From YouTube: Vulnerability Disclosures WG (November 16, 2020)
A: Sharing, okay.

B: Okay, okay, so let me share my screen and, okay. Hi everyone, I'm Teppei Fukuda from the open source team at Aqua Security. First of all, thank you for taking the time today. I'll be talking about CPE embedding into binaries or Docker labels.

But I'm not sure this topic should be discussed in this working group, because it's the first time for me to join this meeting. So if that's not the case, could you please forward me to the right place? But okay, so let's get started, yeah.
B: So, yes, here. So there are some challenges: vulnerability scanners cannot detect the vulnerabilities of self-compiled binaries, because there is no standardized security advisory for self-compiled binaries, and we also need to associate the binary with vulnerability information. So, in other words, we have to generate the software bill of materials from binaries.

I think that we can use CPE, Common Platform Enumeration, for the purpose. I'll explain it later, but we don't have to use CPE. Maybe we can use a package URL or a software ID or something else, but in this proposal I'll be talking about CPE. CPE represents the software and the software version, so in this case, for Redis, cpe:2.3:a:redislabs:redis. So this is a CPE name, and also the NVD, National Vulnerability Database, which has all information about CVE-ID-assigned vulnerabilities, provides CPE lists. As you can see, in this case redislabs:redis is affected by this vulnerability. So we can associate, we can cross-reference the software information with the security advisory from NVD. So the goal of my proposal is associating the binary with a CPE name and making use of it for vulnerability detection, okay.

We know just only the binary name, in this case it's redis-server, but we don't know that redis-server is from Redis Labs. So we don't know the vendor name from the binary, and also the binary name is redis-server but the product name is just redis, so they are different. So we have to know... redis-server.

So it's a little bit difficult to know vendor, product and version from binaries. So there are some approaches to detect the CPE name from a binary: hash-based, version-option-based, and so on. The first approach is preparing the hash-based mappings in advance: calculating the file hash of the binaries and storing it in the database with the CPE name. Actually, not only the CPE name; maybe the binary information can be stored with the hash.

Anyway, we have to calculate all hashes of the binary, but of course it requires a huge database, because if the version is incremented from 5.0.0 to 5.0.1 the file hash will be different, so we have to calculate the hash again and store it in the database. So it's a little bit difficult.

Also, the second approach is version-option-based. At first we have to prepare the mappings between the binary name and the CPE of the product.

Redis was compiled with gcc 2-point-something, I don't know, but anyway we have to format the output like this with cut and sed, awk, or something like that. And, as you know, the -v option is not standardized: some software uses --version, some software uses -v, Java uses -version, and OpenSSL uses just "version" without a hyphen, and -v is just "version". So -v is not standardized, so we have to prepare all options for each software, and so it's almost impossible.

So anyway, it's difficult to generate CPE names from self-compiled binaries. Okay, so my proposal is embedding CPE names into binaries or Docker labels. The first proposal is adding a new section for the CPE name. In this example, I just build the Go binary from the Go source code and embed a new section named "cpe" into the binary with the objcopy command, and of course after that we can extract the CPE information from the binary with objcopy or any programming language, such as C, Go, Rust, anything.

So now we can generate the CPE name from the binary, and ideally it should be done in the Makefile of each software, but if it's difficult, I think we can do it in the Dockerfile, like this: at first it builds the Redis binary with the make command, `make -C redis`, and embeds the CPE name into the binary with the objcopy command, and after that installs the binary. So now the redis binary in the Redis official image has the CPE information.

So my goal is to improve the accuracy of vulnerability scanners. So, to be honest, I don't care about how to achieve it. Ideally we can embed the CPE name or any software metadata into binaries. It's useful for host scanning, not only container scanning; I mean virtual machine scanning or bare-metal Linux scanning. And also, if it's difficult, we can embed the CPE name into the Docker labels. It's useful only for container scanning, but not only for Trivy, our scanner, but also all scanners, and yeah. So any means to achieve the goal.

Actually, I think we can use CPE and package URL, software ID and CycloneDX, and so on, and yeah. So anyway, I want to detect vulnerabilities of self-compiled binaries. I'm saying self-compiled, but I mean any software that is not easily cross-referenced to security advisories, so any software for which it is difficult to detect vulnerabilities.
D: Real quick, yeah, thank you. May I jump in real quick? This is David Wheeler. Yeah, so I don't know if you... you probably haven't been able to follow the chats while you're presenting, but just as a quick note for those who haven't noticed the chats and notes: this has actually been proposed before to OWASP Dependency-Check. Dale Visser actually proposed a spec and, in fact, a pull request to do this for OWASP Dependency-Check at the time.

