From YouTube: Vulnerability Disclosures WG (January 11, 2021)
A: Okay, victory, okay, hello. So this is the Open Source Security Foundation Vulnerability Disclosures Working Group meeting on January 11th, first meeting of 2021. So let me share my screen. Hide the trails of me trying to actually log in and ensure the meeting is being recorded. That's us. Is there anyone that's new, that hasn't been here before, and we would like to meet and greet? It doesn't sound like it. Alrighty. So we have two topics on the agenda today.

A: One of them was, Jason was supposed to kick-start the discussion of the so-called second scenario of the deck that he was presenting the last time, and does it seem like we have Jason around? So I don't want to, like, steal his thunder here. I suppose he was... he might have been the victim of the Zoom calendaring issues.

A: Do you folks feel you want to discuss this issue without Jason, or shall we, like, postpone this to our next meeting? If I remember correctly, in that slide deck we had a scenario where we essentially had a library. We had a developer, researcher, and then we had an application that was consuming that library, and the second scenario was different in that the library was actually shipped not in an application that an end user consumes, but it was shipped as a part of an operating system or a platform, and as far as I recall, we haven't explored that use case at all.

A: Yeah so, like, my personal feeling is that we should wait for Jason and let him kind of, like, flesh out that scenario. Do you all agree we would do that?

A: I agree, and the second issue I wanted to chat about, that kind of got some attention and some thumbs up from some of you, was the white paper. Some time ago we sort of started discussing, you know, the personas, the pain points that those personas have in open source vulnerability disclosures, but then it wasn't quite sure what kind of deliverables we could work on to address.
A: Some of those pain points... and I had this thought that even the stuff that we discussed in the working group meetings in and of itself contained, like, a lot of useful information that, even if the participants of this working group were not obvious, and are definitely not easy to find, and definitely not in a single place.

A: So that kind of gave me this idea that maybe before proceeding to, you know, working on tools or data formats and stuff like that, I think, things that we have discussed before, maybe there would be a lot of value coming from, you know, just documenting stuff that we have either talked about or stuff that we have identified as our problems.

A: Somewhere, it's like this. I treat this white paper idea as a seed, and what I wanted to do is more to turn the discussion in the direction of: let's just document what we collectively know, in whatever you guys think is, like, the most suitable format. Like, I can easily see how this might turn into, like, a short book, but yeah, if there are other kinds of formats that would fill the same objective, I'm totally open to that.

D: Split it almost into a generic one for maintainers of projects, you know, like, because I think that's probably the one that we're diving into first. So, like, maybe doing a white paper there, because we can definitely talk more intelligently to them, like, "hey, you're a new maintainer, did you know about this? Did you know about this?" and that's more of a story, and that can go in a white paper, but for a lot of the other personas, at this point we don't have as cohesive of a story.

A: Okay, and this cohesive story for maintainers, what could we do, assuming we could get some help from, you know, the OpenSSF, or...

D: I do think a PDF white paper would totally work for them, where we could just tell them: "hey, you're a maintainer. How about you read this and we tell you a little story about how a vulnerability should flow from a security researcher through you to potentially, you know, being released and communicated," and then, like, at the end of the white paper, here's a whole bunch of resources you can read for how to accomplish that.

A: Yeah, okay, that seems like something we could put together in, on our scale, like, a relatively short time, and then a follow-up to that would be, yeah, like a knowledge base or an FAQ of, yeah, like, you know, specific pain points and solutions, resources and stuff like that.
B: And you note that we absolutely can take that output and feed it over to the Best Practices Working Group and make it part of our literature there. We're going to be doing some educational training, so that if we have a, you know, a solid enough artifact, that's something we can help advertise and kind of cross-pollinate between the groups. Yeah, and developers: if you're looking to do secure coding, here's an aspect of it, and you sh... some resources you need to be aware of.

A: Yeah, I think we even, a few meetings back, Dan was looking for help of this kind for one of the open source projects that was, so they're trying to level up. Do you know, like, who, because I think someone reached out to them and chatted to them. Do you know who that was?

B: We did. We had some folks on my team talk with the project. Turned out really well from our perspective, at least; it was a good chat.

A: Yeah, okay, okay, okay. I'm kind of not trying to, like, find too much work for us, but I can totally see how that might have, like... essentially the same content might be presented in a number of different formats. So, you know, maybe like a PDF white paper, but also maybe like something more interactive, like an online course, could also work, or a, you know, a presentation definitely could be, like, a companion to that.

A: So of all of you, like, who would like to participate?

A: Okay, all right, so I, like, my gut feeling, and, like, please correct me if I'm wrong or talk me out of it, but I think something that's fairly self-contained could be, like, a deliverable of this working group, but we don't have to work on it within the working group repository. I would actually, like, prefer to spin up a separate repository that would contain the content and where we could track work and, you know, split it between ourselves.

