Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.

A: Here we go. Welcome everybody to the November 24th Identifying Security Threats working group meeting. I've started to hit record. Any new members, any folks that would like to introduce themselves? This is your opportunity.
B: All right, I guess I can go. A few people already met me. I'm Lorenzo De Carli, I'm assistant professor of computer science at WPI in Worcester, Massachusetts. Part of my research is security of the npm pipeline and similar ecosystems, and that interest brought me to those meetings and to interact with Mike and David in the past. And so for now I'm just happy to be here and, you know, listen to people's opinions and learn more.
C: Hi folks, I can also introduce myself. Can everyone hear me? I'm not sure about using Teams. Cool, I'm Matt Jarvis. I am a director of developer relations at Snyk.

E: My name is Drew Davidson. You can pretty much just cut and paste the line from Lorenzo. I'm also a professor, I'm at the University of Kansas, and we're actually collaborating together on some of the, you know, ecosystem security stuff. So, you know, similarly really happy to be here and looking forward to collaborating possibly. Terrific.
E: Yeah, I mean I'd say both, although, you know, it's kind of like, to me, you always want to start with understanding the problems before coming up with a solution. So, you know, we have one previous published work, Lorenzo and I, on typos in particular. I think maybe some of you have heard about that work, but, you know, we're continuing on sort of past that. So if there's, you know, if there's work on understanding or on defenses, I think, you know, we'd be interested in hearing about both.
A: Awesome, since we have kind of a center of mass of new people, what if we just have everybody go around so that way everybody knows everybody. I'm Mike Scovetta. I run an open source security team at Microsoft. I've been leading this working group since the inception, I guess.
F: All right, so I'm David A. Wheeler. I work at the Linux Foundation as of, it was a year and a half ago now. So I've been interested in open source software and security against, you know, secure software and the combination for many, many years, so I've been trying to do a lot of work in this space, hopefully helping, and would love to have... I'm always delighted to see new people join and collaborate, and so on. Let's see here, who didn't speak? Luigi.
H: Come on, yeah, I guess I go. Hey guys, I'm Dylan. I am a software engineer at Microsoft, focused on security stuff, static analysis, stuff like that, and yeah, joined this group to kind of increase my exposure to the open source world. Nice to meet you all. Welcome.
A: Cool, awesome, so yeah. This is probably the center of mass. We had a couple people that usually join, in particular Amir from OSTIF, so I'm hoping he joins, but if not we'll see a couple of them after. So we've got some updates for today, but, you know, we can use this as just kind of open discussion, certainly add more topics.

A: We can go through these, I think, pretty quickly, but I just want to give everybody an update on where things are, so Alpha-Omega is acting as its starting...
F: Point. Okay, yeah, just putting away, yes, yeah. Basically I was just trying to note, for those who are new, eventually Project Alpha-Omega is going to be a sibling to this particular working group, but in the past OpenSSF has always been, you know, a set of working groups with projects inside them, and so in some sense you're witnessing the birthing of a huge project on its own.
A: It looks like it will probably be two product managers or product owners or whatever you want to call them, one for Alpha, one for Omega, and then at least one project manager and then a couple engineers to work on Omega. So I think, David... I think we landed on, oh, David's gone. I think we landed on five, the initial hire set, I'm...

A: Yes, there are links down in, you know, I forget it, I'll just add that link again.
F: Okay, yeah, while you add a link, the Critical Projects working group will own the list. I don't know if you're aware of this, Michael, but over in the Best Practices working group we had a little bit of a surprise that, well, at least initially unwelcome, but it's okay, I think we can work this. The Great MFA project is supposed to be distributing tokens. We found out, we just found out that Google's coupon codes expire at the end of the year. I...

F: I don't, you know, and, you know, I was gonna say hey, can we extend it, but apparently they were already extended once and we weren't aware of the time frame. So, okay, you know, it doesn't matter. What can we do now? So I have begged the Critical Projects working group to come up with a draft by December 2nd. Don't assume that that list has to be the final one for Alpha, but we're basically pressing them to have something to work with soon, and then, obviously, you can refine and improve and that sort of stuff.

F: Great, I can point you actually to the draft. You can see the... I love that sausage. I will find you the sausage so you can watch it while it's being made. Basically they have a list that's about 130. I think some are going to, some, in fact I know, have already dropped, but basically they've gathered data from lots of different sources here and the top ones from each merged together, and then have the working group walk through and say yay, nay. That's perfect stuff.
A: So part of what my team does is do concept tooling, so we're gonna open source, or actually just contribute to OpenSSF.