It was rejected for reasons I actually don't agree with, and so I think it's a perfectly valid time to... yeah. And if you look up, Anonymous Penguin, if you look right above the text, right above, already notes this, and that includes the link. So I think it's a good idea. I think CPEs can be embedded, PURLs can be embedded, I would embed a home page URL. I don't...

I suspect you can't embed SWIDs, because SWIDs are hashes and you can't embed the hash and then reproduce the result of the hash as the result. But that's okay, nah, I'm not... you know, not being able to support SWIDs is not really a problem. So I think this is... this makes sense to me. Other thoughts? This might require some revisiting of past decisions.
E: I can bring that up, but I deal with vulnerability management every day, and he was editing extensively, so being able to map a piece of software a little bit better to CVE is really helpful, because from a developer or software maintainer perspective they want to know if there are vulnerabilities in what they use or what they're responsible for. So instead of waiting for a scanner to run through, they want to say: okay, these are the products that I care about.

Is there a new advisory that comes in that has that mapping? So it would be useful. I would say that having sort of an abstraction of "here's the binary, there's a unique identifier, an identifier of type CPE, and then the CPE details" might be helpful, in case there are others that also might be used further down the line, because NVD themselves are trying to sort of push, for example, for a better approach, such as with tags.
D: Well, "only game in town" is a little challenging. You've got...

And you've got home page URLs, and I think my understanding is that there's a fight within NIST: some folks think that everything should be SWIDs, because that's an ISO standard and ISO standards are perfect in all possible ways. The only problem is that SWIDs actually don't work, because they don't have any version information. Every SWID is a single-version ID, so you can't say "from version one to version seven", which is absolutely necessary for a reporter system for identifying vulnerabilities.
E: Yeah, I did talk to them about that, and they did say something about the ranges, but I would just clarify: when I meant "only game in town", that there's an identifier to CVE that exists, that doesn't mean in the future it won't be... it's just right now the most useful one would be CPE, although it has its own problems, right. So it's not necessarily perfect. It has data quality issues and hopefully, in the future, we find a better approach.
D: Yeah, there's a chat discussion about "if more software vendors supported SBOMs, I think that solves the issue." I think he got it backwards. This helps solve the SBOM problem. Right now the solution is "make sure that every single developer across the planet always provides SBOM data, absolutely with perfection."

I wouldn't put a timer on that, but if people start embedding this data, we don't have to have everyone simultaneously do everything all at once. We can have... and this provides them a way to extract it.
E: Yeah, I would say it's multi-layered, so the first layer is the CPE: what is this binary code, what vendor it is, and so on. The second part, which helps with the overall software bill of materials, is what is it made of. So, if you find like a vulnerable library, a critical vulnerable library, you want to know in your entire estate where it's located, or in which pieces of software it's in.
A: The current issue we're discussing right now is that normally, if you're relying on some sort of package manager to get your software, you have technical means of identifying that piece of software, but if you just grab, fetch the source code and run make, like this, this information disappears.
D: It seems the problem is: here's the binary, where's it coming from? If all you have is... if you have the source code, then you have more information, but most people don't, you know. Even if source code exists, they're going to run the pre-packaged binary, not recompile it themselves.
G: Yes, even if they run the pre-compiled binary, at the time that the binary was compiled the CPE information could have been embedded in it. So, even if it's built on an automated build or something like that, if the maintainer can make sure to embed the CPE information, then everyone can benefit, even end users who don't have the source access.
F: I'm sorry for my camera, but one of those problems is, I think, that CPE embedding is easy for the binaries, but you still have issues with scripting languages like Python libraries or Perl libraries, which do not...
B: So in that case, of course, it's difficult to embed the CPE name into the Python packages, and there will be packages, but it's okay as a first step, because they already have the metadata, standardized metadata. So, but...
F: So you'll sort of have several different... you sort of end up with several different ways to sort of fetch the CPE information, which is a slight improvement. But I don't think it necessarily solves the entire problem which something like SBOM or bill of materials would potentially solve.
D: Yeah, again, I think for the vast number of situations, you know, the SBOM has to come from somewhere, and if I have a binary, where is this data coming from? And the current answer is: you don't get it. So I think you're assuming the SBOM exists and therefore it solves it, but this provides the SBOM the data to create those higher-level SBOMs.
A: Right, so getting back to why we're here: I see this as something that we, as a working group, could get a proof of concept of, like how an open source developer could provide that information, probably by, you know, embedding something in the source code, the build scripts, or things like that. So I think the best avenue is to continue the discussion in the GitHub issue and try to come up with some sort of next steps in that.

