A: Anyone, really? I... just, unfortunately, I'm not logged into Slack at the moment and I'll have to figure that out.

B: I've been open, but I don't have the meeting up, no ice, so, yeah, hang.

A: That's what I'm going to figure out after this call: what's the situation with...
B: Yeah, I definitely heal, and I thought that would be appropriate for be open after that black, to suggest that when people are creating their accounts, they use their personal emails instead of their work email, which currently recommends using the working mode, and the Google layoffs really put a point on the... Maybe that's a bad idea of doing what people want to print for their identities between companies, mentally, or if they want to stay involved.

A: Sorry, oh, I should add myself to the list, shouldn't I? I don't know if Dustin is coming this morning.
F: Sorry, one second, gotta put you on speaker. Okay, perfect. So I spoke to Alpha-Omega leadership, little interaction, funding the project and voting on things.

F: There is... I posited this thing that I've been positing to this group for quite a while, which is that any sufficiently large enough artifact server in the job, in the industry, that has been provided for free and has not ever been a part of a purchasing agreement from a company has probably never been audited. Like, there's never been a pen test performed against it, and my proposal to Alpha-Omega was: hey, would we consider, like, currently the audits that Alpha-Omega are performing, right?

F: Would it be a valid Alpha-Omega engagement to consider performing audits of major artifact servers that have never had a pen test performed against them? And it was not like an immediate yes, but it was more like, I mean, that seems like it's in scope, so we would be happy to review a proposal for such a request for money or grant or whatever, whatever the album I got. You know, you'd think that, because I work for them, I should know what the full process is. I truly do...

F: Not, so I don't know if I have the time currently to dedicate to completely writing up a proposal, but I'm more than happy to be part of the process in helping out with writing a proposal for: hey, Alpha-Omega, here's a bunch of, like, artifact servers in the industry that could use a pen test.
F
Audit
that
are
like
you
know,
maybe
like
pip,
are
you
know
any
any
industry,
artifact
server
that
is
used
to
supply
the
the
industry
Supply
chains
and
then
maybe
include
in
that
scope
the
build
tools,
maybe
I'm,
not
certain,
but,
like
you
know
how
do
these?
All
these
systems
interplay
and
then
trying
to
hire
a
company
to
perform.
You
know
audit
to
these
tools
and
and
and
and
infrastructure,
and
then
you
know,
disclose
the
vulnerabilities
to
the
maintainers
and
try
to
get
them
fixed.
You.
A
F
All
that
all
that
full
that
whole
sphere
of
now
this
is
further
complicated
because
your
base,
you
know,
most
of
the
time
when
you're
engaging
in
a
pen
test
right,
you're
you're,
our
company,
coming
to
a
security,
firm
and
you're,
saying
hey.
We
would
like
you
to
pen
test
us
and
then
there's
a
bunch
of
legal
documents
that
get
drafted
up
that
basically
like
State.
What
a
scope
is
and,
like
you
know
what
is
allowed
to
be
audited.
F
What
is
not
allowed
to
be
audited,
and
you
know
it's
going
to
be
very
hard
for
us
to
try
to
do
this
with
an
organization
that,
like
doesn't
have
a
public
vulnerability
disclosure
policy
with
a
scope
document
predefined
right.
If
you're
you,
because
you
can't
authorize
hacking
against
a
system
or
an
infrastructure
that
you
don't
own
and,
like
you
know
the
openness
of
can't
do
that
so
so
we've
had
there
would
have
to
be
some
for
a
level
of
Engagement.
A: Open Source Technology Improvement Fund, if I remember correctly, so that's... his name escapes me just for the second. I'm...

C: Yeah, they do all of the CNCF security assessments and audits and things, and they basically have a network of security companies that they work with and have, like, pre-selected because of familiarity with open source and the differences in doing security work in this environment, as opposed to, like, a traditional commercial environment.

F: Cool, that's really good! Okay, so I will ping Amir, I guess. Does anybody else... I'm... My schedule is packed currently with mentee... I'm... Currently Alpha-Omega is currently trying to hire me, or not hire, find mentees, and my schedule is currently packed with interviews, but I can spend some time working with someone to, like, start this document.

F: Does anybody have time, and free time and interest, in engaging on trying to get to the proposal for money or, you know, resources out of Alpha-Omega to make this happen?

