►
From YouTube: OpenSSF Vulnerability Disclosures (March 30, 2023)
B
A
B
A
B
B
B
B
Jonathan,
hello,
all
right
as
Andrew
alluded
to
there
was
a
very
exciting
vote
that
the
working
group
held
and
the
majority
of
the
eligible
members
endorsed
the
idea
of
us
adopting
the
open,
Vex,
spec
tools
and
evangelism
efforts
as
part
of
our
work
underneath
the
vulnerability
disclosure
working
group.
So
I
am
in
14
hours,
I'm
closing
out
the
doodle
poll.
So
you
will
eventually
see
a
recurring
Vex
call
as
part
of
the
open,
ssf's,
calendar
and
there'll
be
another
meeting.
B
You
can
watch
and
or
notes
you
can
follow
as
desired
so
very
soon,
hopefully
we'll
be
collaborating
I'm
already
involved
with
the
US
government's
sisa,
vacs
and
s-bomb
efforts.
So
we're
just
going
to
try
to
help
promote
the
use
of
Vex
and
kind
of
see
if
we
can
get
Upstream
maintainers
to
embrace
the
idea
to
at
least
be
able
to
issue
that
so
that
Downstream
all
Downstream
consumers
can
benefit
from
that
information
and
use
that
as
part
of
their
own
risk
assessments.
B
All
right
and
we
plan
on
working
with
I,
don't
even
know
who
owns
it.
Oasis
with
the
csaf
standard
we
plan
on
reaching
out
to
spdx
and
Cyclone
DX,
just
to
ensure
that
everybody's
at
least
open
to
the
ability
open
to
the
idea
of
using
Vex
is
a
way
to
help
quickly
share
information
about
the
state
of
vulnerability.
B
C
Talk
about
artificial
hands,
first
off
the
there's
another
document,
which
is
the
vulnerability
disclosure
policy
for
outgoing
reports.
It
is
a
document
describing
how
alpha
omega
and
any
other
entity
operating
within
the
open
ssf
will
disclose
security
vulnerabilities
to
outside
vendors.
That
document
is
currently
been
passed
over
to
the
TAC
and
LF
legal
for
review.
B
C
C
Fair,
all
right,
so
that's
that
the
autofix
meetings
are
still
occurring
every
Wednesday
at
4
pm
Eastern.
We
basically
had
a
bunch
of
conversations
about
some
standards
and
special.
You
know
some
things
about
what
we
wanted
to
do
or
what
how
much
we
wanted
to
restrict
people
from
contributing
like
doing.
We
want
to
force
people
who
are
doing
these
campaigns
to
try
to
do
private
disclosure
and
the
the
decision
was
yes,
because
GitHub
is
offering
an
API
for
doing
this.
C
We
should
try
to
encourage
people
who
are
doing
these
campaigns
against
services
like
GitHub,
that
are
offering
apis
for
this
stuff
to
yes
use
them,
so
we're
going
to
try
to
we're
gonna
put
in
a
flow
that
says
all
right.
If
your
platform
supports
a
way
of
doing
private
disclosure
via
an
API
here's,
the
set
of
steps
you
should
do
yes
in
other
news.
Github
now
supports
an
API
for
getting
information
from
private
vulnerability,
disclosure
or
well
from
ghsas.
C
There
was
no
API
beforehand.
These
are
repository
disclosures,
not
the
ones
that
are
published,
but
the
ones
that
are
pre-published.
So
there's
now
an
API
for
getting
that
information
and
there's
now
an
API
for
updating
that
information
and
adding
web
Hooks
stuff
like
that,
so
you
can
get
yeah
and
so
I'm.
Currently
writing
the
pi
GitHub
bindings
for
that
API.
So
there
will
actually
be
a
library
supporting
it
that
is
linked.
D
B
All
right
and
we
had
another
Foundation
member,
a
Luigi
who
thought
it'd
be
a
great
idea
if
all
of
our
GitHub
repositories
had
a
published
security
policy,
a
security
MD
and
so
he's
come
to
the
vulnerability
disclosure
working
group
and
we're
going
to
collaborate
with
him.
And
once
we
get
a
generic
policy
together
for
the
foundation,
we're
going
to
work
with
the
TAC
and
open
ssf
staff
to
get
that
rolled
out
to
all
all
open
ssf
projects.
B
B
B
Right
now,
he
just
has
a
document
that
kind
of
outlines.
What
he's
looking
for
the
link
is
there
and
we
have
not
taken
any
steps
yet.
So
if
you
had
feedback
on
what
you
think,
the
policy
should
contain
or
address
feel
free
to
drop
notes
in
that
document,
and
then
you
also
can
talk
to
us
on
the
slack
Channel
or
the
mailing
list.
If
you
had
one
to
have
more
of
a
long-running
dialogue.
