From YouTube: Vulnerability Disclosures WG (October 4, 2021)
A: This is a follow-up to a conversation we had a little over a month ago, where they came and introduced kind of just an overview of the program. They're here today to return to talk about some more specifics, some technical details about some of the things that are being implemented, and then talk about how we might be able to move forward. So I'll turn it over to the CVE team, and take it away, friends.
B: You can, right? Okay, so it feels like we're right at... before, after, it seems like. There are a lot of us CVE people here today. And railro, hi; rora, hello. Okay, so I'm Katie Noble. I am director of product security at Intel Corporation, run the bug bounty program, also a CVE board member. I have several other folks from the CVE program. So Chandan is here, he's also a CVE board member, Jonathan, and then it looks like Joe is also here.

B: So we kind of wanted to just kind of come back and chat with you guys. And I think we're recording, right? Perfect, perfect. So we'll go through and do a couple quick things, real quick. So a quick refresh on what we talked about last time. That will not take very long, and then I just want to pop up what the CVE entries kind of look like, just real quick.

B: So we can go over that, and then I'm going to hand off to Chandan and we're going to go through a couple other mind map and some other sort of fun technical details, that hopefully we'll be able to dive into some of these different parts of the CVE program.

B: Sound like a plan? Perfect. Okay, so really quickly, just as a refresh, what the CVE program is in a nutshell: the CVE program is a publicly available free service that enables stakeholders to have a common language. It is a dictionary. All it does is identify, define and catalog publicly disclosed vulnerabilities, not vulnerabilities that are not known: publicly disclosed vulnerabilities.
B
We
on
the
cve
board.
This
comes
from
us
not
from
anybody
else.
Call
ourselves
the
community
park
coo
bag
analogy.
We
are
the
providers
of
the
infrastructure,
we
provide
you,
the
bag,
we
make
sure
the
bag
is,
or
the
distribution
machine
is
always
stocked
with
the
bags.
What
we
do
not
do
is
follow
around
people
up,
follow
around
people
and
clean
up
after
their
puppies.
B
Unfortunately,
we
don't
have
the
bandwidth
to
do
that,
and
so
we
try
to
make
sure
that
the
infrastructure
is
available
so
that
everyone
has
the
opportunity
to
utilize
those
services
that
are
provided.
We
talk
about
how
the
vulnerability
or
the
cve
program
is
free.
Now
what
the
cve
program
is
not
it.
We
call
we
say
it's
free,
but
that
does
not
mean
it's
free.
It
is
funded
by
actually
by
a
department
of
homeland
security.
B
There
is
a
lot
of
work
that
goes
in
to
the
program
and
the
majority
of
it
falls
on
these
groups
called
the
cve
numbering
authorities
cnas.
So
those
are
individual
companies
and
entities
that
create
cve
entries,
and
so
I
always
like
to
make
sure
that
it's
very
well
understood
that
this
is
a
community-based
program.
There
are
cnas
all
over
the
world
we're
in
over
30
countries.
I
think
last
I
checked
we
had
181
cnas.
That
is
not
nearly
enough.
B
B: We know that that's not nearly enough, and we are always actively recruiting to get more CNAs, so we can have more coverage faster and more wide, widely associated, I guess, or widely covered. We are not the great CVE overlord. I wish that I had the omnipresence to be in everyone's living room and everyone's computer all the time and know about all vulnerabilities, but sadly I am not. Goals for another life, maybe in the multiverse. And I also want to kind of just hit out really quickly.

B: There are some norms that have developed over the last 20 years or so. CVE programs started in 1999, and so because of that there have been several norms that have developed throughout the years, the biggest one being that the CVE program is a demand for a patch.

B: The CVE program is not a demand for a patch. There is no responsibility that is tied to patching an entry. If an entry is identified, it exists on its own, and what happens after? That is not the CVE program's problem. The CVE program is not a severity system. That is often conflated with the CVSS program, which is run by NIST through the National Vulnerability Database.