F: Yeah, so is there anybody else here? Nobody, you don't have to jump at once.
A: Yeah, absolutely, I think it's a great idea, and another suggestion from Joshua is that we could start with a GitHub issue and link to that from Slack and email. Yeah, I think that'd be a great way to establish a paper trail. I think it's a great idea. I think we'll probably find things; I think everybody's done their best, but it's always good to have an external set of eyes.

F: Here's my experience. When I... just some background, like, I found a security vulnerability several years ago, before I worked at Gradle, accidentally, and then I was like, I wonder what other vulnerabilities, because it's together plug-in portal, and some of the stuff that you find is, like, cross-site request forgery and stuff like that. At the very beginning, you're like, these are, like, very simple security vulnerabilities against a major component in the supply chain.

F: Right, and it's like, you know, and I presume that, because, you know, because these systems are built by people that are just, you know, trying to get something together sometimes. And, you know, they will handle reports that come in. They're still, you know, they're still only as good as the people that have actually looked at them can report them to be.
E: Yeah, just, this is mostly an announcement. PackagingCon dates have been set; they're going to be the 26th to 28th of October in Berlin, and I need to get the PR in after this meeting, and the CFP should be out by Monday.

A: That would be great. A lot of folks, you know, it can be difficult, under normal circumstances, to justify travel, and across a lot of travel... Budgets have been pulled in this year in a lot of places. So I think a virtual option is a great idea to help broaden the base.
H: Low on the agenda, Joseph, hello, hello everyone. I can ensure I saw someone, you got some rubber Jewel side. We are working on OIDC ability to push the gem. We have a test environment with successful test for...

H: So I think npm already has this ability, right, if I remember well, so we hope we are going to join this train soon as well. So, in short, from GitHub Actions using OIDC, it's possible to acquire a short-living key for push during the action workflow runtime.

H: So there's no need for any OTP, since that's mostly manual workload, but also at the same time, there's no need to lower your security on the account by design disabling this. So it's working totally with OIDC things and I think, if I remember well, it's written. Currently, the implementation is not GitHub-related, GitHub Actions-related.
A: It's exciting, it is. It is good news. I'm, like, that was one of the big things that was on our roadmap in the Ruby dependency security team, was like, we wanted to help get OIDC across the line. So it's great it's getting done. We can just kick back and relax.

I: No, I was... I originally unmuted to say that it was a good idea to plus one year where you would send a job, but I'm good.

H: I was about to say as well, we plan to prepare some infrastructure for first insulin, boarding, smooth onboarding and swiping. For now we do plan to maintain an official RubyGems publishing action, so...
A: Really cool, yeah, I'm really excited about that one. Like, the work we do on MFA made a big difference, I think, in terms of folks working at the CLI and working in the GUI. So it was nice that we've also done big work on making automation a first-class citizen, and it's been exciting seeing that happening with npm and PyPI as well. I think that's going to make a big difference in the long run, having these capabilities.

D: So I was actually interested in hearing from one of the implementers of, like, how are changes in these trusted publishing states handled? Is this, like, if you say that this OIDC identity is now, like, a trusted publisher, how do you change that? Is it just logging into a web UI or something else?
A: If I can get my impression of it, because I went through it a few... like a week or two ago, it's set up to be a very flexible system.

A: I might have done it differently, but it's a very flexible system, which leaves to the user a lot of discretion about how they configure it. So they can configure that the issuer is GitHub and, presumably, you know, as support comes online for GitLab and the like, you know, you would get: GitLab is an issuer, or example.com is an issuer, and that would be left to the user.

H: I think for now, in the current state, there is no UI around. So it's just some manual run with configuring all the entities needed on the RubyGems side manually, but definitely there will be UI and API around this to make users able to control and add/delete providers how they would like to.
A: But it has, in a sense, so, yeah, most of the implementation in terms of user interface is focused on the admin user interface at the moment, the UI that folks like Joseph use. But it has at least reached a proof-of-concept stage where Samuel Giddens, who's doing the work, is able to do this in an environment: basically have a build on GitHub issued a token and make a push to this environment, so it always together.

A: Excuse me, it all wires together successfully. I still think there's, you know, work to go, and definitely it would be, along with the MFA work that we've done, a great subject for something like what Jonathan is proposing, but, yeah, I'm excited that it's happening, basically.

