From YouTube: OpenSSF Vulnerability Disclosures (March 30, 2023)
A: So I'm in a time zone that doesn't do daylight saving, so nothing really changes for me. It's just, you know. So if it's 8 A.M. in Brisbane, Sydney is about to transition out of daylight saving this weekend. So probably the answer is yes for Sydney.

B: I used to work with a bunch of guys from Sydney, a guy from Tasmania and New Zealand. So we always had this weird couple of weeks where all the meetings were messed up.

A: I hate, Taylor's, I hate the daylight saving transitions, right? Like, I don't mind the idea of daylight saving time. It's the transitions that suck. Agreed.

B: All right, is anyone interested in helping us with notes today?

B: Exactly. Do we have anybody new here that wanted to introduce themselves to our little merry band?

B: Jonathan, hello. All right, as Andrew alluded to, there was a very exciting vote that the working group held, and the majority of the eligible members endorsed the idea of us adopting the OpenVEX spec, tools and evangelism efforts as part of our work underneath the Vulnerability Disclosure Working Group. So in 14 hours I'm closing out the Doodle poll. So you will eventually see a recurring VEX call as part of the OpenSSF's calendar, and there'll be another meeting.

B: You can watch, and/or notes you can follow as desired. So very soon, hopefully, we'll be collaborating. I'm already involved with the US government's CISA VEX and SBOM efforts. So we're just going to try to help promote the use of VEX and kind of see if we can get upstream maintainers to embrace the idea, to at least be able to issue that, so that all downstream consumers can benefit from that information and use that as part of their own risk assessments.

B: And, you know, when we have the OpenVEX toolset, that we will be expanding upon as an option for people to follow. Any questions about that?

B: All right, and we plan on working with, I don't even know who owns it, OASIS, with the CSAF standard. We plan on reaching out to SPDX and CycloneDX, just to ensure that everybody's at least open to the idea of using VEX as a way to help quickly share information about the state of a vulnerability.

C: The autofix policy or the, wait, oh.

B: Oh, I'll talk about Luigi's thing. You.

C: Talk about artificial hands. First off, there's another document, which is the vulnerability disclosure policy for outgoing reports. It is a document describing how Alpha-Omega and any other entity operating within the OpenSSF will disclose security vulnerabilities to outside vendors. That document has currently been passed over to the TAC and LF Legal for review.

C: It is not clear to me how to get something on the TAC calendar besides, like, I sent a Slack message and they said, or I've gotten a response and I put it in their calendar.

C: It's also Jonathan with a thank you. No, it's all good. Well, okay, I made a comment about that in the TAC Slack working group channel, but it was like, this is described as a place for short things. Where do you get things on people's calendar, so they review it before the meeting?

C: Okay, I saw your, the most recent email to the TAC is, please, thank you for all your reviews, and has no responses from February.

C: Fair, all right, so that's that. The autofix meetings are still occurring every Wednesday at 4 pm Eastern. We basically had a bunch of conversations about some standards and, you know, some things about what we wanted to do, or how much we wanted to restrict people from contributing, like doing. Do we want to force people who are doing these campaigns to try to do private disclosure? And the decision was yes, because GitHub is offering an API for doing this.

C: We should try to encourage people who are doing these campaigns against services like GitHub, that are offering APIs for this stuff, to, yes, use them. So we're going to put in a flow that says, all right, if your platform supports a way of doing private disclosure via an API, here's the set of steps you should do. Yes. In other news, GitHub now supports an API for getting information from private vulnerability disclosure, or, well, from GHSAs.

C: There was no API beforehand. These are repository disclosures, not the ones that are published, but the ones that are pre-published. So there's now an API for getting that information, and there's now an API for updating that information and adding webhooks, stuff like that, so you can get, yeah. And so I'm currently writing the PyGithub bindings for that API. So there will actually be a library supporting it that is linked.

B: All right, and we had another Foundation member, Luigi, who thought it'd be a great idea if all of our GitHub repositories had a published security policy, a SECURITY.md. And so he's come to the Vulnerability Disclosure Working Group and we're going to collaborate with him. And once we get a generic policy together for the foundation, we're going to work with the TAC and OpenSSF staff to get that rolled out to all OpenSSF projects.

B: Right now, he just has a document that kind of outlines what he's looking for. The link is there, and we have not taken any steps yet. So if you had feedback on what you think the policy should contain or address, feel free to drop notes in that document, and then you also can talk to us on the Slack channel or the mailing list, if you wanted to have more of a long-running dialogue.

B: And then the item I had is, you know, since Oliver and Andrew here are both representing the OSV project and you're part of our working group, you know, what can we do to get you guys better integrated? What can the working group do to help you? What types of things do you all need to be successful?