But I think this is super interesting, because it sounds like it's a missing step in the whole SBOM story which, as I'm understanding, is a huge part of the open source vulnerability disclosures. Alrighty. Thank you. That was super interesting and super useful. In the interest of time, I would pass this to Art and Emily to tell us more about VINCE.
I: Sure, thank you. Thanks for having us. I threw a suggested edit into the Google Doc meeting notes. My company is trying as hard as we can to sign up for, join the Linux Foundation and join this working group.

We're hung up on our side in a stupid, bureaucratic document-signing problem that I will get resolved, but very excited to be here, and I was very excited to see the first topic. I didn't know what to expect, but that's something I'm spending a lot of time on as well, so not directly related to VINCE but strongly indirectly related to VINCE.

So I'm Art Manion. With me also is Emily. Hi Emily.

We are an FFRDC with a research "make the world better" component, so part of that is also to help other people, other organizations do that work better. To that end, oh yeah, so all the credit goes to Emily, because she is the lead developer, almost the only developer. Perhaps we have an infrastructure person, and we have Emily and a bunch of users who keep chatting with Emily all day about, you know, feature creep and dumb bugs and things we want to have changed.

I would not call myself one, so this project has also been very eye-opening in terms of, you know, producing an internet-facing web app, and we'll get to this in a minute, but we're planning to open source it and try to figure out what an open source dev process and community looks like, you know, first hand. Anyway, though, sorry, let me get back on track. So this coordinated disclosure practice we've been doing with a mishmash of tools: Lotus Notes, ancient Perl 5 code, lots of email, various versions of PGP and GPG over the years, and we've been, you know, for a long time, looking for a better tool solution.

This led to lots of looking around at off-the-shelf stuff. Nothing off the shelf fit; off the shelf plus custom dev, eh, nothing fit well. Custom dev plus off the shelf wasn't a great solution for us. Largely due to Emily's interest and availability, we went with just custom, so VINCE is a Python, Django and other stuff based web app, or maybe three or four web apps that work together.

Sorry, it starts with M, okay, so May. We are very much doing testing in production, although we're, you know, several months down the road, so some of the major issues have been worked out. The idea here is basically, if it makes some sense, a, you know, internet-facing, you know, bug tracker. GitHub Issues tracker is the right vague direction, but with security and privacy.

So it's not public issues, and the multi-vendor component, which touches on the supply chain problem and the SBOM problem, was really where we found nothing off the shelf that fit. So, right, I can just run Jira or, if we get the open source thing, I used to run Trac or something, Bugzilla. I believe those all support, you know, user access and authorization, access control.

But what does that issue look like that has one vendor, one researcher, one coordinator? It's got three participants, you keep it private, great, you fix it, it's published, great, publish it. You know, I'll look at Google Project Zero, for instance: they have a bug tracker. I don't know what they use, probably some Google thing, and they eventually make the bug public and you can see all the history there. The bugs we deal with are dozens.

VINCE, yeah. I'll ask Emily to maybe type it in the chat or post some URLs in there. We have... so let me actually stop a minute. I don't want to take up too much time. We have some slides, we're not against doing a live demo. I don't want to abuse our time. What are we looking at?
I: Well again, we can be flexible. We've done this show, Emily and I are getting used to this particular show, but we want to be, you know, cautious of the time frame and people's interest. So we're new to this forum. So please just tell us, you know, "you have 10 more minutes or 20", or "yes, please call your time at the demo", or "Art, keep talking", or "Art, don't keep talking". Just tell us what you'd like. We'll get back to what VINCE is. David, to your point: yeah.
A: Yeah, I think we have, time-wise, something like 10 minutes. It's probably realistic.
I: Emily, would you mind sharing your screen and running a demo, and I'll just quickly try to quickly shut up about kind of what it is, to try to answer David's question, right. So, if anyone's familiar these days, I guess the modern version of this is also, you know, Bugcrowd or HackerOne, right.

