data, initially have some success on some people opting in, but then lately it tapered off, and I mean some of the stuff you need to probably, like, yeah, I don't know, I mean there's obviously some politics or some understanding that's behind...

A
This decision, it's just, from somebody like myself who's outside, it just makes sense. So I'm just curious, like, if you have some insight about the rationale behind them not, like, making it the default, and then people opt out if they don't like it.

E
And, you know what, having operated operational systems before, I actually salute the attitude. Really, there's nothing worse than a service that you don't directly control that constantly makes changes that screw up things, that cost you lots of time, and, you know, I think in general it's this, that, you know, they've never told me, oh my gosh, this was a terrible idea. I mean, to be fair, it's back when Microsoft was acquiring GitHub.

E
This was actually one of the things that they said that they did intend to do, so even before they were bought out there was an agreement that they were going to do this, but they're rolling it out carefully, and while I would like to see this a lot faster and on by default, that's not the way they have chosen to do it, and I can't fault the... you know, the conservative nature of some of this, in the sense that, you know, this is their general nature.

E
I wish they would do something different, but I understand why they don't, so hopefully they'll turn it on by default. I have no trouble with them turning off something, but...

E
Someone to turn it off, that makes sense, but I would like... I don't know what the likelihood of them enabling this feature... of a project enabling this feature, if it's running on GitHub and it's important. I suspect we're going to find that answer out soon ourselves, Jonathan.

B
I mean, so we proposed, we, Sandy and I, work... or, well, yes, Sandy created a data flow graph of how the ideal disclosure flow would work, and the ideal disclosure flow would be: hey, maintainer, we found a vulnerability in your project. We want to report it; please open it. Please enable automated vulnerabilities or please enable private vulnerability disclosure, otherwise we'll open a pull request within, like, you know, two weeks, right, 14 days from now. There'll be an automated pull request opened against your repository.

B
If you're not, if you don't have a... and so from there, like, we just, we can encourage the maintainer to open it. Otherwise, we just open the pull request in public.

C
And I'm just not sure if that document is publicly visible at the moment, because I know, Jonathan, you're still working on them. The one with the data flow that Jonathan was just speaking about, say.

C
No question, I'm just saying that I don't think that document's publicly available yet. No.

B
Flow, like the flow diagram was to describe to GitHub, hey, this is a feature that we need. This is why we need it. This is how we would use it. Yeah.

E
Yeah, and indeed, if we only contact them when we have something to report, we can tell them: we intend to report something to you, details to be TBD, but this is the way that we need to do it, and otherwise we'll just file it publicly in two weeks.
H
All right, so last year I was looking at Robert Pike's "Quantifying Criticality" paper, which is of course an element which is quite important for this Alpha Omega project, and there were quite a few typographic kind of quirks, probably due to a Word PDF export or something, and so I've rewritten that in LaTeX and I was wondering if this was something that the group would like to take on and publish, so I can share it on my, yeah, Zoom screen share. That's what it looks like.

H
I couldn't find out where to contact Rob, Rob Pike, and considering that this document is sort of providing the foundations for the tech team, this sort of the long tail of software projects, that, you know, the important ones that are being let slip through the net, I thought I would ask here and see if you could point me in the right direction.

E
Yeah, definitely, yeah, the Alpha Omega uses their information as part of their data set, well, I mean we have already, so.

E
But for changes of how those are calculated, yeah, go back to the folks who actually control that. I will observe that the criticality score is a little bit of a misnomer, because it really uses data sources that you might not expect.

E
It's really heavily focused on popularity and on things like changes, which aren't always, you know, aren't always the same as how critical it is in, say, infrastructure, if that makes any sense. It does its measured best to measure certain things, and, you know, it sometimes doesn't measure things you might think it might, because some things are very, very hard to measure, turns out.

H
Yeah, okay, thank you. So I'll have a look at that other group, the working group within the OpenSSF, and...