B: So the CVE program does not associate severity. Now there are some tricky bits there, because when a CVE entry is created, often the CVSS or the severity score is input into the JSON when the vulnerability entry is created. That is there as a flow-through, because the NVD program automatically ingests all the CVE data and then establishes that additional enriching information. So I like to see it as the difference between NVD and CVE.
B: Is that CVE is the dictionary, right? It just defines the vulnerability, whereas NVD is the encyclopedia. It gives you more enriched information. That is where you see CPE. That is where you see SWID. That is where you see CVSS. CVSS has absolutely no connection to the CVE program. So just to kind of get at those things, these are some norms. They exist.

B: Oh, my goodness, I feel very out of breath. Okay, so the CVE record itself. We didn't talk about this; this is new. The last time we talked, we kind of talked about those other slides. So this is new information here. So the CVE ID, and I'll pull up what a CVE ID actually looks like in a second, but there are a couple of required elements of the CVE ID.

B: The identifier itself is the unique number. The description is what describes the vulnerability, their vulnerability, and then the reference is the public URL that goes back and provides that additional information. These are the mandatory elements of a CVE. Beyond this, when you actually pull it up, they actually look like this. This is the new format of the website, right: description, state, problem (what kind of vulnerability it is), who is the vendor and the affected products, and then the references.

B: Okay, so I have talked a lot and I've said a lot in six minutes, and I hope that I didn't go too quickly over it, but I do want to make sure that we have lots of time to talk more in depth about Vulnogram and talk more about some of the mind mapping stuff. And so at this point, I'd love to hand it over to Chandan. Chandan, are you ready?
C: So I have nothing but deep respect for what this group is trying to achieve, and wish you all the good luck and success. So the CVE program, when it comes to vulnerabilities, the CVE program is in a unique position in the sense that you're getting first-hand information about vulnerabilities directly from the source, from the vendors themselves or from the researchers who have spent time on researching vulnerabilities. And so what the CVE program in the last few years has been working on is an infrastructure to make it easier for those participants to get an ID, populate an ID, publish an ID without involving a human element on the MITRE side.

C: And so what you're seeing is, for example, so this is a GUI that makes use of the new API, the REST API that the CVE program has put forward. So, for example, how easy it is to get an ID: you get your credentials, and those credentials have been entered, so I've already logged in, and then I say click reserve a new ID, and I get a new ID, and then I can go.

C: We kind of pick an ID and say I want to type, you know, fill in the details about the ID, and then I can save it, and then it goes to the CVE database.

C: And so while we are collecting, so as an entry, a CVE entry or record has some minimum set of information that people need to put in, to prove that it's a vulnerability. But because we are in the unique position of capturing this detail firsthand, we can also put in additional details if the participants are willing to provide, and many have expressed interest in that; they have been providing that information.

C: Things like what kind of CWE is associated with the vulnerability, or what is the impact of the vulnerability when it's exploited. We can also provide more details about, like, the GPS coordinates of where exactly the vulnerability is. You know, what open source component, product, source code repo, what packaging system?
C: What is the package name in the packaging system? Even what is the source code file that has the vulnerability, right? And even more detail, even high resolution: you can go say this file and this program or this function has this vulnerability, and then you can associate what versions or range of versions are affected by the vulnerability, or are not affected by the vulnerability. You can also make statements about non-applicability to certain versions, things where the versions are fixed or the vulnerability just didn't exist. And all this is in JSON format.

C: Yeah, most of these are optional, and the ones that are required are, like, you know, the only few. Okay, and so, if you want to, like, maybe I'll paste some links and see if you want to explore on your own.

C: And so the JSON data structure itself, we've kind of gone through revised dates. We had something running on an experimental basis, like, currently, and going forward in November we'll start accepting entries in a new, improved data format which we're calling JSON version 5 for the CVE schema. A lot of it's just, you know, headers in the packet, but the actual payload is in something called a CNA container, where a CNA would provide descriptions for the vulnerability, provide all the affected data about where exactly the problem is, provide something about the problem type and links and so on. So you can explore the mind map to figure out how the data structure is for the CVE record, kind of going forward.

C: That's essentially what I wanted to show, and if people are interested to dive into any of the sections, I can go into detail. Something that we have new is that this whole new section related to how we encode open source components and products, and point out where the vulnerability is exactly, the GPS coordinates of where the problem is. So the intent is anybody who's consuming this can identify whether something's affected by a vulnerability or not, and so far, all so.
D: I guess, so you know you mentioned JSON version five. If we wanted to see things added to that schema, would adding an issue to the CVE project Automation Working Group be the right place?