B
And
then
the
item
I
had
is
I
was
you
know,
since
Oliver
and
Andrew
here
are
both
representing
the
osv
project
and
you're
part
of
our
working
group?
You
know:
what
can
we
do
to
get
you
guys
better
integrated?
What
can
the
working
group
do
to
help
you?
What
types
of
things
do
you
all
need
to
be
successful?.
E
B
E
B
B
E
We've
been
making
slow
but
steady
progress
with
this
over
the
past
few
years,
most
recently
Rocky
Linux
agreed
to
start
using
the
honestly
format.
So
now
they
actually
natively
support
OSP
for
exploding
their
advisories
but
yeah.
So
but
like
we
have
a
pretty
decent
coverage
of
all
language
ecosystems,
but
where
we're
lack
it
a
lot
is
Linux
distribution
support,
so
most
distros
have
their
own
way
of
communicating
about
advisories.
We
really
like
a
more
uniform
way
that
open
source
users
can
easily
use
for
that.
E
Can
potentially
help
with
in
terms
of
advocating
or
communicating
with
apprenticesf
the
other
angle
here
is.
We
also
really
want
to
engage
with
the
cve
and
the
Envy
for
the
CV
and
the
med
folks
to
help
out
where
we
care
with
improving
processes,
making
sure
that
data
quality
starts.
You
know
at
the
source,
I
mean
everybody
still
uses
cves,
but
the
problem
is,
you
know,
there's
there's
a
lot
of
bad
data,
unfortunately
coming
from
CV
and
MVD,
and
it
just
makes
hard
for
everybody
to
triage
things.
E
A
I
will
switch
out
of
note-taking
mode
and
switch
into
participating
in
the
conversation
mode.
Yeah
I'm
I'm
I've
been
predominantly
working
on
trying
to
get
select
cbes
into
OSB,
because
we
notably
CNC
plus
software,
because
we
don't
have
an
ecosystem
for
that.
So
the
only
way
we're
going
to
get
that
stuff
is
virus.
Cvs
and
yeah.
A
I'm
I'm
mostly
focused
on
quality
in
the
Aggregate
and
and
therefore
consistency
across
records,
whereas
oftentimes
other
folks
are
interested
in.
You
know
how
do
they
make
sure
that
given
CNAs
are
actually
just
emitting
individual
records
that
are
actionable
and
and
of
obviously
certain
standards,
so
yeah,
even
even
data
quality
conversations
get
interesting.
E
Yeah
I'll
add
kind
of
more
broadly
that
we
really
want
to
advocate
for
a
more
kind
of
open
model
for
dealing
with
alcohol,
contributing
to
vulnerability
databases,
so
GitHub,
for
instance,
has
their
entire
security
advisory
database
available
in
the
osv
format.
But
if
anybody
can
come
in
and
submit
pull
requests
to
fix
up
any
things
that
might
have
been
wrong
or
to
submit
General
improvements
or
even
new
advisors
through
the
UI,
so
it's
just
a
nice
way
to
open
up
the
kind
of
process
for
contributing
to
vulnerability.
E
B
So
three
areas
where
I
think
the
working
group
and
the
foundation
can
help.
First
off
you
mentioned
the
distros.
We
two
of
The
Big
Three,
are
members
of
the
foundation.
I
personally
know
the
big
three
pcert
teams,
so
this
is
something
we
very
definitely
can
help
kind
of
broker
those
conversations
between
those
folks.
The
distros
is
bigger
than
just
the
big
three,
but
they
can
definitely
start
to
help
broker
that
communication.
So.
B
B
So
you
you
converse
with
them
and
get
their
agreement
or
at
least
have
a
conversation
that
can
be
very
influential
with
the
rest
of
that.
That
list
so
again,
I'm
glad
to
help
broker
that
conversation
whenever
you
want
actually
Marcus
Messner
who's
like
the
head
or
the
technical
lead
for
the
suse
piece.
Cert
he's
a
member
of
this
working
group,
good
good,
dude,
Red
Hat
has
good
Australia
coverage,
so
that'd
be
really
easy
to
broker
a
real-time
conversation.
Suse,
Germany,
sorry
and
canonical
I.
B
A
B
But
we
can
make,
we
can
definitely
help
start
and
then
figure
out.
I
don't
know
if
they
have
like
a
forum
where
that
that
group
talks
periodically
outside
of
the
mailing
list,
but
glad
to
help
start
that
conversation
with
them.
So
get
me
some
details
of
kind
of
what
you'd
like
to
talk
about
and
I'll
figure
out
how
we
can
address
that.
A
Well,
the
nice
thing
is
that
you
know
we
are
getting
a
little
bit
of
organic
snowball
effects,
so
we
we
added
Alpine,
Linux
and
Debian,
so
we've
we're
doing
our
own
sort
of
conversion
of
their
of
their
vulnerability.
