Description
Meeting minutes: https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit#heading=h.pujncb7gxv4f
A
Could have less work as long as I don't have any work, so now I'll try to give a hand here. I think the real problem we're going to have is lack of time. We've got more information than can possibly fit within the time. So do you remember offhand how much time we have?
A
All right, that's actually good, because even with that we can easily overwhelm, so we'll have to be careful about that.
B
Yeah, and I'm hoping we actually get some, you know, actual developers join us that are curious to sign up and get themselves a badge.
B
We'll get started in about 30 seconds. If you have any items you want to talk about today, on top of our action-packed agenda with such industry luminaries as Dr. Wheeler and Luigi and Jonathan.
B
All right, ladies and gentlemen, welcome to the April 19th edition of the Vulnerability Disclosures Working Group. As we do, I would love to ask one of our esteemed folks here: could you please help us take some notes? Do I have a volunteer?
B
Sorry. Would someone like to help us take notes today? Oh yeah, awesome. Thank you, Luigi, appreciate that. Do we have anyone new to the group that wanted to introduce themselves and say hello to everybody?
G
I'll say a quick intro. I'm Brian Russell. I've been in some of the other OpenSSF meetings. I work with Alpha-Omega and I work as a product manager at Google, mainly here to talk about some of the vulnerability disclosure policies that Jonathan's going to go over. So thank you for having me.
I
Hi, yeah, sorry, my audio is probably really bad, but yeah, I'm relatively new. I showed up for the first time last week and I'm still trying to get my bearings. Andres, I'm a senior at NJIT.
B
All right, well, thank you, friends. If you have any items you'd like to discuss today, please type them into the open section. Do we have any of our sub-projects here that wanted to give a brief update?
B
All right, I would strongly encourage everyone, if you are able: we hold this call once a month during the APAC time zone. So if you're in APAC, or the west coast of the States, or South America, you have the opportunity to interact with our friends in Australia, and that's where the OSV crew lives out of. So if you're curious about talking about OSV, we'll be talking a lot more with those friends in the future, so I would put an endorsement in for that.
B
Awesome. And then another one of our SIGs is OpenVEX. We just recently adopted them. They meet every other Monday at 3 pm Eastern. So if you're curious about trying to find ways to share vulnerability information across the ecosystem, that's another great place you can participate. All right, let us start: our esteemed member Dr. David Wheeler has something he would like to discuss with us. Take it away, sir.
A
So I am mooting around the idea of having a Linux Foundation-wide vulnerability disclosure policy. This is, you know, reporting vulnerabilities to a Linux Foundation project. Vast numbers do, but there's nothing that says at the top: hey, we, the LF, like vulnerability reporting. I mean, we do, but there's nothing we can point to. I did a blog post earlier that talks a little bit about this, but a blog post, well, it's, you know, it's interesting, it's not something that people are going to be easily finding.
A
So this is not a done deal within the LF, but I put in some stuff about the kinds of things I think it should say, and I just want to sound out some folks. Once I can get something to a more stable state I want to share it. But basically the idea here is telling folks: hey, if you find a security vulnerability in some project developed... sorry, by the way, for the background; they decided to start just when I'm talking.
A
So you can see the text here: if you find a vulnerability in software developed by an LF foundation or project, please report it directly to that foundation or project, using whatever they have. We'll link off to some; I mean, a number of folks already have such things. And if a project doesn't state how to report a vulnerability, you know, report to the foundation that contains the project.
A
If there is one. If it doesn't make it clear, then ask them to change their process to make it obvious. And then I have some stuff about, hey, if they don't respond after some time, re-transmit several times, and, you know, please give everybody a chance to fix them. And there was a question about how to handle things that are archived. Basically, there are projects which, you know, are not being maintained anymore.
A
They will not be maintained; we try to mark them as not being maintained, in which case, you know, just go ahead and report to the public. And if nobody ever responds, we don't want to stick it forever; that's our fault. So, you know, after some period of time, if nobody responds, release.
A
Finally, this is really an appeal to projects and foundations. We ask everybody to make it easy for reporters to report a vulnerability and be ready to receive the results. And this is where especially you guys come in, because, oh look, hey, there's some guidance that could help you do that: you know, talking about security@ your domain, a SECURITY.md file, and GitHub private reporting as things you might do.