C: The CVE QWG, Quality Working Group, the git repo where I showed about the schema at the first link, is where the...

C: Yeah, thank you. And again, so because the new services are coming up in November, there's a program roadmap on when this service is coming up. We kind of finalized the format and we're calling it 5.0. We'll go through an iterative process when we want to add new data elements to it; we'll go through our iterative process and maybe call it five one, five two, five three and so on, until we get something like a backward incompatible change, and then we'll call it version six, right?

C: But this is at the moment; we went through a lot of iteration, a lot of debate on how we encode information in the record, and we are like...
E: Not so much that's coming out, and you know, go back field by field, but from a programmatic perspective, the fact that we're, you know, looking to have other entities contribute to CVE records in the context of authorized data publishers, and if they have their own space in the schema to publish information. I don't know if you want to talk. I mean, it's not going to come out in November, but this is a big plan, a broad plan for the program. You want to talk about that a little bit? Yeah.
C: Exactly. I think one stand that the CVE program has taken all along is that when there are disputed vulnerabilities, it is to capture both the opinions and say it's disputed, or try to capture both perspectives on what a vulnerability is or is not, and the same is kind of reflected in this JSON schema. So a vendor can come and say, hey, I have this vulnerability and maybe it's not, you know, not a big deal, but somebody else may come back and say, hey, no! No.

C: So they have the same data structure, similar to what the CNA who assigns the CVE ID has, and they can provide a different opinion, or even, most probably the most simple use cases, provide complementary information, provide information that enriches it. Things like translation to other languages, CVSS scores, CPE entries. You know, you can provide those independent of the information that has been provided by the vendor who assigned the CVE.

C: And so this is like, we are starting it as a pilot, and the first part is, the first experiment in the pilot is through what CERT/CC has been doing through SSVC, where they try to prioritize vulnerabilities through what's called the SSVC score. And so we're planning to have them contribute back to the CVE program through authorized data publisher entries, but going forward...

C: This could be expanded to include a vendor making a statement about how a particular open source vulnerability affects their products, and in which way, you know, which versions of the commercial product are affected.

C: And so I did get, like, there was a question last time where somebody issued a CVE. Another person had a different opinion on the thing, because they thought that CVE did not deserve a CVE; it's not a vulnerability.

C: The program's stand is they would not make a judgment call on what is a vulnerability or not, unless there's clear evidence to contradict it, and so the way to capture it is through an ADP container that you can tag as disputed. You can say something's disputed, and that vulnerability could be marked disputed.
A: How does someone become an ADP, or how is that vetted? Can any provider provide that information to you?

C: So we are currently running it as a pilot with CERT/CC being an ADP providing SSVC scores, but going forward, I think they will have to participate in the program, become a participant. We need to set up rules of the road and how does somebody contribute things here. You don't want to open it for spamming.
C: Any other thing, anything to do, go deeper into the data structure? I know folks were a lot more interested in how do you map CVEs to open source packages and so on.

C: It's meant to help, again, meant to help the open source ecosystem figure out where the vulnerabilities are, especially since my day job: if I'm scanning software for open source vulnerabilities, like 3000 vulnerabilities that may show up, I'm not going to be reading them one by one to figure out what to do with it. I need automation.
A: How would you track if a project's using, like, a commit ID instead of a version? Is there a way here to show that?

C: Yeah, so you can actually, you point out and say, you know, this is the commit that introduced the problem, and this is a commit that fixed the problem, and just track it at the commit range, and say version type is git. And given that, you can then query your git repo, version control system, to actually figure out if any branch or part of the code is affected or not affected, much more accurate. It's like getting this information in 4K resolution versus what we had at, like, standard definition for 20 years.

C: Again, a lot of that work is, thank, you know, we thank Russ for doing a lot of research and spending a lot of energy into figuring out the data structure to keep it simple, because random software developers are entering this information.

C: We want to make it easier for people to provide these records, but also provide it in a way that's accurate and non-confusing.
A: I work with a sister working group; it's the Developer Best Practices Working Group. Do you have any kind of training materials or videos that that group potentially could reference, as we're going out advocating to developers and kind of demystifying CVE, that we could provide as links to our stakeholders?