A: Okay, if we're done with that one, is there any other business that folks had to discuss this morning?
J: We have a... hey.

A: That what, yes, yes, yes, there was a blog post on the OpenSSF blog about it and a report.

A: So there was some stuff produced from it. Perfect.

F: Not what I'm doing, yeah. Also email kaheel, that's our operations. They may be able to assist you, I don't know if they can, but, you know, yeah. And then what was the other question? So I know that npm implemented the 2FA requirement. Has anybody else done that, or is it just npm? That's the big one. Yeah.
F: That, so for publishing, you have to have two-factor authentication. Is any other artifact servers... gone in, is anybody besides npm made that a requirement? Yes.

A: RubyGems and PyPI both added requirements, so for RubyGems it's based on the number of downloads. If I remember correctly, the threshold is 180 million lifetime downloads, yeah.

A: For PyPI, it was based on, I think, essentially a sort of, like, a criticality-score type thing where they base it on the number of dependents, and your package would be marked as being critical, and I think might be... I had the hardest time because they swept up about three thousand packages.
F: Yeah, I wouldn't make the assumption that all the login has been moved over. I don't know if you all... I mean, gamers among us, there has been a lot of people being not thrilled with Microsoft requiring that you have a Microsoft login account for your Minecraft account, because...

A: There's the infrastructure set up for it, right, like we had the mailers in the source code that can be repurposed to send another round. The thing that sort of, I think, made us hesitant in the past, and I think this is true of PyPI as well, is the support. First of all, the blowback from the usual tinfoil-hat brigade, and the other part being the support burden of dealing with folks...

A: ...who've lost the device, and we talked about that last year in the context of setting up a shared help desk, but unfortunately that sort of foundered at the TAC stage, as being seen as an incomplete proposal.
F: All right, yeah. In my experience, right, the more 2FA solutions you offer, right, that are cross-compatible, the less likelihood of lockout you have. You just have to encourage people to, you know, give us your... You know, give us multiple ways to 2FA verify you. And I'm, like, I'm thinking, like, you know, my immediate...

A: It leaves you in the sights of GDPR, which is, yeah, for a small Reaper, not worth it. Yeah, so I, in the documentation when we rolled out, we're both, and for RubyGems.
F: Right, I would like to propose, for the talent of this meeting, if we don't have any other topics, which is fine, that I co-opt this meeting to turn it into a slight, small, like, group of us chewing on creating a potential initial template for the AO proposal. I don't know if people want to do that or not, but, you know, I've got the rest of this meeting set aside, so I can chew on it. If I can... I'm trying to get my computer booted up.

A: I will respectfully decline. I'm anxious to get on with the rest of my day, since it's my last. I want to make sure that I've squared away everything, got all the Slack logins switched over and so forth. Yeah, so I might take the opportunity to duck away.

F: Respect that. If anybody else wants to hang out with me, I would appreciate the brain share of this whole thing. But, yeah, I totally respect where they're coming from, Jacques. I'm...
A: Yeah, robots. All right, folks, it's been real. I don't know if I will be in Vancouver next week; we will see.

A: The flight's been paid for, the hotel's been paid for. I need to find out.

A: If it is, then I guess, oh, I need to get the presentation off my work machine, or uploaded at least, so I can get a hand on it. So, yeah, there's a little bit of homework to do today. Oh Lord, job hunting in Vancouver, yeah. Why not? It's a nice city.
F: So I'm gonna look through and try to track down the template that I got sent from Alpha-Omega on the topic of... I think there should be a template somewhere for proposals.

F: I have seen it. Where did I see it? All right, I think it's in the... isn't it in the Google Drive, like the OpenSSF Google Drive? I know they have a copy of it for sure. Oh.

F: Oh, found it, great, got it. All right, cool, yeah, copy link. All right, we got this, we can chew on it. All right, cool, oh great, awesome. Okay, all right, I'm gonna screen share this and then I will send a link. Let's see, I'm gonna create a document.

F: In... give me a second, dark side. No, excuse me.

F: Okay, I'm gonna send this share. This restricted... I'm going to start out with everybody: anybody who has the link can be an editor right now. I'll probably reflect it to suggest at a certain point, but right now we're all jamming on a document.
F: Better, because then we can see who's made the contribution, but at least that's not possible. I totally respect that. Mission of Alpha-Omega is: protect society by improving critical...