D
Is the scope of this just LF open source, or is the scope of this...
A
In fact, thank you for asking, because the next line is basically, hey, at one time there was a discussion, right: hey, let's have a generic "if you don't know where else to report, report here". But then I'm realizing that that sounds great for the researcher, but then the next step is: oh, where does it go?
A
We're not going to know better than the researcher, frankly. And so we do have a security@linuxfoundation.org email address, but we've decided to limit that only to the Linux Foundation infrastructure, things like DNS names and the web and the main LF website, where we do need somebody for those, and those aren't actually part of any particular project or foundation or anything else. So, you know, scoping it that way. But my expectation is that most reports are going to be about specific projects.
A
So, you know, making it a redirect will just probably make things worse. So, you know, we're telling people, please don't do that. That's for this and not the other cases.
D
David, the one concern that I have is: is there a central repository of LF-owned domains, or like IP ranges or something like that, that we can say this is in scope? Because if you're saying LF-owned, right, especially when you're talking about public services running on the internet, if you can't define what that is, you can't give permission over it, or, you know, right, like to a researcher, you can't say we provide protections against all LF-owned things.
A
Yeah, I would go the other direction. In general, although there are probably exceptions, most domains that host a website will say: hey, we're part of the Linux Foundation, and so you could determine it that way.
A
A Foundation website which lists them, it's very incomplete, so right now my plan is to link to that and we'll separately work on improving that page to try to be a complete list, right.
A
Well, actually, I don't know that we need to do the sub-foundations. I think what we have to do is work with LF infrastructure; that's actually one of their main tasks, you know, keeping track of domain names. So I think probably what we have to do is, you know, we could ask LFIT to create and maintain a list, but that's the only way I can think of doing that.
A
And CRob.
B
So, a few points. In the future, if our OSS-CERT idea gets funded, that's something potentially that that organization could help out with and be that routing function, assist with that security@lf.org, potentially, right; that'll track down the maintainers. And then I wanted to note that this is not identical but is somewhat related to our next conversation that Luigi's going to talk about, where he's talking about a similar concept for everything underneath the OpenSSF umbrella.
A
Before you go there, there's one other topic that Jonathan just hinted at, real quick, yeah, and that's going to be a bigger, longer-term thing. So Jonathan mentioned this whole safe harbor.
A
We absolutely do want to make sure that it's okay for vulnerability researchers to report. I had sent an earlier draft of some safe harbor text and LF legal had an apoplexy and said no, because the way it's written basically gives a field day to attack the systems, and there are researchers who exploit that and basically say "I'm a nice researcher" while intentionally attacking the systems.
A
So we do want to give safe harbor to those who are trying to be helpful, but we do not want to give a safe harbor to those who are basically flying a false flag. So the text we're going to have to write is going to have to be a lot more subtle, I think. I don't know exactly what that's going to be. I know what the goal is. I think it's achievable, but that's something that is a current discussion ongoing.
A
To be something that involves legal, not just, you know, a technical review, yeah.
B
On safe harbor: I know the lady that helped build disclose.io and has worked internationally around safe harbor legislation. So if you're interested I could help include her in the conversation, because she has a lot of experience talking about safe harbor, and perhaps she has some language that the LF legal team might find agreeable.
D
Established the Gradle vulnerability disclosure policy, and I had a similar set of arguments about safe harbor, so I can communicate some of this stuff to a lawyer as well in a way that's cohesive, and I'm already employed by the LF, so my time is, you know, available, yeah.
B
So what does the group think about this idea? A lot of things tossed out. What comments and feedback do we have? Do we think it has merit? Anyone interested in helping move the ball down the field, so to speak?
J
My thoughts are really on the other side, being a grumpy old open source developer, thinking about all these projects that you don't even have a proper list of.
J
Are they prepared to receive this? I like CRob's idea of having an OSS intermediary there, because my experience is that it's easier to write this kind of text and publish it for an open source project than to actually implement it and handle vulnerabilities in a proper way.