C: A lot of this is in training, I mean a lot of things about this format and training. We are developing material, training materials, slides and documentation, but then a lot of it is through learning by experience. So when more vendors start using the format to provide their assignments, you can take a look, copy and replicate the effort.

E: Well, Chandan, there's also a boatload of podcast references as well as recorded training material that's available on YouTube, right, that we can provide you. Okay, okay.

A: I'm less worried about those of us that are representing vendors, like a vendor product security team. Kind of our mandate here in the foundation is focused on small to medium projects that might not have a security team, so trying to help, show them resources and give them access to training and videos. That'd be really helpful, right.
C: Again, the REST API will be available. There is a test instance of the REST API that's available. I believe, Chris, are you going to talk about that?

C: Yes, some of the API endpoints require credentials, but there are some that just get the record; you don't need credentials to just get a CVE record that's entered there. What you'll have on the test is all example information, but starting November, I believe we should be going live with the project, so you can play with the REST API for when that goes live.

B: Yeah, we're expecting to build some training to help people kind of get their feet under them. Some of the tools are a little bit new, so we're working on some of that as well. And I think, Chris, we're going to turn it over to you.
E: A couple folks here, we're going to chat a little bit about what we want to go to next, guys, is talk a little bit about... We've talked about the format of the data and how that's going to be, you know, heavily enriched compared to what it is today. We talked about ADPs getting more entities involved, not just CNAs, and how the data format allows for that. So what we're going to talk a little bit about now is kind of the architecture that we're pursuing. You heard Chandan talk about an API; you turn and talk about...

E: Yes, okay, right, so this is a picture of our target architecture, and so I've got two people here that, you know, we're going to chat a little bit about kind of what this architecture looks like. We're going to focus heavily in on this space right here.
E
What
china
just
spoke
about
it,
as
as,
as
you
mentioned,
we
have
an
api,
that's
this
right
here,
all
right
and
what
he
demonstrated
for
you
as
a
client,
a
vologram
which
is
a
client
that
he
built
as
a
member
of
the
community
built
and
is
available
for
everybody
to
use.
We've
also
got
martin
perfect
here
who
is
you
talked
about?
You
know
very
simple
types
of
interviews
he's
got
a
command
line
interface
that
he's
a
member
of
these
red
hat,
a
member
of
the
cna
community.
E
That
they've
also
built
a
a
a
little
client
to
be
used
out
here
in
this
space.
So
here's
our
user
space
and
we
have
many
different
flavors
of
uses.
We've
talked
about
cnas
right
here
and
that's
a
that's
kind
of
the
perspective
that
most
of
us
speak
from,
but
they're
also
general
users
and
researchers
that
integrate
with
the
program.
E
Now
we're
not
going
to
talk
a
lot
about
this
web
interface
today,
but
the
reality
is
is
that
researchers
today
can
implement
information
and
submit
requests
for
cve
records
through
the
through
the
minor
web
form,
and
that's
going
to
continue
to
be
the
case.
We're
going
to
talk
a
little
bit
about
more.
Is
this
piece
right
here?
This
is
the
this
is
where
the
new
services
are.
This
is
where
what
we've
talked
about
is
the
the
cnas
on
on-ramp
to
the
cbe
superhighway.
E
If
you
will,
the
idea
here
is
is
for
everything
to
be
automated
right.
This
has
been
an
issue
in
the
past.
You
know
where
things
take
a
little
longer
than
they
should
weeks.
You
know
months
to
get
a
cd
id
getting
records
up
this.
E
This
architecture
is
indeed
a
response
to
that
right
and
it's
a
an
architecture
that
we're
trying
to
it
has
been
built
to
scale
across
the
world
to
not
just
180
cnas
but
thousands
of
cnas,
and
so
that's
what
we're
trying
trying
to
build
to
and
I've
got
the
lead
developer.
Here.
E: That's going to talk a little bit about this piece right here, just to give a characterization of what the types of services are that we're offering in this application, and then I'm going to turn it over quickly to Martin Prpič, just to talk a little bit about that additional command line library. You saw Chandan's, but the idea is that there's more than one possibility. If you're talking about a client out here, it can be...