A: I myself, I'm not sure, like, how much I would be able to contribute as far as the content goes, but I would definitely like to help to sort of coordinate things and, you know, reach out to the OpenSSF Technical Advisory Committee to kind of check what kind of resources we could get from them.

A: I think I saw Dan here on the call, so Dan, you mentioned that we could potentially get some help with, you know, like, graphic design and maybe marketing a little bit when we have the thing ready.
C: Yeah, so some budget stuff might be coming through soon. We have a meeting later today to discuss that stuff, but if you could write a sentence or two explaining the type of, you know, help you're looking for here. Maybe you just said it there: graphic design and marketing. That's enough! I can take that on and just see what the logistics look like. My understanding is that the Linux Foundation has a bunch of graphic designers and marketing people on staff.

A: Yeah, okay, so I'll reach out to you, either later today or tomorrow, and try to send you something. That's probably going to be very simple to distill from the meeting notes here. Thanks. Cool, so it sounds like we have some sort of project going on, which is pretty cool.

A: Is there anyone who would like to start, like, pursuing that second idea that Nicole had, like, based on the pain points identified, like, start collating together some sort of resources and even think about how we would kind of document them, like, in a...

A: Right, so they're in a bunch of Google Docs.

A: Yeah, so not yet. So what I did: I actually created a PR earlier today with the personas description, but this is just stolen from Jason's presentation, and I think this could be a good point to actually consolidate this with information we have gathered in those four or five Google Docs. So there's still some work to be done here.

D: Because I feel like wherever the personas and pain points are going to end up, that is also where the resource guide should end up, because then you can kind of treat it like a requirements document where the pain points can actually link to a resource and the resources can be broken up by type.

D: So there could be a resource that says, here's all of the existing formats to, you know, accept in vulnerabilities; here's all the, you know, processes that are out there that are for, you know, storing, or, you know, software that is for storing internally, and so if we have them, the pain points could link out to them, and then we could actually make placeholders of "we are unaware of any at this time; if you know of any, let us know." I unfortunately got signed up for two classes by my company in January and February, but if this doesn't get taken by the end of February, I would be happy to do this in March and cross-correlate those.

A: Yeah, I think our track record so far is that this is moving somewhat slowly, so it might be there by the end of February, but I also think that if we focus on this maintainer white paper for now, like, this is something we would sort of either work on in the background, or we would just plain postpone it until after that white paper is released.
A: Cool, so it sounds like in terms of action items we have: I will spin up that other repository, and Chris, if you could get that information from your friend, then we could collaborate there on, like, a table of contents, and I think when we have the table of contents, we can split the work among ourselves, so, like, work on individual sections, and when we have that we can sort of enter more of an editorial, then polish, mode.

A: Yeah, sounds like that's, like... I'm Polish, so I might not naturally sound excited, but this is as excited as they get. So that's very, that's very exciting. We're actually, we're on to something.

D: I will be very excited when that's done, because the project I work on on the side, we've been trying to get manufacturers to implement vulnerability disclosure programs, and I guess I can link to the page that we put together describing for people how to do that. Except I will remind you, I work for the Internet of Dongs, so decide whether you're going to view this on your work computers or not, but you'll see that, you know, we tried to explain to vendors, like, here's how you should have a security.txt.

B: Yeah, in another life I work with a group called FIRST; it's the Forum of Incident Response and Security Teams. So I run the Third Party Component Management Working Group there, so again, any materials that we produce here I can help cite as examples of good practice in that group, and that speaks to more of the technology industry, so that, you know, Nicole describes her problem with her manufacturers.

F: Cool, sounds like this is, yeah, super exciting. Yeah, just to jump in: hello, Casey. First time caller, long time listener. It's 3 am here, so forgive me for not chiming in as you guys have gone along. I've been kind of spinning up on what we're working on, but what I've just heard at the back here, that sounds really cool, like, the need for that is so real. So this is a pretty exciting project.

A: Oh, thanks for jumping in, like, three a.m. is quite... I'll sound tired, but I'm still pumped to be here. So this is very cool. Alrighty. So I have, sorry for not noticing you at the very beginning. So maybe you, like, you'll take that opportunity; you might introduce yourself to the group.
F: Yeah, sure. So, yeah, hello, my name's Casey Ellis. I am the founder of Bugcrowd, so I've been, you know, monkeying about, I mean, been a hacker and messing about with computers my entire life, but got into the kind of entrepreneur, startup thing to really, you know, do some of the stuff that we're talking about here.

F: It's like, if there's this huge problem that we've got with people needing help securing their stuff and understanding what needs to happen, and then over here you've got this, you know, enormous group of people that really want to help but haven't really ever gotten an invite, that seems like a dumb problem to have. So how do we plug it in together? That was really the catalyst for starting Bugcrowd.