Somebody can submit a vuln report, a vulnerability report, to us. Currently only CERT runs VINCE. We have, again, plans to open source it, let others run their own instance. We're figuring out how to make it bigger, but someone can submit a report of a security bug to us. They can do this anonymously, without putting in their name, or they can log into VINCE first and submit it.

You know, it works for people who know how to use it; when you get beyond three or four people that breaks pretty badly. So, right: web-based HTTPS as opposed to email-based PGP for crypto; tickets, a case; we open a case in here, we can invite vendors.

All of the vendors invited know who's in the case. There's no wondering "hey, is the other Linux distro in here or not, I don't know". You can see all of that. Hey, is the Japanese coordination center in here? Are the Finns in here? Is the US in here? Is CERT/CC in here? Who are the coordinators? Who reported this? Who are all the vendors affected? That's just transparent on the case.

Anyone in there can see sort of what's going on. So the case is in here at this point, you know. The overall point here is the coordination: the private coordination for a vulnerability happens here.

In the end, VINCE also is our content production and publication system, so we can produce our advisory, we call it a vulnerability note, which is, you know, our direct need here, but the overall goal here is that there's a great internet-facing, accessible platform, web-based not mail-based, for private coordination of vulnerability reports that CERT/CC is participating in. Overall, we remain, as we were before, open to anyone reporting anything, and we pick and choose our cases based on...

I will say that supply chain problem, multi-vendor problem cases don't have an easy answer, and that's where we find a lot of our work still happening, and that's... it was a major design consideration for VINCE to handle multiple vendors affected by a library or a protocol vulnerability, or some shared tech that, upstream, they all end up sharing. I'm hitting my pause button. Emily, please speak up if you'd like, or anyone else, for questions, yeah.
D: What this is, it looks to me that this is a security vulnerability issue tracker, but it's designed to support multiple affected suppliers and projects and multiple relevant researchers, enables private reports and discussions, and it's web-based instead of email-based. Have I got the basic idea?

I: Yes, thank you.
J: So let me, I'll just kind of go through what Art was talking through there. So someone can submit a vulnerability report through our web form on kb.cert.org. You can create an account before you submit the vulnerability report. If you create your account, then you'll be able to potentially participate in the coordination process.

So I did one earlier today. When that comes in, it comes in as a ticket, and we kind of evaluate that ticket and determine whether we're going to take that case, right. Sometimes it's as simple as the reporter didn't have the vendor contact information. So typically we won't take cases like that. We might just get back to the reporter and say: hey, here's the contact information.

But if we do take the case, then we can add information like the vulnerabilities. We can add vendors and notify them, and participants, and all that then creates a case discussion in what we call VinceComm.

This is kind of the portion where all of you can create an account and come potentially participate in the coordination process, but it's very similar to a message board once you log in and you get access to the case, which means that one of our coordinators gave you access, whether you're a vendor organization or reporter.

We have to give you access to that case. You can go actually see the original report that was submitted to us. You can see any of the vulnerabilities that we had added to the case, and then the expected date public, and then basically what this is, is you just kind of communicate with everyone in the case. You can tag people, you can tag the reporter, you can ask for more information.

And it will send email notifications. That way you can come back in and see, you know, the case discussion. We ask vendors that are involved in the case to submit their status and statements. So you can do that here. You can see all the vulnerabilities.

Whether or not you're affected, and then potentially submit a case statement and URLs that you have. So that's pretty much the gist of it. I know we don't have a ton of time, but there's also other things. You can direct message us at CERT through this portal, you can update your contact information. Every organization has a group admin, so you can add additional users to your organization's cases, and so they can get access that way and they don't have to go through us, because we didn't want to change, or we don't...
I: Yes, and while I am perhaps not the best project planner, and that's actually entirely true, we do plan to basically open source VINCE, and that is one of the routes towards others running it. We've had, we have had interest, and I mean, you know, we looked really hard for something off the shelf. There wasn't anything, so that to me is, might be a very small market gap, but seems to be a gap.