E: So we have a draft almost ready, and we'll probably see something coming your way for approval at some point.

E: Yeah, I could talk a bit about that as well. So we have a few things going on. So we've always been trying to advocate for more databases to adopt OSV as a format.

E: We've been making slow but steady progress with this over the past few years. Most recently, Rocky Linux agreed to start using the OSV format. So now they actually natively support OSV for exporting their advisories. But yeah, so we have a pretty decent coverage of all language ecosystems, but where we're lacking a lot is Linux distribution support. So most distros have their own way of communicating about advisories. We'd really like a more uniform way that open source users can easily use for that.

E: Can potentially help with, in terms of advocating or communicating with the OpenSSF. The other angle here is we also really want to engage with the CVE and the NVD, the CVE and the MITRE folks, to help out where we care with improving processes, making sure that data quality starts, you know, at the source. I mean, everybody still uses CVEs, but the problem is, you know, there's a lot of bad data, unfortunately, coming from CVE and NVD, and it just makes it hard for everybody to triage things.

E: So Andrew has been having a bit of an ongoing dialogue with some of these folks, but yeah, it's slow moving, and I wonder if having this come from OpenSSF could also potentially help give more weight to these conversations as well.

A: I will switch out of note-taking mode and switch into participating-in-the-conversation mode. Yeah, I've been predominantly working on trying to get select CVEs into OSV, notably C and C++ software, because we don't have an ecosystem for that. So the only way we're going to get that stuff is via CVEs, and yeah.

A: CVE is fun, and so yeah, I've been having some ongoing dialogue with the NVD folks about the state of things. I, up until having this task, haven't been that familiar with the whole sausage-making machine, and so I've been getting familiar with it, and that led me to the CVE program itself. So I've been participating in the Automation Working Group and Quality Working Group meetings, mostly as a fly on the wall at this stage, just to, as I said, understand the landscape. The CVE program itself is in an interesting space at the moment, because they are literally switching over to the CVE 5.0 schema.

A: Stuff in that format, as well as accepted in that format. That's not super interesting, because my conversion work is sourcing things from the National Vulnerability Database, which is yet to do anything with the CVE 5.0 schema, and may not even, from most recent conversations, which was slightly interesting. But yeah, ongoing conversations with everybody involved with these things. But yeah, like, I've even found that having conversations about data quality is interesting, because data quality means different things to different people.

A: I'm mostly focused on quality in the aggregate, and therefore consistency across records, whereas oftentimes other folks are interested in, you know, how do they make sure that given CNAs are actually just emitting individual records that are actionable and obviously of certain standards. So yeah, even data quality conversations get interesting.

E: Yeah, I'll add, kind of more broadly, that we really want to advocate for a more kind of open model for dealing with, uh, contributing to vulnerability databases. So GitHub, for instance, has their entire security advisory database available in the OSV format, but anybody can come in and submit pull requests to fix up any things that might have been wrong, or to submit general improvements, or even new advisories through the UI. So it's just a nice way to open up the kind of process for contributing to vulnerability

E: databases in general, and I think it benefits everybody. It's a much more sustainable model for maintaining accurate advisories in open source, and yeah, we're hoping to generalize this and potentially also convince other big players.

E: Hopefully, we can kind of reduce duplicate effort through building these better communication channels.

B: So, three areas where I think the working group and the foundation can help. First off, you mentioned the distros. Two of the big three are members of the foundation. I personally know the big three PSIRT teams, so this is something we very definitely can help kind of broker those conversations between those folks. The distros is bigger than just the big three, but they can definitely start to help broker that communication. So.

B: So you converse with them and get their agreement, or at least have a conversation, that can be very influential with the rest of that list. So again, I'm glad to help broker that conversation whenever you want. Actually, Marcus Meissner, who's like the head or the technical lead for the SUSE PSIRT, he's a member of this working group. Good dude. Red Hat has good Australia coverage, so that'd be really easy to broker a real-time conversation. SUSE, Germany, sorry, and Canonical, I...

B: But we can definitely help start and then figure out. I don't know if they have like a forum where that group talks periodically outside of the mailing list, but glad to help start that conversation with them. So get me some details of kind of what you'd like to talk about, and I'll figure out how we can address that.

A: Well, the nice thing is that, you know, we are getting a little bit of organic snowball effects. So we added Alpine Linux and Debian, so we're doing our own sort of conversion of their vulnerability disclosures. Organically, Ubuntu's come out of the woodwork saying, oh, we should add this, and we're like,

A: yes, you should, that'd be great. And so I just dropped in the notes an issue where they've already sort of reached out to us. Awesome. Rocky Linux, I think we've reached out to them and they got very enthusiastic as a result. So yeah.