A
I think the short answer is that all the major projects, the bigger ones, are absolutely already doing this. The smaller ones are not necessarily ready, but I think my view, frankly, is the goal is to get them ready, simultaneously with this. Although this is not your guys' problem, I intend to work with LF management to basically try to get all our projects ready for such things, and it doesn't have to be sophisticated. It can be as simple as, you know, if it's a one-person project, turn on GitHub private reporting and, you know, get ready if somebody reports something.
J
Yeah, but the problem I stumbled into is a culture problem. I spent 10 years in the Asterisk open source project and we were proud of every CVE we published and all the mitigation we did in the Asterisk project, but now I'm in other projects where there's some sort of culture we can't change, where a CVE is never reported, fixes are committed in dirty commits, and yeah, but we have a security policy that's very proper.
A
That's it. I don't actually care if the CVE is reported. Now, I do care in a broad sense, but I don't plan to make that a requirement. The Linux kernel folks in particular believe that the CVE process is irredeemably broken and they are not going to participate; I saw what you did there. I am not trying to fix, I'm not trying to change their opinion.
A
They all do agree that they want to receive vulnerability reports and they want them fixed as quickly as possible, and that's the goal. Whether or not a CVE is assigned, I'm going to leave that to the individual projects, because people disagree on whether or not that is a worthy thing to do. But, you know what, I'm not, if they get found and fixed.
B
So Luigi has his hand up, and I would encourage anyone else, if you have thoughts or comments, raise your hand to get in the queue. Luigi.
L
Yeah, I mean, I can understand the concern about the policy and the process, that they can be two different things. It can happen often, but I think it should be good enough and we can start, and we can see how the process works, and if we see that we can improve part of the process, we can definitely work on it. In addition, it is a good lesson for us, for the open source community; I guess we can learn something and share what we have learned. This can definitely be a good experiment.
L
We want to do it correctly. Honestly, I mean, I have worked on security policy and security reports and communication with the researcher community, or in general, for over three years. So I think that we can do it. I know that sometimes some conflict can happen, but nothing that good communication and some good improvement cannot fix. So I am not so concerned, even if I can understand why people say having a security policy and having a security process are two different things.
B
Thank you. Jonathan, then Kayla.
M
Okay, so I just wanted to kind of echo, from running the Internet Bug Bounty, which is, you know, a bug bounty program that supports open source vulnerabilities that we run, one of the things, well, the main requirement that we have in place for projects that are enrolled is that they have an open channel for vulnerability reporting. So exactly like what we've been talking about. And then the main other aspect is that there is some type of public notification of a fix, and we leave that pretty generic, because of the same topic: there are some projects that are very much against CVEs, and so we don't expect that. We also don't expect, you know, specific severity ratings that follow, you know, CVSS or anything like that, because there are also projects that are very much against that. So the requirements that we have in place are just that there is some form of security advisory by the project that says: this is the vulnerability, this is the fix, it was a security issue, and that this is published in one way, shape or form. For some projects that's a blog post; for some projects that's a CVE; it's a distro; it's one of those other aspects. So that's one of the things we ask for the open source projects that are enrolled in IBB, and that way we can reward those submissions, ensuring that the project has gone through their whole vulnerability life cycle first. So that's the base requirements that we ask for IBB; I don't think that's outside of, you know, something reasonable to ask in this case.
A
I can respond real quick. I actually agree that those are good ideas. I'm not sure I'm going to get that, to be honest, and I would rather get people, again, reporting problems and fixing them now. You'll note that this guidance encourages people to use the guidance from this group, the Best Practices Badge work, for example.
A
The Best Practices Badge actually does require that, and of course the guidance from this group recommends similar things. At this point, I'm not sure I'm going to be able to get that either, and I'm much more concerned about getting the train on the rails, as it were.
A
We can always try to add that later, but right now what I'm concerned about primarily is the potentially very long delays between "I heard there's a problem" and getting something reported to somebody who can do something about it, and, to the extent that we can make some sort of legal safe harbor, I think that is a good plan that we can manage. And I see both Jonathan and CRob, so I will be quiet.
D
Finding the unmute button. I have it. My brain's come back: on the topic of safe harbor, your concerns about actors behaving in such a way that they are using vulnerability disclosure as a guise for bad actor, you know, negative activity.