E
Or you can just contact the criticality score folks directly. I mean, I think you should be able to find it within their project, their contact, I mean. If you can't, you know, contact the criticality working group, that's where they live, but, you know, changes for a particular project, contact the project directly is the simplest and best way, typically, but if you have trouble doing that, yeah, absolutely go to the working group, we'll get you handled, right. Thank...

H
Yeah, I mean, LaTeX has a learning curve, but I'm glad I put the time in because, you know, I mean, how else can you do big sigmas with logarithms and brackets all over the place? It's kind of a necessity at that stage.

E
There are actually other alternatives, but carry forth and do good, so.

E
Yeah, clearly in the mathematics world LaTeX is all over, so okay, yeah. So anyway, yeah, I would contact them. And if you don't, you know, if you can't contact the project, contact the working group; if you just can't get anything else, get a hold of me and I will try to figure it out, but I don't think you should need to. You should be able to just contact those, you know, those as well, instead.

E
So maybe I should ask a question for Jonathan. I will pretend I'm the public for the moment here, which is, so I know you've been working on trying to write some of this down so that other people can see and understand the plan, you know, if nothing else, to kind of reduce the worries of some folks. Any idea when you'll get that first, those first things out for public comment or at least wider, widespread comment? The...

B
So, about automated vulnerability disclosure, yeah, I'm sure, okay, so the plan there is to do it a little differently. I mean, I'm basically gonna take my Black Hat talk and turn it into, or the best practices chunk of the Black Hat, DEF CON talk, and turn it into a document that says, here's a set of best practices.

B
I think that one of the things that I would love to see is one of the things coming out of this work.

B
Could be a set of processes and policies around automating vulnerability fixing at scale across open source, such that if you follow these norms and best practices, you can flag your campaign, or you can have your campaign get signed off and say: this campaign follows these best practices, like these sets of best practices that the Open Source Security Foundation has blessed.

B
So, you know, it puts some weight behind, like, this is not just somebody just doing this. This is somebody that's doing it but following a set of best practices that have been agreed upon by an industry group, working group.

E
Okay, that makes sense, so yeah, I think, you know, that process makes sense. It's just we want to make sure that we get, you know, some sort of rough consensus on that publicly before we do too many of these things. I know you're simultaneously actually implementing campaigns, and we don't really want to stop that, because just writing documents in the end isn't what's helpful. It's the actual activity, right.

B
Yeah, you know, it's just, I think that if we can come up with a set of guidelines that determine that a certain process is more or less blessed by the OpenSSF, like we can have my cam... you know, the campaigns we do as AO follow those best practices, but others can feel free to engage in those sorts of campaigns too, you know, but you have, you're gonna just be cross-industry and it...

E
Won't be, you know, us, be us, right. Okay, yeah, yeah, making it more general. Really, it is an awesome direction, so yeah, I don't want to kill that. It's just we definitely want to have review and all that good stuff while we prepare to have things that apply that process, yeah.
B
Where they have a lot of, like, languages that share enough similarities to one another that you can shoehorn, like, other languages into the ASTs of Java and then dump it back out. So, for example, like you can write Kotlin, or you can have Kotlin be represented by the Java AST. You can manipulate that AST and then dump that back out and have it be Kotlin again, or JavaScript or Python, and so that's...

B
The vision is that, like, ideally most of these security fixes hopefully, potentially, possibly will be cross-language compatible, because it will all be plugged into OpenRewrite, which will have this, you know, cross-language support, ideally.

A
"Ideally" is the operative word here, yeah. So I worked at Kubernetes and Community, they have this, like, central AST where the multiple languages go into the same AST. But when we were building analysis, it was different analysis built for different languages, because it's not... I mean, the ASTs could be the same.

A
The analysis isn't, so, like, they had, like, languages that shared stuff, but then there are other stuff that are unique, like the analysis that you're writing for C/C++ is very, very different from what you're doing for Java, even though they were sharing a same, like, umbrella AST that they have created. So I mean, I think focusing on whether languages can be represented by the same AST...