B: Mike, sorry to interrupt. There seems to be a lot of background noise coming from somewhere.
A: Cool, thanks for that. So for Omega, the purpose of Omega is to scan the entire open source ecosystem at scale with the very best tools and then triage the results and report vulnerabilities. So it is not, to juxtapose this with a lot of other things, it's not about: does the thing use, or have, a known vulnerability, or is it using a known-to-be-vulnerable dependency. This is code-level scanning and fuzzing and whatnot to look for new vulnerabilities: does this thing have patterns that match a thing? So as part of this we're going to open source, or sorry, we're going to donate to OpenSSF a project that we use internally for this, so the project itself is really two things.

A: One is a container image that has pretty much every security tool we can think of pre-installed. This is called Toolshed, so it's got things including CodeQL, Semgrep, I mean you can see the list there, but it kind of goes through and, depending on what kind of project it is, it will download it, pre-process it, run each of the tools, normalize the results, and then leave those in a directory, basically. And then batch infrastructure to basically drain a queue and just keep the images, you know, running.

A: So each image is ephemeral, so it goes away at the end of the scan, and the batch infrastructure, you know, handles all the scaling and stuff. So we'll release, we'll get both of those out and available; the plan is December.

A: I have to have one of the devs on my team kind of do that, like getting it ready to be shared, but then at that point it's OpenSSF's, and the engineers that we hire will do the care and feeding, and if they don't like it and they want to rebuild it and redo it, that's great too. I just wanted to seed the effort as best we can and, you know, not start purely from the ground.

A: We've used this to scan 15 or 20,000 projects pretty successfully. The biggest limiter now is the team size; we don't have folks to triage at scale, and whatever problem we solve for Microsoft, you know, we would rather solve it for the industry.
F: Because I think it's correct, but that doesn't make it correct. You're talking about unrestricted capacity for scanning open source software, right?

A: Yes, yes, that was my understanding. Yes, absolutely. So, well, basically the default CodeQL license, I think it allows you to only scan projects that are hosted on GitHub, and because we are looking at, let's say, the package on npm or PyPI or wherever else, I can't guarantee that it'll be on GitHub. It could be on Bitbucket or something, and so the commercial license for CodeQL allows you to scan anything you want. What we have is a license that basically says you can run it on any open source wherever you find it, like, period. So technically it's a commercial license agreement. It was kindly donated, or given to us by, so...
C: Can I ask a quick question in this context? I mean, would access to Snyk in this capacity be something that would be of interest?

A: Yes, well, so access to more data is always of interest. The question is where does it plug into the process? So knowing that when we scan, if we take npm, I don't know, a new version of npm express comes out today and we scan it. What we're looking for is to be able to answer: are there critical vulnerabilities in express? Has it been, you know, backdoored, other kind of egregious things, yeah.

F: I think your answer to your question is many, many words too long. The correct answer is yes.

A: Sorry, I do want to be careful, because in talking with, like, so LFX Security, you know, in talking with their usage and their kind of model, is to be able to look at an existing thing of express and say, oh, this thing already has known vulnerabilities, and, you know, Snyk and other kind of data sources provide that. Looking for new vulnerabilities is usually a different conversation, but again, having more data is always good. So yes, but I just wanna...
C: Can I paraphrase what you're saying there, is that, on the one hand, you're interested in semantic analysis of code in order to detect new vulnerabilities which are not currently CVEs, correct? Right? Okay, so I mean there's obviously multiple parts to what Snyk provides, and I mean, you know, clearly in the LFX Security perspective we're talking about package dependency analysis. You know, composition analysis, in terms of this dependency that you're using has X CVEs against it, which is one part of what we do. But, you know, there's also the Snyk Code analysis stuff, which may be interesting as well, but I mean either way, you know, clearly, you know, the reason I'm...

C: That, you know, part of what we do with Snyk is supporting open source projects anyway, and it's something we want to grow as an organization. So, you know.