Disclosures
organically
ubuntu's
come
out
of
the
woodwork
saying.
Oh,
we
should
add
this
and
we're
like.
A
B
B
B
B
B
So
again,
if
you're
interested
in
having
a
sit-down
conversation
with
them
about
how
we
might
be
able
to
get
some
more
openness
and
transparency
and
be
able
to
get
that
kind
of
community
feedback
into
their
processes
again,
I'm
glad
to
help
facilitate,
they
historically
have
been
very
open
to
talking
to
the
open,
ssf.
So
I,
don't
think
that'd
be
a
problem.
It's
just
a
matter
of
it's
a
scheduling,
challenge,
yeah.
A
B
A
That'd
be
that'd,
be
cool.
I
I
get
the
impression
that
they're
a
little
bit
busy
right
now
with
the
the
CBE
5.0
transition,
and
so
so
they're,
probably
a
bit
preoccupied
with
that.
I
also
want
to
go
and
consume.
They
just
had
a
like
a
annual
Summit
thingy
two-day
Summit
thingy,
which
I
believe
is
going
to
be
recorded.
A
A
E
A
B
Very
glad
to
do
that
to
broker
that
conversation
and
again
they're,
very
agreeable
they're
interested
in
changing
and
adapting
and
I
I
think
it's
a
win
for
everybody.
If
we
can
have
a
simple
way
for
a
large
swath
of
Open
Source
to
be
able
to
consume
and
share
this
information
back.
That
makes
it
better.
A
B
My
friend
Madison
from
GitHub
and
I,
are
doing
a
presentation
at
the
North
America
Summit,
where
we're
talking
about
CBD
so
very
short
term,
if
you're
interested.
If
you
want
to
give
me
a
couple
slides
where
you
can
get
that
inserted
into
our
conversation
there,
but
then
long
term
think
about
my
friend
Gunner
used
to
call
it
a
walking
around
deck.
Think
about,
let's
create
some
kind
of
presentation
that
explains
the
project
and
the
benefits
and
kind
of
asks
for
what
we
need
like
we're.
B
Looking
for
contributors
or
people
to
start
adopting,
and
we
have
a
lot
of
different
forums,
we
have
the
open
source.
European
Summit
is
coming
up
and
that'll
be
the
call
for
papers
ends
for
that
in
May
and
that'll
be
early
fall
and
then
they'll
also
do
another
one
in
Asia
I
think
it's
probably
going
to
be
in
Tokyo
again,
but
again,
that's
not
next
door,
but
is
closer
than
flying
to
DC.
A
I
I
would
love
to
get
ramped
up
and
get
on
the
on
the
speaking
circuits.
It's
just
a
case
of
time,
right,
yeah
and
being
able
to
Deputy
deputize
some
folks.
In
other
time,
zones
sounds
like
a
great
way
to
scale
things
right,
so
a
general
pitch
deck,
elevated,
elevated
pitch
deck,
for
you
know
what
is
osv
and
why
why
it's
important
sounds
like
a
really
cool
thing
to
make
yeah
so
the
open
source,
North
America.
That's
that's
in
May
right
that.
B
A
A
B
And,
as
you
guys
have
any
big
announcements,
yeah
mail
me
slack
me,
but
we
can
or
stage
it
in
the
agenda
like
for
sub
project
updates,
saying
hey,
we've
got
a
new
release
coming
out
we're
releasing
a
new
tool,
we're
looking.
We
have
an
RFC
out
for
a
new
feature.
Whatever
you
guys
are
thinking
about,
we
can
definitely
use
the
working
group
there
as
well.
So
a
lot
of
different
ways.
We
can
get
the
word
out
and
start
to
educating
people
on
the
the
usefulness
of
this
project.
A
B
B
E
B
E
D
Talk
to
Oliver,
yeah
well,
I,
don't
know
I'm
I'm
up
for
different
connections
for
Stuff.
There's
one
Discord
group:
that's
pretty
active
that
I
joined,
which
is
great
but
which
is
I,
think
where
I
saw
some
Google
Calendar
with
a
whole
bunch
of
stuff
on
it,
so
that
I
thought
I'd
pop
by
for
something.
But
I
won't
take
your
guys
time,
but.
B
D
B
B
All
right,
thank
you.
Gentlemen.
I
appreciate
your
time
and
attention
today,
I'm
looking
forward
to
continuing
our
relationship
and
collaborating
together,
and
you
know,
whenever
you're
ready
to
engage
with
any
of
those
groups.
Let
me
know
I'll
be
glad
to
start
the
footwork
there
and
then
Oliver
did
you
grab
Andrew's
email
out
of
the
zoom
chat,
yeah.
Oh
awesome,
God,
cool
cool!
Well
thanks
gents
and
enjoy
the
rest
of
your
day.
Cheers
bite.