F: So I've been doing that for eight and a bit years, nine years, something along those lines. Also started a project called disclose.io, which is really kind of open source standardization of vulnerability disclosure policy, doing it in a way that balances, you know, ease of reading for non-legal and especially English-as-a-second-language audiences, but then also making it as legally complete and bilaterally safe as possible for both sides of the aisle, and yeah, that's been going on in various forms.

F: It's kind of, you know, Bugcrowd started a piece back in 2014, I think it was, 2016, somewhere in there, between us, the collaboration between us and CipherLaw out of DC that went along for a period of time. Then we basically hitched up with Amit Elazari and some of the work that was going on in Dropbox and other places at the time, and that kind of merged into disclose.io. So that's kind of a side gig.

F: You know, it's obviously very closely related to Bugcrowd, but it's a standalone open source policy project that's probably good for you all to at least be aware of, because it kind of slipstreams into a lot of what we're talking about here, and I'll pause there.

A: And so, like, you caught my interest there, so how, are there any open source projects that depend on it, or is it, like, an open source policy that's mostly...
F: It's mostly adopted by organizations. Like, the idea is that, you know, most legal teams and companies haven't really contemplated how to do this before, and lawyers, you know, when they're uncertain they tend to write War and Peace, which, you know, the people doing the hacking subsequently refuse to read or just skip over, and then you end up with a whole bunch of legal risk around the whole thing.

F: So we wanted to kind of, you know, unfuck that problem, basically, and the other thing that we observed was there was a lot of basically copy-pasta boilerplating on these little templates going on anyway. So it's like, all right, how do we kind of corral some of that stuff in together, create something that, you know, just becomes an authoritative source that people can use? It doesn't have any kind of, you know, commercial interest attached to it, so it's not written in a certain way to support, you know, the needs of a particular platform or a particular entity. It just needs to be available, and really, like, the goal of the project is to make, you know, the friction around adopting vulnerability disclosure, particularly on the legal side, as low as possible, and even to start to make it actually kind of attractive to an organization. So the other thing that we're doing is really reinforcing best practice, like this whole idea of legal safe harbor, and making sure that there's, you know, clauses like authorization against, you know, the threat of something like CFAA; you know, exemption for any kind of circumvention laws that would kick in or potentially be in play; you know, exempted from the terms of service, all those different things.

F: That's, if you've got that, then you're really thinking this stuff through and you're actually kind of a little bit higher up the rung from a maturity and a sophistication standpoint. We're in the process of actually adding to that, you know, if you've got a proactive coordinated vulnerability disclosure timeline. So the, like, the difference between, I think, the platform kind of thing that kicked off, you know, eight years ago kind of introduced... It kind of munged up, I think, to some degree, the definition of coordinated disclosure, because there's this idea of, well, you know, if we don't want to, we'll just say no, and different things like that. So, you know, there's a maturity step up if the organization says, all right, if we don't get back to you in 90 days or 120 days, you can just go ahead and report, and we're actually putting ourselves on the hook to fix this stuff. That's another level up. So that's, it's, I'll...
F: It's a boogeyman in the closet with the whole thing. Like, it's not the only thing to consider, but when you think about, you know, the failure modes of disclosure, they generally cross over into the legal team's territory fairly quickly when it goes that way, so that was part of the logic. It's like, how do we... It's like, for me, vulnerability disclosure, you know, between now and the heat death of the universe, is just going to be the way that the internet works, and I think we're kind of heading fairly rapidly in that direction at the moment. So, from my perspective, the question is: how do we accelerate that? But how do we also try to, you know, keep it on its rails, because there are still quite a lot of things that could go wrong.

A: Yeah, definitely. So what I'm thinking, like, I don't want to abuse the 3am on your side, but I think, yeah, at some point it would be great to use this forum here in this working group to kind of chat about, like, the legal as well, especially that, like, I have absolutely zero knowledge myself on how to apply this to, say, like, an open source project that's run by volunteers, because, like, for open source projects that are backed by tech companies, like, I can totally see how that works. However, for, it's, like, you know, just a developer publishing their open source project, it's like, hell knows. So, like, that's... I would be super interested to explore at some point.
F: Most definitely, and I think the thing that comes in here, you know, that I already heard a fair bit, like the idea of third-party vendor coordination and kind of downstream. It gets weird, like, very, very quickly, which is, you know, another part of the drive towards simplicity in the initial language. Like, if you can make it, like, kind of go with the whole, like, simplest, strong philosophy as your foundational boilerplate, then you can add things to it as it gets more complicated, from when you need that. So, yeah, I mean, it's been...