F: ...foundations that cover many elements, is published core ecosystem services. The selection is informed by the work of the OpenSSF critical security day. Okay, grant proposal. First, it should describe the product's current state; assume we know very little about the project, how the project is critical, and what... Okay? This is somewhat targeted at going after or performing an audit of an open source project, so we'll need to add some stuff that clarifies this for this use case.

F: 30 fixes currently on vulnerabilities.
F: So I thought, so three things that I was thinking about doing in this sort of work. Having someone pen test the infrastructure, right, like the repository host, Sony; pen testing the build artifact build and upload tooling, right, like, for Gradle it's Gradle, for npm it's the npm CLI, you know, all those things; and then the third one was definitely going to be contentious and definitely be harder to pull off, is red team engagements against the infrastructure and maintainers.

F: So those are, like, actual attacker sort of scenarios where we're hiring a firm to simulate, like, a determined attacker with the intention of trying to compromise the artifact servers. Yes, Randall.
I: As a community man, or as a community member, I can tell you, and so, someone that's gathered feedback in the past, I wonder if using the word "pen test" is the best word, because some people might have direct objections to that, and I wonder if you've considered maybe just saying that we're auditing, or maybe an in-depth audit might be a little bit more, or easier, pill to swallow. Just saying.

F: There is clear-box testing, which is... but that's only if you can get access to the source code.

F: I don't know, I don't know what the other term is, like black-box testing, or, like, let's say we're going at, like, you're gonna go after an artifact server and the organization that we're gonna be auditing does offer source code or...
F: ...make the source code of the artifact server public, but they don't, like, the public... the artifact server code public, but they do have a vulnerability disclosure policy that allows you to perform an audit, right. So you can't get access to source code, but they say: here, go ahead and hack us and tell us about it, right. Right, and in either of those cases, right, in...

F: ...my brain, what's going around, I know I woke up this morning with a headache, but it's, you know, yeah. In those cases...
F: In my experience, right, having worked for a repository host, because the repository infrastructure is not being paid for, there's never a requirement to do these audits, right. So even the effort involved, like, you know, having worked for a potential company that is hosting some of this stuff...

F: They don't... it's not a priority for them to invest the energy or time in trying to get an audit done, even if it was given to them for free and they didn't have to pay for it, right. Like, that's just not on the radar, something that's important, but necessarily so. Even trying to engage with them, saying, hey, we're willing to give you this for free?

F: They still have to dedicate engineering hours to, one, guaranteeing that they're going to get and handle the reports, and receive and actually do something with them. Versus, if, taking this hypothetical artifact server organization that may or may not have a vulnerability disclosure policy that was published...

F: You can, because that organization has a VDP that explicitly spells out that, like, safe harbor is offered if you're performing an audit within this scope, you could potentially engage a company to perform an audit against that scope without the organization necessarily needing to be involved with the approval process.
A: I did a bit of research a while ago into artifact servers and who has, like, what the policies are that each of them have. I can dig this up. One second, I'm gonna look for spreadsheets.

F: Here we go. I also did this bit of work here, so this is a listing of all of the different artifact servers in the industry and whether or not they have a safe harbor policy associated with their display.

F: Vulnerability reporting process. So currently there are only two organizations that we could most likely hire a firm to go after an audit without needing them to be involved, right: GitHub and Gradle. The other ones don't have safe harbor policies.

F: I would presume that it has mostly to do with awareness of the concept of safe harbor policy, or, and/or, like, I mean... Let me go with you guys, because Python, right: Harlem security policy, reporting issues to... see, Python, whatever, it doesn't state anywhere, right.
I: So that's where I'm coming from with a lot of this, because a lot of people, like, for example, the kernel guy went on to explain to me that OpenSSF doesn't understand that there have been multiple generations of security, and security has been addressed in different ways at different points in time when certain things are recommended, and we are tone deaf to that. That was one of the opinions that came up. So that's why I think that a lot of what we should do is not be like, hey...