D
No, I do recognize that it has happened. I just want to put it out there that the simplest thing for a security researcher to do is nothing; like, the least legal risk they assume is to do nothing. If they want to see it get fixed, the, you know, the second safest thing for them to do is anonymously drop it on Pastebin or something like that. Right, like, there is just, from a legal risk perspective, right.
D
That being said, so that's like the base that we're working from. So in the safe harbor language that we're crafting, we have to be sure that we are not setting a set of constraints like: you have to follow these rules exactly or safe harbor doesn't apply, right. And that's, if you read a lot of safe harbor documents and a lot of things that legal companies put out there, it's: you must follow all of these rules.
D
If you don't follow these rules to the letter, if you go outside the scope of these rules, if you disclose in a way that we don't agree with, or if you do these things in some way that's not compatible, safe harbor does not apply to you. And that is a risk, and something that some people don't choose to engage in because of that, because those guard rails that legal is setting up still expose the researcher to risk, right.
A
That's a great point and I totally agree with you, Jonathan. Yeah, so, you know what, here's what I would do. So I agree with you that we do need to prevent that, and I also agree that we need safe harbor. I proposed a removal of some safe harbor text from the draft OpenSSF text, based on legal, to at least have something that could be gotten out the door.
A
But I would like to see much better, and I think that's something we absolutely can and should do. So, Jonathan, I'm going to invite you to try to work with our legal folks specifically to try to make sure that that happens.
A
That's what I'm looking for. I don't care about the format; I'm looking for making sure, because I agree with you that that's important. And by the way, I think we can totally do that. I think we can say that, hey, you know, the goal here is to not help the attackers but to help the defenders, and, you know, work from there. So I think that's totally doable, and yes, I completely agree that's important.
B
So as this moves forward, David, as Ollie pointed out, part of your challenge is going to be communications and getting the word out. When this moves forward, feel free to reach out to me, since that is... I am glad to assist in kind of figuring out a comms plan and thinking up some ways we can get the word out to the different LF projects to help encourage awareness and participation. And now I would like to transition to Luigi's topic, which is again related. It's about a reporting policy, but this one is specific to the OpenSSF.
L
Well, technically, I wanted to have an update about the safe harbor. We have discussed this in the last, what, 20 minutes, I guess, about the inbound security policy. The update is: yesterday I presented to the TAC again to have feedback and a sort of approval, and sorry for the noise.
L
We need to agree about the setup, honestly. I would prefer the first version that has a safe harbor, and if this means waiting two weeks, one more month, we can wait two weeks, a month; I don't think it is a problem. At the same time, I know that the Linux Foundation is working on a similar policy, and maybe we want to be aligned, with a little explanation, but this is an internal problem. So I think...
L
Correct me if I'm wrong, but we can stay in touch with the Linux Foundation counsel and see if we can be aligned to publish our policy and their own policy. But from my perspective, the policy is more or less ready. I am collecting comments at the moment and, except for the safe harbor, I think that we agree on the scope list.
L
We know that at the moment we don't have the PGP key. It is on the roadmap, but I don't think it is so crucial to have it for the first implementation, even if I can understand why people want to communicate using PGP.
L
At the moment, we want to implement a security policy, a security document, another way for the security community, for the students actually, to report the vulnerabilities. But in the future, if we agree on how we want to share secrets in OpenSSF, we can also introduce a PGP key without any particular issue, and yes.
L
Well, technically, it should be for the email, yeah, because, I mean, if we define a procedure, we can give a PGP key to every project or project maintainer. It's not a problem. The main issue that I see at the moment is that we don't have a standard way to share secrets like a PGP key, and it's very easy to lose them, or I am very good at losing them.
L
So without a password manager, an organization password manager or a similar approach, I don't see an easy way to have a PGP key.
D
Should we choose... but, like, ultimately, I don't necessarily... I had a conversation with somebody about PGP before, and the line that he said to me was: I don't want to talk to anybody who wants to use or needs to use PGP to communicate with. Like, yeah, I don't know, like, and, you know, that's a strong opinion, I know, maybe for some people, but I honestly don't see it as a massive blocker in any capacity.