A
That's a different goal, which may apply for rewriting, but when you're actually doing this, like, serious, like, control flow, data flow related stuff, languages, they have their own nuances. Now, Java and Kotlin can share a lot, but Java and C, Java and Python, definitely not, Java and Python, I mean, because they're vastly different languages.

A
So, even if their ASTs look the same, it means nothing at all in terms of what the underlying thing is. So in C, for example, any variable is addressable, right, I mean you can do an &x or whatever; in Java you can't, and so how do you write the same analysis in both of those cases? You just cannot. So that's something that I am just, like, I want to bring in from my experience in the industry and also definitely in academia.

A
That's one thing about Java analysis that you're doing. I mean, we have solutions for, actually not even data... our data flow is primitive, for that matter. We have abstract interpretation in Java that does this kind of stuff. We discussed some of that during the CNS forum, like, regarding this thing, so specifically, like...

A
What exactly are you doing for SQL? I mean, I know that, like, for Zip Slip, you had a specific vulnerability, it was using a library or something, and then you were, like, modifying that library call or modifying the parameters, etc. That's what solved it. With SQL, you were thinking of rewriting query strings that are formed by string concatenation into prepared statements, but that's going to solve the whole SQL problem, or, yeah.

A
I mean, that's the plan. Are you looking into a broad scope like that, or are you looking into a specific CVE for SQL that was established, which is what you typically do, like a specific CVE that got published, and you see that that CVE is applicable to many, like more than one, repositories, and then you write automated stuff for that? But from what we discussed about SQL, you seem to be, like, looking into a more common problem than a specific CVE or anything.

A
So is that what you're doing with SQL, or is it... yeah, I mean, I'd like to understand a little bit more? Maybe we need to have a separate discussion.

B
Yeah, at a high level it's mostly focused on... so I haven't started anything for SQL, right. At a high level, the idea would be: can we do taint tracking from, like, user-supplied arguments to the location where those strings are getting appended? If we can, we know that that string value can get tainted by an attacker. We can rewrite this to be a prepared statement instead.

A
Sure, and I showed you examples that, like, for example, we can fix this kind of stuff, but not in all cases. You can't do that in, like, you see, like, when you do interprocedural stuff, it gets complicated pretty quickly, so that even if you can follow the taints, you cannot really use that to, like, rewrite an SQL query. Rewriting an SQL query which is now formed by a query string...

A
...then reformed as a prepared statement is a whole new, whole different ballgame, because it might actually require you to change APIs and then stuff, and you don't want to do that. It's not that simple when you go beyond the procedure boundary. Within the procedural boundary, we can create with pretty much confidence. I've shown you examples, and in our case, like, when we're doing a, like, intraprocedural change, or within the procedure, the success rate for that is, like, nearly, like, 85-90% of the cases you can do that.

A
If you do interprocedural, on average, then the success rate becomes, like, 25-30 percent, because, like, the data flow gets complicated pretty quickly.

A
But the specific problem that you're solving, I showed you examples and then such that we have already done that. So maybe that's where something that we can... we can work, or, well, yeah, collaborate regarding that, and yeah. That's a discussion to be had, yeah, that we should be having in future.

B
You know, that makes a lot of sense. I agree with you, no, I, you know, I generally agree, right, like the way that you take any problem that's massive: you find the simplest solution, you build on it and add more and more support, right. Like I built data flow and control flow analysis for OpenRewrite, but only to the scope of what I actually needed in order to make the stuff work, right.

E
We're nearly at time, but my expectation how we're going to move forward is that we're going to use a variety of tools to find a vulnerability. Yes, okay, many different ones, and then once we see a pattern that's likely to be in other places, that's when we, you know, so basically, you know, tools like Coverity, many other tools, they can find a problem, which is awesome, but the next step is, oh wait, this thing seems to be all over, and so now we're talking about things like, you know, why do data flow?

E
Make any sense? Yes, you know, because I agree with you, trying to rewrite a massive data flow engine for, you know, analysis across, doing whole program analysis, that's a whole different ball game, and...