I: But I think... I just think the state, the way that we should approach it is, so, you know, I think at this point everyone can agree that safe harbor is kind of a best practice that is pretty much industry standard. So why don't you have one? Is it because you don't want one? You don't want to have the liability? Are there legal reasons, or is it a matter that you actually need help writing one? If you get what I'm coming from.
F: Right, and that's a conversation that's currently going on. I mean, one of the things that David Wheeler is working on is hopefully a safe harbor policy that LF Legal will sign off on. That, I mean, David Wheeler's perspective goal is to write one that is a model one that anybody else could apply, and...

F: Right, but...

F: If we can come up with something that, yeah, if we can come up with something that fits all of these boxes, or checks all these boxes, and we can give it to some of these organizations and say, hey, here's some safe harbor language you can use.

F: You know, 10-year... I think the other problem is that, like, having safe harbor language also somewhat predicates you on needing to have legal, like, provide you advice, and most of these organizations that are smaller don't have legal, don't have lawyers on staff or in their circles that they could tap into to provide those insights. Well...
F: Harbor at a high level is: if you try to find vulnerabilities in our system, and you're doing so under the pretenses of research, and you disclose the vulnerabilities to us, we waive...

F: All of that stuff, so that you're not in violation of terms of service, you're not in violations of all that stuff, and then, because you waived all that stuff, there's no risk, or there's significantly reduced risk, of the federal government coming after you for a violation of CFAA or whatever the equivalent government laws are in your country.

F: That's that, because, I mean, I know, so within the past year, I think it was announced at ShmooCon 2022.

I: So, yeah, but so then that would change from region to region, correct?
F: No, no, but there is... CISA has an initiative out where they're trying to force all government entities to have disclosure policies that also include safe harbor. So that is not going to help us with the repository hosts, but it will help us... It does help with government.

F: Fair, I don't know what the current state of the... CISA published a, like, here, you work for the, or you're a government entity, use this disclosure policy, copy and paste it, if you don't want to spend the time doing your own. But that's... that document was intended for the use by government agencies. Fair, yeah, but I think CISA also mandated that all of these, any, like, government agencies had to have a disclosure channel, like, they had to announce one.

F: This is the one that I'm working on with... I don't think I have anything sensitive in here. I've been working on this one with David Wheeler.
F: Okay, so this is, like, so this is the disclose.io one, right. So: when conducting vulnerability research according to this policy, we consider the research we can talk to onto this policy to be authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental good-faith violations of this policy.

F: ...is also used to go after hackers and security researchers, because often when you're doing research it requires reverse engineering, and reverse... it may also involve de-obfuscation, and de-obfuscation has also been tried and found to be led to violate, potential violations of DMCA. Exempt from restrictions in our terms of service and our acceptable use policy or interfere with conducting research, and we waive those restrictions on a limited basis, and lawful, helpful to the overall security of the Internet and conducted in good faith.
F: Third-party safe harbor, which is: if you submit a report in accordance with this policy which reflects a third-party service, you may be required, or have an obligation, to share certain information with the affected third party, yada yada yada.

F: For... is required by law, we shall not share your identifying information with any affected third party without notifying you. This is to prevent you disclosing to us, and then we have to tell someone else and that resulting in you getting legal blowback, because we had to share the details with someone else and your name getting associated with it, and...

F: Really, it's more like: you hack me, but that system you went after actually, I don't know, but you didn't know that, and I need to tell the downstream vendor that there's a vulnerability in the downstream thing. You won't include identifying information of the original reporter in that, so that the downstream vendor can't go after, legally, the upstream one, because they don't know who it is. Fair.

F: They're trying to limit their liability by saying we're only going to tell the person... we're gonna only give them their name if we are compelled to by law, which may happen, like, you know, judges can force and compel Microsoft to do anything, right, so they might have to. They might have to cough up this information, tragically, and then right into the public record, right. Right, fair.
F: Also standing out here: please note, we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of this policy. So they're basically saying, like, we may have to disclose on your behalf to a downstream, but this is not considered, like, we are not authorizing you to go after third parties and using our policy as something that you said, oh, well, Microsoft let me do it.

F: That being said, in my digging, and I don't remember, I haven't done a bunch of this, but in my experience, Amazon, I think, has some blanket policy, and a person, Microsoft does too, that, like... so there's this whole problem having to do with scope, right, because, let's take a cloud service provider, which is the exact example you provided, right. I'm paying...