L
The point is that there are, I mean, usually an exception, don't use PGP, from my own experience, to communicate, or Apple, but maybe there are some good reasons to use it that we don't see at the moment, and we want to have it, I don't know, but not a blocker for the first version.
A
Yeah, I mean, if somebody wants to make PGP available, sure, but I mean we've had decades to try to make PGP usable, it hasn't worked, there's no evidence it will ever work. I don't recommend PGP at all. If the goal is to encrypt the emails, may I suggest something called MTA-STS, and somewhere they're built in now. They do hop-to-hop encryption; you're already using it; all your emails are encrypted.
A
What's the issue? I would say you're solving the wrong problem, and if you worry about nation states, PGP is not going to help you as much as you think. Jonathan.
A
But basically, increasingly the email systems are all supporting hop encryption using either STARTTLS or MTA-STS, which, you know, and the last hop, IMAP, you know, you use encrypted IMAP, well, IMAP with TLS. And so yes, it's hop-to-hop, it's not end-to-end, but it's encrypted at each stage, and for most folks that's good enough, and, more importantly, they don't have to figure out how to use a clunky tool that's too hard to use, and I think that's more important. Information is hard.
L
I agree with you in general. The point is that PGP is still a sort of standard, I can't say why, and it is, for example, advised in security.txt and it is in a lot of security policies.
L
Maybe in some countries in the world you want to encrypt your tax data, but at the same time I can understand why we don't want to start with PGP, and I am not asking for this, just that sometimes people want at least to see it even if they don't use it, and this is the main reason why I don't think it is a blocker: because if the people in the community really use PGP, we can think about implementing it.

L
So that is not a blocker, just a point that maybe we want to discuss again, but without any rush or something similar. So this is my opinion.
B
I like Luigi's approach that PGP will be addressed in the future. It's not a blocker today, but, just so everyone is aware, PGP is a thing that a lot of people still use regardless of its ease of implementation. So that is something I think we should consider as an option, because we don't want to exclude any researcher or anyone within the community that prefers that method.
B
So they get an option in the future, and I like the fact that it's not a part of the 1.0 release. Any other conversations about the OpenSSF inbound policy? And again, please comment on the document; we can talk in Slack; we have a lot. Let's continue this conversation, if we don't have any further comments today.
B
We have 20 minutes left. I will divide the time between Jonathan and Mr. Scovetta. Can you get your item completed in under 10 minutes, Jonathan?
D
I don't know. If not, we're going to have another odd Open Source Security Foundation Vulnerability Disclosure Working Group meeting on a non-standard Wednesday, if that's what it comes to.
D
Okay, so we have the response from... so, okay. We've talked about the... for those who have not been in a lot of these meetings, Luigi's working on, and David Wheeler's discussing, inbound vulnerability reporting policies for Alpha-Omega and the Open Source Security Foundation.
D
There is also, well, predominantly within Alpha-Omega, the concept of vulnerabilities that are getting reported outbound, and so this is the policy for... oh fine, David, yeah, okay. So this is for the outbound vulnerabilities being reported. So this has been run by legal, Mike Dolan, and he has red-penned it, and I want to go through his feedback, and I was hoping to do that in this meeting with people live, if that seems fine, CRob.
D
Perfect, great. I've reviewed some of his feedback and the biggest concern that I had is that it comes across... it takes this document that was more easygoing and turns it into a little bit more legalese.
D
But I also see it as, like, the intention of renaming things, like, you know, using proper nouns to define things, right, like the time limit, right. So it no longer reads, in my opinion, as what humans would read but more what lawyers would read, and it's not really my intention, especially given that this is not necessarily intended to be a legal document. It's intended to be a policy for, you know...
B
Just so you're aware, within organizations capital-P Policy has certain meanings, and that I feel is very appropriate for legal's feedback. Now, if you want to convert this to a process, that would be less stringent, potentially. Well...
D
Yeah, so the policy is... this is a policy. The process is, you know, like, I don't want to build a process document, because the process is, in my mind, more prescriptive of a flow of things, how things will occur, right, and this is more like: this is how we will do things. I don't know. Brian, you have better insights, Brian Behlendorf, if you've got better insights into this.