F: I think the answer should be yes, we're interested. The detail: you're obviously already aware that LFX includes Snyk, and clearly it seems to me that it all works together. Finding the vulnerabilities that nobody knows about right now is clearly important, but finding about them, fixing them, but not getting them through the supply chains and the various tiers, it doesn't really... I mean, it just means that the fixed vulnerability stays unfixed everywhere. So clearly that kind of dependency analysis needs to be happening.
G: Yes, and Snyk has a really good database. There are some vulnerabilities that they found just checking GitHub issues or PRs that have no CVE, but they are, I mean, exist, exactly so. Having access to the Snyk database is really, really great for scanning third-party dependencies, and I don't, I mean, I never understood the Mike argument. I don't think that we want to consider a new vulnerability, for example, vulnerable dependencies in a big project, but at the same time, if projects start to use, for any reason, vulnerable packages, we want to know this and notify this. So scanning also the third-party packages can be important, maybe not in this tool or not at this moment, but in the future it is of course important.
A: And certainly, like, as, because, so for Omega we are kind of bound by, so if we have, you know, three to, I don't know, somewhere between three and 30 million projects that, you know, we're gonna scan at the tip of the... What we're gonna see, you know, we'll say critical vulnerability found in X, and someone will look at it and they'll say yeah, that looks right, and they'll, you know, get it reported and be able to, like, bunch up and say, oh, by the way, you're also using, you know, an out of date or vulnerable dependency here, and, you know, kind of want to provide as much value while we have the maintainer's attention in reporting. You're right.
G: So there is the risk that the output is too noisy for the maintainers also, and when the alerts or the reports are too noisy, usually maintainers or developers don't want to read them, and we need to avoid the simulation area. Of course, yep, yeah.

A: So that's Alpha-Omega. There's a lot more to come. You know, I'm hoping that we're up and running in January, but as part of this, and, you know, that's your point, you know, I think being able to leverage commercial data sources or partner data, whatever you want to call them, like Snyk, I think is an enormous advantage. So yes, 100%. Cool, I don't see Amir on the call, so I don't have an update. Oh, actually, Dylan.
H: Automated overview page, but I mean its general structure was there. I don't know if there's... I don't, yeah, there's nothing really I have for that at this moment.

H: No, actually it's just, you just have to run the Python script and then it'll auto-generate, but yeah. So I guess that's what we get.

H: Yeah, yeah, definitely, yeah. That's super simple! We'll do that, yeah, I'll make sure I get that done for our next meeting. Cool, awesome.
G: Yes, I mean, as David brought up two weeks ago, now we need to be sure about the design of the YAML file, and I have prepared this board, please. It is public, there is just a password, but you probably don't need to create an account. Add a comment, a ticket, what you prefer. I'm working on three different designs, and then we can choose the design that we prefer. The password is this one.

G: For me, the file should contain also the OpenSSF Scorecard result, because we can automate the Scorecard result and the other tool result, but it can be read by the metrics dashboard that we have, so the metadash. We don't need to scan every repo, but the metrics dashboard can check if the YAML is present or not and use it. So, from my perspective, but please correct me or add a ticket in the dashboard.

G: From my perspective, the previous model was where the YAML is an output file for the maintainers, so they have a tool to create it. They launch it, this tool launches the Scorecard and the CII page and similar, and creates a YAML output where the maintainers can add the missing information, but they need to justify them, and then the metrics dashboard can, in this way, check if a particular repo contains a YAML file and copy the information without launching every time the scanner and the tool.

G: In this way we can, if the YAML file became a standard, the dashboard can fill in more projects and have a better database. At the same time, the maintainers need us to launch a tool that we need to provide, of course, where there is the Scorecard output, the CII output and maybe also other tools. I mean, according to the tools that we want to add, because, for example, there are a lot of scanners like Snyk, like npm audit and similar, that can give automatic information that is really helpful for the maintainer and they're...
G: Oh, sorry, okay, probably I need to add the legend or something similar. The point is that if the file is about an input and output: it is an input for the metric, Scorecard especially, and it is an output from the maintainers, so this means that the maintainers launch the tool to create the YAML, the tool launches Scorecard, the other automatic tool. So we have a YAML that contains some information generated by the automatic tool.

G: But maybe the Scorecard cannot obtain some information, like if there are some CI tests, because every CI test is different, so, right.

G: But Scorecard is a tool that can create an output that we can add in the YAML file.
F: Well, no, Scorecard generates an output; it is not OSSF security. It could be, I suppose, but that is not, that was never the original intent, and I guess the issue here is: is there a reason to have a merged output of all these different things?

G: I think that's... The main reason why I have talked about this is that if we want to maintain and improve the OpenSSF metrics dashboard, metrics website, especially with more projects, probably we cannot scan the entire GitHub, GitLab. So if the project already has a YAML file that contains Scorecard results and contains the CII information and so on, we can just read the YAML file and add the information to the metrics.