A: That was right, like, I can't exactly remember how that all came about, but I think I was involved.

B: But they're new and small and they don't have a dedicated team. So that is a big boost for them to have, yeah.

A: Yeah, so we're going to get to a tipping point here of network effects, where that's seen as where it's all happening. But we want to try and avoid being in a situation where we're hosting and doing the conversion work, because then it's dependent on us, right, as opposed to them just doing it natively.

B: There aren't a lot of bigger platforms than that, right. And then, so, the second point, the CVE board. They actually have been on-again, off-again participants with the working group.

B: So again, if you're interested in having a sit-down conversation with them about how we might be able to get some more openness and transparency, and be able to get that kind of community feedback into their processes, again, I'm glad to help facilitate. They historically have been very open to talking to the OpenSSF, so I don't think that'd be a problem. It's just a matter of, it's a scheduling challenge, yeah.

A: Yeah, it's fun time zone-wise at the moment. Like, the AWG and QWG meetings are like 6 a.m. my time. I just got up this morning for a PWG one. But I think it's valuable being in the room for those, right, so I'm happy to do it.

A: That'd be cool. I get the impression that they're a little bit busy right now with the CVE 5.0 transition, and so they're probably a bit preoccupied with that. I also want to go and consume, they just had like an annual summit thingy, two-day summit thingy, which I believe is going to be recorded.

A: So I want to go and consume that and sort of get a bit more state on things before I get too up in their business about how things are behaving and how they could behave or whatnot. So yeah, as I said, I'm still kind of filling out the landscape and understanding.

A: Here, and, you know, "everything's wrong, and you should do it this way", that's not a good way to win friends and influence people. So, but yeah, would definitely appreciate any, yeah. Very.

B: Very glad to do that, to broker that conversation. And again, they're very agreeable, they're interested in changing and adapting, and I think it's a win for everybody. If we can have a simple way for a large swath of open source to be able to consume and share this information back, that makes it better.

B: Everybody agreed. And then for the last point, kind of evangelizing.

B: My friend Madison from GitHub and I are doing a presentation at the North America Summit, where we're talking about CVD. So very short term, if you're interested, if you want to give me a couple slides, we can get that inserted into our conversation there. But then long term, think about, my friend Gunner used to call it a walking-around deck. Think about, let's create some kind of presentation that explains the project and the benefits and kind of asks for what we need, like we're

B: looking for contributors or people to start adopting. And we have a lot of different forums. We have the Open Source Summit Europe coming up, and the call for papers ends for that in May, and that'll be early fall. And then they'll also do another one in Asia. I think it's probably going to be in Tokyo again, but again, that's not next door, but is closer than flying to DC.

A: I would love to get ramped up and get on the speaking circuits. It's just a case of time, right, yeah. And being able to deputize some folks in other time zones sounds like a great way to scale things, right. So a general pitch deck, elevator pitch deck, for, you know, what is OSV and why it's important, sounds like a really cool thing to make. Yeah, so the Open Source Summit North America, that's in May, right?

B: And, as you guys have any big announcements, yeah, mail me, Slack me, but we can also stage it in the agenda, like for sub-project updates, saying hey, we've got a new release coming out, we're releasing a new tool, we're looking, we have an RFC out for a new feature. Whatever you guys are thinking about, we can definitely use the working group there as well. So a lot of different ways we can get the word out and start to educate people on the usefulness of this project.

B: So Chris or other Andrew, do you have any questions or comments about what we've been talking about?

B: Not particularly, I'm happy being a 10x lurker over here. No worries, no worries at all. Right. Do we have any other items? Hi, Andrew.

D: Hi, I'm just a grad student who's interested in fuzzing stuff, so.

B: Nice. We don't do fuzzing in this group. My friend Josh Bressers over in the Tooling Working Group, they actually have a project, OSS-Fuzz, that may be more pertinent to that. Yeah.

D: Talk to Oliver, yeah. Well, I don't know, I'm up for different connections for stuff. There's one Discord group that's pretty active that I joined, which is great, but which is, I think, where I saw some Google Calendar with a whole bunch of stuff on it, so that I thought I'd pop by for something. But I won't take your guys' time, but.

B: Oh, do you want to leave us an email or a contact? We can shoot you over what we've got, what we can find.

B: Do we have any additional questions or topics we want to talk about today?

B: All right, thank you, gentlemen. I appreciate your time and attention today. I'm looking forward to continuing our relationship and collaborating together, and, you know, whenever you're ready to engage with any of those groups, let me know, I'll be glad to start the footwork there. And then Oliver, did you grab Andrew's email out of the Zoom chat? Yeah. Oh, awesome. Good, cool, cool! Well, thanks, gents, and enjoy the rest of your day. Cheers, bye.