K
We want to do the right thing for everybody and have it come across well. At the same time, if this is a standard we're being asked to hold ourselves to, right, and hold others to, I think being precise, using standardized terminology, makes sense, and, as CRob says, there's other stuff you can hang off this, like the definition of a process, an easy ingest, you know, here's a form to submit; that is the more approachable side of it. So I worry less about the legalese. I don't want to be insensitive, though, to your concerns, because you've touched a lot more researchers and developers on these topics than I have, so that's all I can add. I just don't know if, when something is published as a policy document, you know, it's going to need... it's something that legal is comfortable with, and so I would be inclined to accept Mike's comments, unless you felt like there was something dramatically wrong with them.
D
All right, I just... okay, so from the perspective of someone who's reading this document with the legal changes, and you are receiving a vulnerability report from the Linux Foundation or from the Open Source Security Foundation, right: does the legalese, or the precision and the less kind of gentleness to it, come across as aggressive to a maintainer who's reading this for the first time?
B
In my current position, I work with lawyers every hour of every day. So, from my perspective, what Mike is suggesting is very common; that's actually what I would expect. This looks like the kind of suggestions I've seen on every other kind of policy-type document I've seen throughout my life, so I don't personally see anything objectionable, doing a quick skim, but again, the perspective of a security researcher is a little different than mine. You know, my main background is enterprises, and this all makes sense to me.
B
I see exactly where Mike is coming from on these statements, and again, the real reason behind his comments is precision, because, you know, a capital-P Policy is a thing that the foundation can be held accountable to, and he wants to make sure that everybody is equally represented and protected.
B
Alternative documents: you could write a blog saying, hey, look at this awesome thing we're doing, and then you could use more layperson language. It's just, again, depending on, you know, targeting that specific audience you're reaching out to. But, you know, capital-P Policy has certain meanings.
D
The plan now is to make a final pass of this document and see if there's anything else, and then hopefully, after LF has reviewed it, our LF legal will give them a chance to re-review it before that meeting, and then we can pass it off to the TAC after that. So does anybody, after this meeting, want to pop on a call and go through these review points more directly, immediately, one-on-one?
D
That's fine. It's not important. Okay, all right, Michael Scovetta, over to you, unless anybody has any more points they want to add to the group about this topic before we...
H
Oh well, it's somewhere in the text of a SECURITY.md that you have to read, and that works well once; it doesn't work well when you have a thousand of these. And just the fact that there is actually no standard, like there's like 37 different standards, so obviously we need a 38th. But I figured, why not just have a script, because, like, looking for this stuff isn't actually like magic.
H
So can we just, like, point it at a repo or point it at a package and do our best to pull out all the different ways that we know that vulnerabilities could be expressed, as, you know, in a SECURITY.md or private vulnerability reporting or Tidelift or whatever, and, like, do that for the researcher, in which case you just say, like, boom, npm left-pad.
H
It's like, here's the contact, it's an email, sorry, and then you can do whatever you want with it after that. So, proof of concept, I wrote; I'm very happy to just give that to OpenSSF or whatever; it shouldn't be maintained by, like, me personally. I'm hoping that by next week it's, like, packaged as, you know, just a pip install thing. Right now it's a couple of different ecosystems that leverage libraries.io; I think I'm going to add deps.dev, since they just released an API, and then it'll crawl through GitHub and look for SECURITY.mds in different directories, and all sorts of stuff like that. So does this seem like a terrible idea to anybody, that, like, we should not be doing, or that someone has already done and it's like, if I would have just looked harder, I would have found it?
B
For
traditional
vendors
Mike,
there
have
been
a
couple
efforts
from
first
to
do
something
similar:
okay,
that's
not
going
to
be
applicable
to
like
Upstream,
but
anything
that's
managed
by
a
vendor.
There
would
be
I
can't
recall.
I
could
look
it
up,
but
basically
it's
a
similar
idea
like
a
security
dot
text
file
on
a
web
page.
That
would
have
all
this
short
information
like
to
report.