We deal a lot with, right, maintainers, developers, vendors, vendors who have security teams. We've heard lots of stories over the years about what they're doing, right. Great stuff like an Excel spreadsheet and SharePoint is a common starting place for some people. The existing bug tracker and trying to put some privacy on it is a starting place for a lot of people; a lot of home-built stuff, a lot of attempts to bastardize CRM and trackers and things. So we are, we are planning to open source and let anyone run it.

Yes, yes, I'll put them in the chat, and again, despite my organization's best efforts to stop it, we're trying to join and regularly attend this working group, so you will hear more of me and I'll be louder about... anyway.

I'm planning to join, so hopefully we'll see more of you folks. I'll put email in here as we part. Emily reminds me about the API, which I threw in the chat as well.

Despite not liking PGP and email, it's a lowest common denominator of sorts, lowest common comms channel. If everyone's got their own custom web app, how do you talk to each other, right? Everyone having a login and using their own fingers on someone else's web app is not going to scale really well. We are super interested in how to get that to work. I imagine the answer is a common-ish API, but to be common, of course, you need input from people who are doing this, not just us.

So one of our next efforts is to build out the API a little further with some early adopters and then start a discussion somewhere about what does a common vulnerability coordination API look like, something generic enough that everyone can use it. Bigger discussion, but we're open to all kinds of input on that. Okay.
A: Yeah, thank you, that was awesome. I think this is also a topic that is a very good fit for our working group, like enabling that coordination and data exchange. We have identified that very early on as something that is important to us, and I already saw somewhere that you can generate CVE JSON documents. So this is one of the things we're going to be looking at as well. Yeah, and welcome to the working group.

You don't actually have to be a Linux Foundation member to participate, which is pretty great. Okay, and we started with an SBOM-ish discussion, and Steve joined because he was supposed to join in.

Hey, welcome. So Steve was kind enough to offer to show us how one of the SBOM standards supports vulnerability information sharing and remediation tracking.
K: Absolutely, yeah, thanks for having me. Obviously, what I'm going to show is how CycloneDX does things today. If you were on the NTIA VEX subgroup call a couple weeks ago,

I think it'll probably be a very similar presentation. Hi Art. But let me go ahead and just share my screen.

Okay, great. So, real quick, CycloneDX is a software bill of materials specification. We've got a formal standardization process, but these are the tenets. This is the way CycloneDX actually approaches standards-based development; it's very unlike most standards development processes. By design it's risk-based. But for the sake of this conversation we're going to focus on the facts first, because that's really going to matter once we talk about vulnerability disclosure and then remediation.

So, just to kind of level set what it is that we're talking about: CycloneDX is extensible. The core, the base specification, supports only static factual information, so these are facts that do not change over time. Now, CycloneDX extensions are what you can build on top of that, right, and this is really intended to provide support for opinions, observations, dynamic facts which may change over time.

So CycloneDX supports, again, it is a software bill of materials specification, but it's a security-first SBOM spec, and being security first we have a lot of security-like features, so we support remediation and disclosure. Now the remediation is actually built into a component's pedigree: I'm using X component, I fixed a security defect in that component.

I have a component, and maybe I am using a vulnerable version of Apache Tomcat, right, but for whatever reason I can't upgrade, and so therefore I'm going to patch my version of Apache Tomcat. So I can make a patch, I can optionally document the commits and/or the diff that the patch actually is, but I can also say that it resolves zero or more issues. It resolves a security issue, it resolves a defect, it actually adds some additional functionality, but I can specify specifically what security defect my patch actually resolves.

In terms of remediation, it does not attempt to communicate the effectiveness of the remediation. That is, you know, usually the job of a security researcher, right. It is the opinion of somebody based on their knowledge at a point in time, so based on that the effectiveness is not actually included in CycloneDX. We don't even attempt to address that problem.

CycloneDX also does not describe remediations that occur in a build, at runtime, or as part of an environment which is outside of the code that you're actually describing. Many remediations can take place outside of the code that the SBOM actually describes. So we don't address that either, but that can be addressed through configuration management tools.

Now, for vulnerability disclosure, a component can be affected by multiple vulnerabilities, right. These are dynamic things, they can change over time, and therefore the vulnerability disclosure capabilities are not built into the core specification. It is an extension. Multiple SCA vendors, multiple container security vendors are using this extension today, so lots of folks are using this today.