F: It's been really interesting because, you know, CISA pointed at it as a part of their election administrator advice handbook that they released back in July; a bunch of the voting machine vendors, we went hammer and tongs on trying to get this stuff, you know, trying to build awareness around this, around election security, because we knew that, you know, the kind of information warfare and cyber security thing would probably clash, which sure enough they did, and, you know, vuln disclosure as a way to say, hey, look, here's the thing that we did to reduce the risk and actually increase the transparency of the process. That's something that we've been working on for about, probably, 18 months, and, you know, a bunch of the vendors picked up the language and different things like that.

F: So I wouldn't say it's been, like, heavily adopted in open source as a, like, directed thing. There hasn't been, like, a "hey, let's do this" in that area, but definitely in a bunch of other areas, and I think this is one of those ones where, you know, thinking through some of those use cases and being able to extend the boilerplates into FOSS and into, like, downstream supply chain users of FOSS, that's going to be, that'll be a fun thing to do.

A: Yeah, that actually sounds super interesting. I haven't... This is something I, like, like one of those areas, this is kind of fascinating about this whole vulnerability disclosure, like, I haven't thought about it. Yeah.
F: You experience a lot of the failure modes very quickly, just because of the throughput and the diversity of what's going on. It's not something that's necessarily intuitive when you look at it from the outside in, but when you start doing it at scale, these sorts of things pop up quite quickly, because it's, you know, it's basically uncertainty as a service, right? So you kind of end up fuzzing, like, the different things that could go wrong. Unintended consequences as a service is how I like to frame it sometimes.

E: Going too far off the rails in this direction, but I'd like to just emphasize one thing Casey said, the part about we're going to be living with this forever, more or less, right? So we have tons of software, we have more and more software, we have tons of open source software, right? I forget the "software is going to eat the world" quote, but yes, right, happens through continuing increased complexity, increased supply chain stuff, software and everything. We're going to have bugs in our software; they're going to be security bugs in software.

F: Kind of really looking forward to this being boring, because there was, like, a period of, like, extreme excitement around bounty that, you know, went for a couple of years in there, and, you know, I do recall talking to the team and basically saying, hey, enjoy this, because if we do it right, it's going to end up kind of boring, and that's actually going to be a good thing. Like, that's sort of the state that we want, where this becomes just the way that the internet works.

F: And, you know, we get to play a role in facilitating that.
A: Yeah, and then again, getting back to, like, the theme of open source: it's like the bigger projects and bigger organizations kind of, they have an idea that, you know, disclosure is there, disclosure needs to be done.

A: Some may have an idea how to do this, but I would suspect that the vast, vast majority of the open source maintainers and developers out there have no idea, right? And this is something that I think we have a standing chance of addressing, or at least facilitating, that we can, you know, put the collateral out there and kind of, you know, educate, and maybe work on some tooling to make it a little bit easier.

A: Based on the last couple of months of us sitting here chatting, exchanging experiences, seems like the sort of foundation of awareness is also something that is tremendously important and, like, it sort of percolates very, very slowly in the community.
F: Yeah, no, most definitely. The clarity, you know, clarity of definition is critical. I do think, you know, one of the pieces, I would say that open source maintainers are probably aware of bug bounty, but they probably aren't, like... I wouldn't be as confident that they're aware of vulnerability disclosure. That's like, "oh, I don't need to do a bug bounty program, because, you know, I don't have money, or I don't want to do that, or it's stupid," or whatever.

F: The reason is not to do that; usually, "I'm just too busy as an open source maintainer," but then, if that excludes them from receiving input from the outside world on security stuff just in general, then there's a definition issue that we're tripping over at that point, and I see that everywhere. Like, that's honestly my kind of hill that I'm, you know, quietly dying on in a lot of different areas at the moment, because, you know, bug bounty, I think, served the concept well to get people used to the idea of hackers not all being, like, evil and stuff, and kind of, you know, catalyzing that. It was useful for that.

F: But then it became kind of almost the dominant, you know, introductory concept around the whole thing, like hackers talking to organizations and vice versa. So I think some of this stuff is really useful to say, hey, this is this, this is that; you know, you are probably thinking about that thing that you haven't necessarily considered before, because you were distracted by this thing. Here's how it works, like, go, go have fun. Like, I think...

F: That's, you know, the more authority there can be around a consensus-driven definition, the more powerful it would become, definitely to open source, you know, people that kind of value that to begin with. Does that make...

A: Definitely makes sense, yeah. So thanks for bringing this up. This is, I think this opens up a whole new sort of line of inquiry for, or just things for us to consider. All righty. It looks like in Jason's absence we have exhausted the agenda. Is there anything that you folks want to chat about, something we should have discussed, but...

A: Going once, going twice: okay, so let's get 15 minutes of our lives back, and Casey, he can hopefully go to bed. So we have some action items. I'll get that repo for the, what, with the maintainer white paper going, and the next time we meet in two weeks, we can see what kind of progress we've made already. Okay, I'll stop the recording now.