E: Anybody can build their own client to interface with the REST API, right, and the idea is that the community and the program's going to support a couple. Members of the community have built their own, but the idea is everybody can use what's been built. Okay. So, to get to your point earlier, if you're a small CNA or you're a small entity and you don't have the resources to build your own, the idea is you can just adopt one and put it in your own infrastructure.

E: It doesn't have to be a big server. It can be just a little command line interface that individuals can use, right. And so we have a couple of examples that, as I said, Martin Prpič is going to talk a little bit about. If we have time, Matt, if you're out there, if you'd like to go ahead and give your quick overview of kind of where we are with these pieces here with CVE services, our REST API, and what we have planned.
F: All right, yeah, so hi everyone, I'm Matt Bianchi, and like Chris said, basically anything that ends up in the CVE services repository I've had some kind of hand in it. But the goal being that we are making an API that is just a base layer of automation so that the community can operate the way it needs, right, because we have a lot of CNAs and that's a lot of organizations.

F: So you know we're trying just to be that base layer, so everyone can integrate with us. The code is open source on GitHub, and you know all you need to do is work through the program to get a credential, which essentially is just an API key, and from there you can interact with a few of the resources that we have.

F: So if you see in the box there, we kind of have given some smaller names to parts of the API; they're just centered around kind of our main key resources, right. So you have to be able to get IDs. So we have the ID reservation service, and so you're able to reserve some IDs. In the future you'll be able to reject them as well, in order to, you know, some edge cases where maybe you've gotten too many IDs and you don't need that many for that year, and you reject them so you can move on.

F: You know, you've been in the program for 10 years, you've got an old ID that you're not going to use anymore. Moving on from that is, you know, RSUS or the record service, and really we've started now, finally, getting to the point where we just call this the CVE services API. But that, of course, is centered around our records, so we were able to actually release internally the record service that was working in the CVE 4.0.

F: Now we're moving on to upgrading all that data and accepting 5.0 format. But right now we are integrated with our internal system, so we actually secretly have the record service getting updated every time a CVE record gets published. So now we just flip it to 5.0, and we actually have the test instance up.
F: Excuse me, with 5.0, so we're working out all the rough edges of that, with the fact that we've had a flexible data format, so we find little edge cases, those types of things. And then what we call the user registry, just being able to create more accounts for different people in your organization. We introduced an org admin model, or role, so you can, you know, administer your own accounts, and you know for security reasons you get to, you know, decide: you could use that account to reset everybody's secrets.

F: You know, if you want, so everybody gets new secrets every 30 days or whatever, you can do that inside of your own organization. So that's really about it, and we've got documentation in various forms, and we're working on getting better about that. I know you mentioned videos and training. So of course we've started out where I wrote wiki pages, you know, on GitHub.

F: That would give out, like, little curl examples and examples of results, but we always made sure to have an OpenAPI YAML file in the repository so that people could consume that, and we've tried to make sure to keep it as up-to-date as we can. Now we're finally making the next step of hosting live documentation with the REST API using, you know, Swagger tools that parse the OpenAPI YAML, give us an HTML website where you can click through, and you can look at the links, and we're...

F: Let's see, what else. Yeah, that's our goal really, is just to be platonic, right; we're just a REST API, we're giving you access to resources so that you can run your organization the way you want to and not have to go through MITRE or a human interface.
E: If you see this picture out here, this whole federation, and we see lots of, we hope to see lots of root CNAs and CNAs as being part of the community, and the idea is moving into this federated environment. And I guess that organizational admin function that we're going to export to allow, if you're participating and you're a CNA or a root CNA, to actually manage your own user pool in an appropriate way. You're still held accountable to that user pool; there's still accountability.

E: You know, in the context of your own CNA, but to actually have those administrators from those organizations, not at MITRE but in a CNA, handling their own records, handling their own users, so they can contribute in a very positive way to the overall effort.

E: So I think that's an important strategic note, as we think about, you know, how that strategy has driven down to this architecture. Okay, and so you'll see, and that whole user registry piece is kind of the same thing here, where we can actually have user registry notions of people all over the world that could actually have things connected in with the website and website services that we can offer the CNAs to help them do their jobs easier, faster and more efficient.