F: Okay, I don't think that's true. I mean, they're already scanning hundreds of thousands. I don't think they have any, know of any problems scaling to millions. I mean, they just run it a bunch of times.

G: If we have no problem to scale the metrics dashboard to scan every project, we can of course drop this and move to your idea, because if you say that there is no reason, I agree.
A: So, you know, it will always be out of date, I guess, relative to the Scorecard, while if you only use it as an input up here, then it seems like it would complement Scorecard and other data sources. Dylan, you have your hand up.
H: Yeah, yeah, I just had a quick thought on this. After hearing, like, a lot of the ideas tossed around, I'm having trouble wondering why... I think it's almost possible to achieve a lot of what all of you guys are saying by, and in my mind I think it would be really cool if we just started this tool. I mean, you have to, either way, to kind of do what Luigi's talking about, you have to do both components of it, so, like, why not, like, why? Why?

H: You know, install some, whatever extension, where they can, or just create a YAML file and, like, fill out all these self-filled kind of things, and then the metrics dashboard can stay the way it is and kind of collect its data sources from Scorecard and everywhere, but just, like, as a last resort for, like, you know, the stuff that it can't find, it can look at the security YAML for, like, those, you know, final kind of manual updates from the maintainer. And then, after all of that, like, that could be the whole input side of it, right? And then, after all of that, what the YAML can do is, you know, if there's stuff, like, there could just be, like, a feature in that YAML where, you know, it can auto-populate or autofill a lot of fields from Scorecard, like, if it picks up on that, and that doesn't kind of disrupt the workflow of anything else in my mind. So I just think that it's possible to kind of just achieve this as an input and then have that output feature be, like, a convenience, auto-populating kind of thing that can be included in the YAML file, because I do think it's pretty cool to have, like, directly in someone's GitHub, in someone's repository. I think that there's a lot of traffic already there, where people actually visit the main GitHub page, and if they just see this YAML file with a whole bunch of fields populated, and, you know, the more information, the more data, the better.

H: I think that would be a cool, like, next feature to add on to get a lot more data out there and in people's eyes in the general open source world. I don't know, that's just my thoughts on it. Yeah.
F: It was, as was noted, originally it was only input. What happened is last week it was suddenly realized, in the direction of discussions, that at least one, and I think several people, when they... it's a challenge of writing. There was a fundamental misunderstanding of: was this an input to the tools or an output from the tools?

F: The folks who started assumed that this was an input to the tools, but several folks who read the doc said, oh, this is an output from the tools, and the comments and discussions made no sense until it was finally realized, just, you know, last meeting, that, oh, we're talking past each other. Yeah.

F: I'm much more of a fan of the tool input, because if you're gonna have it as a tool output, that means you have to get agreement from the tool makers or have a converter. If you're doing a converter, what's the advantage of a common format? Not sure I see it. If we do want to have it as a tool output and as a tool input,
F: may I suggest that those be two separate files, because, as someone who has tried to do the round trip, I've done round-tripping, it's totally possible. It is also a tremendous amount of code for no gain. You basically are resigning yourself to data circularities, and that is not a good place to be. You could have a single spec and define one as, you know, OSS security YAML and OSF security merged or something, but, you know, don't make it both.

H: I agree, yeah, I think the input is... I think that would be the cooler initial kind of big problem to just solve at first. It's just my opinion. I know everyone has their own opinion. I think the input, because it solves that problem of, like, everyone complaining, like, oh hey, you know, your metrics, the metrics dashboard or this Scorecard or this tool doesn't really, you know, detect everything, that doesn't really look fair to us.

H: I think that gives maintainers a fair chance to do that, and that seemed like the problem we're trying to solve. I think the output feature is, like... I think that would be, like, a cool secondary goal after accomplishing this, to see, like, oh, is there additional data we could populate on GitHub, and I don't see any reason that couldn't be, like, appended to the end of it or anything, and just kind of have everyone win here, I guess, so to speak, but yeah.
G: Okay, so for the first iteration we consider the YAML file like just an input file, so an input for tools. So the maintainers create this YAML file. We can create a wizard tool, so we can help the maintainers to create the YAML file, and then the Scorecard can read this file to obtain some information that maybe it cannot obtain another way, or there are false positives. And also this means that if the Scorecard can read this, also the metrics dashboard can read the YAML file. So it is an input file also for the metrics dashboard, indirectly, yeah.
F: That can also look at that file and, if it's formatted in a way that we can, you know, I'll say, for example, if we can format it so that all of the criteria, all the criteria names, and each of them has a met/unmet statement and a justification text for each of them, I mean, I can easily write that and use that as a low priority.