B
Something
call
blah
so
I
I
think
it's
a
fine
idea
and
if
we
wanted,
if
the
group
likes
it
something
again,
we
can
kind
of
endorse
as
a
preferred
standard
and
see
if
we
can
influence
the
community
to
start
adopting
something
similar
as
they're,
adding
their
security
MDS
to
yep
Luigi.
L
That
honestly
I
like
this
kind
of
idea,
because
at
the
moment
yeah
there
is
no
standard.
The
security
is
written,
definitely
a
human
way,
but
there
is
sometimes
it's
super
bubbles.
L
Sometimes
it's
not
profitable
and
I
think
that
it
can
help,
of
course,
maybe
not
something
that
is
used
to
automate
a
tool
that
scan
the
entire
internet
like
npm,
because
we
don't
want
to
cast
an
outage,
but
the
tool
is
different,
something
that
can
add
the
researcher
and
not
only-
and
it
is
interesting
because
security
insights
would
like
to
solve
the
similar
issue
where
company
project
people
have
different
standards.
L
Sometimes
they
have
documents,
but
you
don't
know
where
they
have
so
I
think
it
is
a
very
good
way
to
proceed
and
I
like
it,
because
I
mean
I,
invest
time,
sometimes
to
find
the
right
contract
to
write
maintainers
and
if
they
don't
have
a
security.md,
but
maybe
they
have
other
documents
that
are
not
Linked
In.
The
repo
yeah
you'll
need
to
look
for
them
and
yeah.
So
I
agree
with
Michael.
H
Awesome-
and
we
can
also
add
kind
of
like
we
could
have
a
list
of
like
known
places
where,
like
we
actually
know
the
contact,
but
it's
not
discoverable,
and
we
can
kind
of
whatever
embed
that
as
a
text
file
or
something
and
just
try
to
keep
it
up
to
date,
to
override
cases
where,
like
we
literally
can't
do
any
better
purely
from
a
tool.
B
H
H
D
Related
to
like
finding
I
mean
just
more
industry
related,
but
there's
security.txt,
which
is
an
RFC
standard
yeah,
that's
that's
the
other
one
I
spoke
with
Madison
about
this
topic
in
the
past
about
trying
to
parse
security.md
files.
D
The
problem
is
that
like,
if
you're
trying
to
automate
vulnerability,
fixing
at
scale
or
you're,
trying
to
automate
vulnerability,
reporting
at
scale
and
maintainers,
are
really
net
negative
on
reporting
at
scale,
because
they
think
that
the
reporting
at
scale
is
just
usually
low
quality
fud
in
in
their
experience
you,
when
you're
trying
to
do
stuff
like
that
at
scale
like
especially
when
you're
dealing
with
like
multiple
different
jira
instances-
and
you
know
like
you
know,
Jenkins
has
their
own
to
your
instance.
D
You
know,
apache's
implementation
has
their
own
gear
instance.
If
you're
trying
to
report
to
all
these
different
projects
at
scale,
you
have
to
create
logins
for
every
single
one
and
then
you're
suddenly
dealing
with
having
to
automate
creating
logins
and
stuff
like
that,
and
it's
if
that
it
like
diminishing
returns
right
like
it's
totally.
H
Agree,
just
I
may
have
not
looked
hard
enough
and
in
the
right
representative
places,
but
in
every
place
that
I
found
a
contact,
it's
been
it.
Basically,
it's
been
email
or
like
a
web
form,
so
I
haven't
had
the
case
where
someone
said
the
only
way
to
report.
This
is
to
create
a
jira
instance
for
security
issues
for
regular,
bugs
I've
seen
that
a
lot
but
for
security,
there's,
usually
a
a
shortcut.
D
D
E
I
was
I
was
going
to
mention
the
same
thing
in
my
experience,
I've
having
to
do
Mass
reportings,
a
lot
of
companies
will
just
Outsource
it
to
hacker
one
and
then
or
something
similar,
and
it
does
create
a
roadblock.
But
an
audit
Trail,
which
David
said,
is
not
a
requirement
to
have
an
audit
Trail
yep
I
was
just
gonna,
add
my
two
cents
for
that
yeah
I.
H
Mean
at
the
end
of
the
day,
like
we'll
see
in
practice.