E: So we got a lot planned, and then especially in that user registry space. That's why it's a little darker here, because that really hasn't been designed or implemented. This stuff right here, and I think Chandan had mentioned a little bit of it, this stuff, we've already got the CVE ID reservation system already deployed.
E: The members of the community are using that, so you can get a CVE ID without waiting, without, you know, if you use this API, in a matter of seconds, as Chandan showed; his Vulnogram was indeed using this particular part of the interface. In the context of the record submission and upload service, that's going to be deployed, as Chandan said; current plan is to deploy that in November, and that's the big kahuna, that's what everybody's been waiting for.

E: It's not just to get a CVE ID reserved, but also to upload a CVE record into the repository, and we're going to be using that new JSON 5.0 format. So that's going to be a big deployment in November that we're looking forward to. I'm going to turn it over just for a few moments, because I know we are getting... we only have a few minutes left.

E: First, are there any questions? And I'm going to ask Jonathan to kind of match on, but Martin Prpič from Red Hat, just to spend a few minutes talking about, you know, the real simple API, I mean real... several clients they've created for members of the public, not just the community, members of the public, to use to integrate with CVE services. Any questions? I'll stop sharing too, in case you want to share, Martin. Okay, are you right there, Martin?
G: All right, I guess I'll just make this really quick. So we, as a member of the AWG, had a need to implement another client that would be more command line based and terminal based. So I pasted a link to it in the chat, and it's basically a Python library that contains an interface to the REST API, as well as a command line client, which could be used as a complement to the excellent Vulnogram.

G: So if a CNA is out there implementing their own automation to push and reserve CVE IDs, they can use the Python library to do that. I can also imagine that other implementations of a similar client could exist in Go, JavaScript or whatever other language.

E: Do you want to show a demo real quick, Martin? Are you done?

E: Because I think one thing that's interesting about this is, you know, obviously there's a big difference between a full GUI interface, where you're adopting a big application, and a real simple, you know, I got to do this real quick. So kind of two different ends of the spectrum of applications that the community would have available, right. So.
G
Yes,
all
right,
excellent,
all
right,
so
the
main
command,
the
cve.
If
you
run
it,
you
get
the
help
you
get
a
bunch
of
sub
commands.
So
right
now
this
this
cli
client
supports
the
cv,
id
reservation
and
cve
user
registry.
G
G
This
is
this
is
running
against
against
a
locally
deployed
cv
services
app.
So
no
real
changes
here,
but
yeah,
that's
that's
mostly
it.
I
guess
you
can
filter
on
your
cv,
reservations
based
on
their
state
when
they
were
reserved
who
reserved
them
their
state,
so
yeah
so
far,
pretty
basic
stuff.
It's
going
to
be
a
bit
more
extensive
with
the
support
for
updating,
cve
records
and
submitting
them
so
yeah.
If
any
of
you
are
interested
in
contributing
we'd
love
commits
and
patches.
C
Yes,
yes,
yep
they're,
open
source
components,
so
you
can
take
them.
It's
very
easily.
Modifiable
open
source
license
right.
E: And to that point, it's also the case that the CVE services themselves are open source, right, and so, even though... they give a pitch for the AWG. The oversight entity or working group that, you know, is kind of overseeing the development of the CVE services is actually not MITRE, but it's really the community, through all the requirements drawn from the Automation Working Group. I think that, you know, we mentioned a few minutes ago, anybody can participate in that working group.

E: You don't have to be a member of the community, right, and so, and that information also lives, and you can put issues and identify issues on... I don't know if you can do pull requests, but you can do issues for sure on the GitHub repository. If you're using it from a public perspective and the public interface doesn't work, and you have a comment about it, you can post that on GitHub as well.
A: But what we'll do is I will figure out how to get this video uploaded and shared with the membership, and as we have additional feedback I'd love to reach back out to the program. I will encourage all of our members, anyone that views this, to go out to the projects we'll have in the notes and, you know, make comments and suggestions, where this is only going to get better through everybody's contributions.

F: Yeah, absolutely, I agree with that, because you know we do have developer staff, but you know we do have our limitations, and we've had some significant contribution with the community.

F: You know, if it's Martin's API or Chandan's Vulnogram tool, along with, you know, considerable hours on the CVE record data format. So yeah, it's been very beneficial.