F: On that, right, I authorize you to test it, but you accidentally find a vulnerability in Amazon's infrastructure. Correct, right, I have authorized you to find something in my infrastructure, but you have gone outside the scope of that, and so I think that Microsoft and Google and Amazon have all released and said, you know, you can provide scope permissions up the chain of your supply chain and you don't need to engage with us in that work.
I: Applies more to people that are, like, tinkering, like those people that are trying to find, like, where they messed up setting up the cloud, like the one guy that found that, if you change one number in the Google Cloud panel, you could pull up other people's accounts and do whatever you want with it. Kinda.

J: No, just, I'm just... I'm not too familiar with the topic, so I'm just enjoying fly.

F: No, it's foreign.

F: Probably, where, what ecosystem is.

F: Actually might find this useful for some of the work that you're doing, I don't know. You've got a larger team of people around you than not, so. The TAC voted on Tuesday to ratify a proposed disclosure policy that I authored with the Open Source Security Vulnerability Disclosure working group. That is...
F: One, so this one is the model outbound vulnerability disclosure policy, and this now, because it's been ratified by the TAC, is the... if any working group wants to use this as their disclosure policy for outgoing reports, I mean, it applies to any work coming out of the Open Source Security Foundation. Ultimately, the person who's doing the work to find the vulnerability can choose if they're, like, I'm...

F: Okay, they.

F: You know, I should also start including emails, so the thing that we can also potentially draft up...

F: ...edit to get us a starting point, right, to state: hey, we want to engage in this... we want to engage in potentially auditing your security, but we need you to have a safe harbor policy for us to do that. And so, if we can come up with an email that communicates that, it might be a good starting point.
I: ...by a company, but you want to know something, so this is what I get from the community. A lot of people have security teams, and, like, there's a difference between "hey, let us help you do this" and "hey, let us help your security team get the ability so that they can do more things", which is, I think, what you got to walk... All I'm saying, John, is that you got to walk that line.

I: Because, like, at Gentoo, for example, you'll run into people that are very security-opinionated, and I'm not going to say they're wrong, but they come from different generations of security, and, yeah, like, realize that Gentoo does not have an installer. So these are the people you talk to in that community, and there's other communities, because I...

I: I imagine that, like, npm has a security team, I'm sure that Cargo has a security team, and I think that we need to make sure that we're not saying, hey, your security team isn't doing their job, or anything that implies, like, that. So "let us do their job", because some people will take that the wrong way, is all I'm saying.
F: ...servers that do have SOCs, like, the company has a SOC of some kind, and those that do not, right. GitHub is owned by Microsoft. GitHub probably has a SOC. Microsoft has a SOC, right; if they have a security incident that impacts their support, their npm, they can respond with their SOC, right, perform...

F: I would be very curious. Well, some... NuGet is what, .NET, yep, yeah, and then did you send me a link to the... to...

F: Yeah, it's... and it's also 2013. I would presume that's not... and...
I: The expectations of the users are drastically different, like in Homebrew, people will download stuff, and then when they, like, have adverse effect for whatever reason, because somebody packaged something they shouldn't have packaged in their software, then they'll come back to Homebrew and be like, but why do you guys host it? So that's why Homebrew does not take any editorial approach to, like, what they upload, or they try not to. However, if a package is unsafe, they will delete it, but it's more of a community decision.

I: It's not like... but, yeah, like, long story short, Homebrew has this thing where, like, because the end-user expectation is that everything works and everything is relatively safe, Homebrew defends itself with their ideology of: Homebrew is the last line of defense and should not be relied on for security, and, if you rely on it for security, then you're just doing it wrong. Yeah.
F: Yeah, that makes sense, yeah, that makes sense. I...

F: Can you do some digging and see if you can find out, so, is NuGet hosted by Microsoft?

F: Can you... here's the link to the dot, in this document too?

F: If you could... so I found the NuGet contact page, yeah. If you can try to convince the NuGet PM to add the security contact to that contact page, that would be valuable as well. Sure. Or, and even if it's, like, Microsoft's policy applies, that actually really helps, because it means that I can just use Microsoft as the disclosure perspective for that, right. Yeah, all right, cool?

F: This has been very helpful. Let's continue to chew on this. I don't have a lot of time this week, and this might take two... this might pump out two weeks, but I want to work on this and I want to try to get something together in this initiative. So I appreciate you guys' help, I really... I...