F: But, you know, considering this as a low value of truth, in the sense that if we can detect, for example, there are no license files, no COPYING files, I don't care if you say you have a license. Yeah, that's terrible. Still don't have it. So, but, you know, that's okay, we could still... I don't know how many people would do that, because it's awfully, it's typically easier to use a web form than to enter data into a YAML file.

F: But, you know, I could see maybe somebody in the JavaScript world who has lots and lots of tiny modules, that might give them a hand: hey, before you add yourself, copy-paste these things that you know are true already, and then, when you start your badge, it'll get a leg up. Something like that.
G: Okay, so input file, human readable, it is a, but it is also an input file for tools, and okay, I can continue the document. I think that the template that you have already created is very good, so I think that now we just need to formalize this first implementation. I want to specify this factor, so we have decided that the first implementation is an input file for tools, generated or created by the maintainers, with the help of an automatic tool, maybe, and that is perfect. Perfect.

F: Okay, yeah, yeah, yeah, now there's an interesting thing. You know, is it a tool operator, tool input? I think what I would say is it's something you check into your repository, typically hand edited, but I mean we can't prevent people from using tools, but the goal is primarily for this data file to be an input to analysis tools. Maybe I should have said it that way.

G: No, I totally... I agree, and I think it is a good first implementation. Other questions? Yeah. We can.
A: Cool, awesome. The one other topic that I want to discuss today was basically how to not report security vulnerabilities. I don't know that...

A: They expressed a lot of angst at their role in triaging bug reports sent in by the public, and basically it came down to a lot of the security researchers that they interact with are, in their words, abusive and threatening, very personal, like, completely inappropriate, like, bonkers stuff, and I think... I'm not aware, I can't, I just, in my head, I can't think of reading a good article or anything like that that kind of called this to light.
F: Oh, yes, there's been a whole bunch of them. Actually, CRob, he can... he can, well, enlighten is probably the wrong term, he can point you to. Unfortunately, this is actually a, frankly, the problem is way less in the open source world, in my opinion, than in the commercial space, where we basically have a lot of researchers who've decided that extortion is the best way to live life.

F: You know, for the open source ones, they can basically say, oh, you're gonna tell the world about a vulnerability? Excellent, we'll lose half our revenue. Oh, we don't have any revenue.

A: Yeah, and so, and I think perhaps in the middle are kind of non-commercial organizations, where these are people that either are volunteers or they take kind of a nominal salary, or things like this, where it's not, you know, to be clear, it's not reporting a vulnerability in Exchange to Microsoft, but yet it's still not reporting it in a hobbyist project either. So, okay, I'll reach out to CRob either way.

A: The fact that this is still a problem means that perhaps there's more that can be done with that. Without seeing previous art in the area, I don't know, like, if this still makes sense, but, you know, I think it would be, like, what I would want to read is, you know, hey, we talked to a bunch of maintainers, large and small, maybe even some commercial. We talked to some security researchers to kind of understand this problem, and this is the reality of what it is.
F: Yeah, the how to keep people from being jerks is hard, so I think, really, at the end your punch line, work with the Vulnerability Disclosures group. I actually, I won't bump that up, because that's, I think, the key, because we've got another group who just finished writing up the vulnerability... the Vulnerability Disclosures working group just finished writing up guidelines on how to do coordinated disclosures, primarily from the point of view of open source projects, you know, how to prep for this.

E: So, you know, one thing where maybe we could help on the academic side, as, you know, sort of academic researchers, is it might be possible to, like, put a student on this survey idea. Do something more broadly to say, like, you know, can we have a student go around, talk to a bunch of projects, figure out the prevalence of this, figure out, you know, how they would potentially react to this don't-be-a-jerk kind of thing.

E: This might be something, if people were interested, we could get a student on, I'm sure, sort of having OpenSSF behind us to say, like, hey, you know, talk to us, we sort of have the community's best interests at heart here, and we're sort of working with the OpenSSF, might be...
B: Is a problem as I want more insight? I think that it's well suited for what Drew and I do, and, you know, of course, as academics we are sneaky people. We have a broader agenda, which is to write a paper about a problem, but as long as there are no issues about that, then we have, you know... I think this sounds very interesting, actually. Okay.