So
if
we
have
a
thousand
vulnerability
report
and
we
can
get
800
of
them
done
through
easy
means
and
there's
200
that
we
have
to
like
manually,
do
the
thing:
well,
it's
better
than
doing
it
for
200
than
a
thousand,
and
we
just
know
that.
That's
like
the
the
pain
of
of
of
reporting
stuff,
you
know,
I,
would
just
we'll
give
it
a
shot.
M
If
I
could
just
jump
in
here,
real
quick
I
think
you
know
being
at
hacker
one.
You
know
you.
Never
you
never
address
the
situation
until
all
of
a
sudden,
it's
here
and
so
I
think
the
idea
of
mass
in
Mass
vulnerability,
report,
high
quality,
vulnerability
reporting.
You
know
it's
it's
it's
we're
talking
about
it
because
it's
up
and
coming
so
maybe
that's
something
that
could
be
discussed.
Michael
like
if
you
want
to
reach
out
or
if
anyone
else
wants
to
reach
out
about
you
know.
M
D
That
I
appreciate
that
that's
awesome,
I
would
encourage
you
if
you
have
the
time,
join
the
autofix
Sig
meeting
groups
too,
which
are
again
every
Wednesday
at
4
pm,
Eastern.
D
No,
sorry
every
other
Wednesday,
because
that
is
an
area
that
we're
discussing
our
plan
for
the
future.
Moving
forward
for
most
organs.
Nations
is
to
at
this
time
encourage
them
to
enable
github's
private
vulnerability
reporting,
which
now
has
an
API
to
let
us
report
via,
but
I,
know
that
that's
not
that
doesn't
plug
into
a
lot
of
corporate
disclosure
programs,
and
so,
if
there
is
a
way
we
could
do
this
with
hacker
one
or
something
like
that.
D
The
biggest
concern
that
I
have
is
that
when
you
go
to
hacker
one
or
you
go
via
disclosing
that
way,
a
lot
of
those
companies
have
even
in
their
private,
their
public
disclosure
policies,
terminology
that
restricts
how
you're
allowed
to
disclose
a
vulnerability
and
whether
or
not
you
can
like
they
basically
wave
Safe
Harbor.
D
If
you
disclose
in
a
way
that
like,
if
you
want
to
disclose
a
vulnerability,
a
lot
of
them,
State
like
you,
can
only
disclose
with
permission
and
stuff
like
that,
and
so,
if
we
we
would
I.
Don't
think
that
as
a
group,
we
would
be
willing
or
able
to
accept
those
terminal
that
terminology
Corp
launch
without
a
carve
out
that
hey
the
work
that's
been
performed
under.
This
is
known
to
not
going
to
be
disclosed
and
and
companies
that
are
accepting.
That
have
to
have
to
be
aware
of
that
and
accept
that.
L
Yeah
now
I
want
just
to
say
that
I
can
run
can
be
not
the
right
example.
Sometimes
because
there
are
private
company
and
vulavity
are
on
the
infrastructure
and
we
are
talking
about
open
source.
So
probably
the
policy
of
less
stick
I
know
that
some
company
want
to
have
the
control
also
on
the
open
source
projects
and
disclosure
about
the
opposite
products.
But
maybe
we
are
just
lucky
I,
don't
know.
D
Yeah
the
policies
tend
to
be
for
the
infrastructure,
and
then
they
also
add
open
source
in
scope.
Maybe,
and
then
it
just
becomes
something-
that's
very
overly
restrictive
because
they're
they're
talking
about
their
infrastructure
and
it's
a
toss
in
afterwards-
and
it's
like
this,
this
world
of
no
disclosure
does
not
work
for
open
source
when
you're
publishing
stuff
right,
it
needs
to
be
a
cve.
B
D
A
Do
I
I
have
that
I
have
very
few
superpowers,
but
that's
one
but
I
have
another
meeting,
so
I'm
gonna
be
I'm.
Gonna
turn
it
off.
Now,
if
that's
okay,
everybody,
because
it's
no
longer
that
meeting
it's
a
it's
a
breakout
and
I'm
gonna,
let
Jonathan
I
guess
be
lead
on
this.
Yeah
come.