Essentially, what it does is this: for any given component, I'm referring to the package URL of that component in my SBOM, and I'm describing that this component is affected by CVE-2018-7489.

I can have zero or more risk ratings, so I can have this particular risk rating as a CVSS v3, I can also have a v2 in there, I can also have like an OWASP risk rating and other risk ratings as well. So it is possible to say that this vulnerability has CVSS v2 and v3, but it's also possible to use the OWASP risk rating to give a more realistic view of what the actual impact is.

A couple notes on disclosure: the vulnerability extension communicates instances of vulnerabilities, and this is important because it leads to increased BOM size, right. If I have more than one component that is affected by the same vulnerability, I actually have to, per the spec, describe each one separately, and the reason being is that they could both have completely different risk ratings.

Let's see, oh yeah, it's not perfect. Extensions are a way to collaborate with the community, do so very, very quickly, and do so in a way that isn't, you know, necessarily confined to a slow-moving standards process. So we are improving the vulnerability extension. We are currently working with Snyk, who is participating in some of these improvements.
C: Hi, this is Reid. My one comment would be just that, you know, every single time we have one of these meetings, it seems somebody has a different format for kind of describing a vulnerability, so there's clearly a problem there: that we all have different formats that are incompatible with each other, separate from the SBOM stuff, but just like describing the vulnerability itself. So that's just something of note that maybe this group, I know, has looked at, but maybe should also see what we can do there.
H: Yup, go ahead.

I: Sorry, I have a list and would be happy to contribute. It might be a starting point, if you'd like, yeah.
A: So we also have a starter list, so I'll send that to you and you tell us what we're missing, but I think the important context is that we want to see how well those formats work for, like, open source use cases, and one of the things that we need to do,

I think in parallel, and kind of compare and contrast those two things, is to elaborate on the pain points we're trying to address for various actors in the ecosystem, right: so maintainers, security researchers, or also coordination centers or companies that do, for example, vulnerability disclosure for downstream software or upstream software, sorry. So there's, I think, some work on analyzing the formats themselves and also, like, how do they work for use cases we care about.

Oh, thanks for the spreadsheet, we'll add it to the meeting notes. Oh sure.
A: Cool, do you have any more questions for Steve, while we have him here?
K: Of course, anytime, and I'd be curious to know if this group ever comes up with a, I don't want to say a standard, but at least an agreed-upon way to do things; that would definitely improve the situation, I think, and I'll definitely be watching this working group going forward, because I think it's going to...
A: Yeah, there's, like I think, right now, honestly, maybe it's my personal perspective, we're just now right in more of a discovery mode: what are the problems to be solved, what's the prior art, and I think going forward there are really a few interesting ideas to work on. And while we have a few more minutes, Dan, you wanted to chat about a project that could use some help and advisory. So maybe if we can squeeze that in.
L: I think I can be brief here. So I get to work in a couple other umbrella open source organizations that have a lot of different projects at different sizes, different places in their maturity life cycle, and I'm looking at helping to pair up between our working groups and these projects, where they've got different needs that OpenSSF contributors can help them with, and then vice versa it looks like a good opportunity to feed in requirements.

In this case, there's a relatively young project called Cactus, and I can put the details for this into the meeting notes, but they just went through Dave's badging process, and one of the discoveries for them was they didn't really understand vulnerability reporting and disclosure, and they're looking for somebody to help give them a few pointers on how to get started with best practices there.

So I'm looking for one or two volunteers that are willing to show up to one of their weekly meetings. They meet Mondays at 6:00 pm Pacific time, 2 am GMT, and it could probably be in any of these upcoming weeks.

Okay, so you can reach out on Slack, or I'll also drop my email into the chat here.
A: Yeah, or you can either create a GitHub issue, those work pretty well, or post to the mailing list; both of those will work fine as well, but I can take your email as well and take it from here and coordinate all of that. So I think this is a very fair trade, trading advisory for requirements. Sounds awesome to me. Alrighty, we're...

We have one minute. Any last-minute questions, comments, thoughts?
L: And I can go ahead and put the issue in, so you don't have to worry about that.
A: Okay, cool. Thank you all, that was an awesome meeting. We need to make our next one even better. Okay, I'll stop the recording and I'll post the meeting notes and the recording tomorrow. Okay, see you all.