A: Yeah, but.
F: I think, unfortunately, there's several confluences of social situations. You've got a lot of commercial companies who have ignored vulnerability reports or have been hostile to you. Frankly, have a counterculture in a lot of these areas. You know, if you start listing the, to the Black Hats and DEF CONs and so on, you know, you've got a culture of: oh, look how clever I am, and the point is to be clever, not really to help people.

F: You know, the idea is to show how cool and smart you are, and the idea of, oh, this hurts people, is not a construct that seems relevant in some of these social spheres. I'm trying to be kind to this, because, in fact, I respect the intelligence of these folks greatly. I don't respect how they treat other people.
A: And I think that separating out the "this is a critical vulnerability", like, even if you come to it in a principled way of, like, I found this, someone with bad intentions could find this, and if you don't fix it soon, then I feel that I have an obligation to let everybody know that using your thing is dangerous. I think you could have a principled discussion why that's okay, but...

F: I think it's entirely appropriate to say, I will give you a window of time to work on this in private and after that work in public, because otherwise a lot of organizations will never fix it, and that's a bad thing for society. But yeah, the... if you don't fix it, I'll report it publicly, it's fine and normal. It's that other stuff, or, you know, basically the threatening moving towards extortion, which is absolutely not okay.

A: You know, okay, so would anyone like to kind of own this?
E: Yeah, definitely. I mean, I think there's two parts of this, and the one that I would be most interested in is, like, there's a lot of folklore about this happening, extortion and sort of, like, your little mean add-ons to the regular process, and I think we'd really be interested in formalizing that and, like, kind of getting into it. And then the other side of it, and I don't know if you were thinking about this part, Lorenzo, was also kind of, like, the best practices part. That's probably more of a discussion, right. That's not so much something, yeah.

A: Awesome, that sounds terrific, so I'll leave it in your hands. Let me know if you need connections or any support.

B: Slack, I am, but I don't think I subscribe to all the relevant channels. Is there one in particular? So there's...

A: The vulnerability disclosures channel, like, copy link, maybe I'll do that.
F: Okay, yeah, so I think basically, Michael, we've already got enough on our plate. Alpha-Omega is going to keep us busy. The Vulnerability Disclosures working group is exactly the right people, and I think that right now, officially, they're supposed to be working on a paper, but I'm not sure how much real action there is on that. What they actually did, the guidelines, is a subset, and I'm not sure how many people are excited to try to write the big thing.

F: So I'd focus on this, and I'm not so sure that we need the survey to start writing the paper. But if we, frankly, even if we could just have anecdotes of examples of things not to do, that would be a great start. And then, if somebody does a real survey, does the research, finds out the examples and then comes back, we could then refine that "don't be a jerk" paper with the deeper insights from the additional research. So I think we basically can hit that a little bit now as a quick draft with anecdotes, do research, and then fit, and then have a better version updated as a version two.

E: Yeah, I'd argue that even having something preliminary to discuss during the survey, to say, like, you know, would this work for you? You know, how much do you think that this has already been sort of adhered to ad hoc? Like, that might make the survey more compelling, and, you know, maybe use data, good data, for a version 2.0 of the best practices.

F: Okay, so, Michael, do you mind sending this off to the Vulnerability working group, particularly, I...

A: I will ping them right now on Slack and just let them know that Drew and Lorenzo are gonna reach out and...
F: Take it from there. Well, I think it's more than that. I think we're asking them to do something. We want them to write a paper. You might wanna do it also with the mailing list. Remember the Slack goes away after 10,000 messages across, so it doesn't stick around; anything you want to stick around, Slack's not such a great thing.

A: I had one other quick one, which is, Lorenzo, I know we're chatting about typosquatting and things like that. We made some updates. We actually had some internal interest on the typosquatting stuff that we're doing, if it's relevant.
A: We moved out the typosquatting stuff to a separate library. I think we, yeah, we expanded the mutators, so it should be finding better stuff now. We're going to continue. We have another team internally that's using this as part of a service, so they've got a couple engineers that are going to contribute, so we'll probably see more updates to this over the next couple months.

A: Here we go, squats, yeah, so the library, you should just be able to, you know, kind of plug in somehow, or there's a CLI as well. So you can do either one.

B: Okay, so what I'm going to say is that this sounds very interesting. We do have a project which is looking at building sort of a more complex model of typosquatting, so down the road we may have some patches or some additional, whatever, mutators or plug-in for this tool, and once we have something interesting I'll make sure to reach out. Cool.

A: If there's nothing else, thank you everybody for your time. I appreciate it, and for those of you in the US, happy Thanksgiving tomorrow. For everybody else, happy Thursday.