►
C
B
C
E
C
Well,
as
people
have
time
and
inclination,
thank
you
Francis.
If
you
could
pitch
in
and
take
a
note
here
or
there,
that'd
be
super
helpful,
because
there
are
a
lot
of
people
that
watch
this
call,
either
on
YouTube
or
review
the
notes
after
the
call,
as
is
tradition
in
our
working
groups,
do
we
have
any
new
friends
that
there
are
first
timers
today
that
wanted
to
introduce
themselves
and
say
hello
to
the
group.
B
Hello
to
the
group,
hello,
I'm,
Ola
Johansson
from
Sweden
I've
been
working
a
bit
with
trying
to
figure
out
the
European
cyber
resilience
act
and
how
that
applies
to
development
and
have
looked
into
open,
ssf
and
looked
at
us
a
lot
of
the
videos
with
zero
being
the
Superstar
so
I'm
here
to
listen
in
and
see
what
can
be
done.
Excellent.
Well,
welcome
glad
to
have
you.
F
Yeah
I'll
go
next:
hey
everybody,
I'm
Tracy,
Miranda,
I
work
at
chain
guard,
it's
recently
elected
to
the
open
ssf
governing
board,
so
yeah
just
thrilled
to
get
stuck
in
at
that
level
and
also
start
understanding
what
all
the
working
groups
are
doing
and
what
they
need
and
yeah
just
looking
forward
to
learning
more
about
openvx
as
well.
Today,.
G
H
I
C
All
righty
well,
thank
you.
Welcome
everybody.
If
anyone
has
any
opens,
they
would
like
to
discuss.
Please
add
them
in
the
opens
section
in
the
call
a
couple
business
items
if
you
may
or
may
not
be
aware,
we're
currently
going
through
a
Tac
election
and
we
would
love
to
get
everybody
that
contributes
to
the
open
ssf
to
first
off
be
registered
to
vote
so
that
you
can
express
your
opinion
for
how
we
want
to
lead
the
foundation.
So
that's
that
first
link
anyone
that
shows
up
to
a
working
group.
C
C
If
you
are
interested
in
helping
lead
the
foundation,
we
are
doing
the
election
for
the
tax.
So
it's
a
self-domination
form.
You
click
that
link.
It's
a
little
bit
more
than
30
seconds.
It's
about
two
to
four
minutes
of
work.
You
need
to
have
a
little
bit
of
a
biography
and
kind
of
a
platform
of
you
know
why
you
want
to
do
help
the
open
ssf,
but
those
nominations
are
currently
open
that
will
wrap
up
I,
believe
all
the
registrations
are
done
on
the
12th
and
then.
C
Finally,
if
you
work
within
the
security
Community,
we're
looking
to
have
nominations
for
the
security
Community
individual
representative,
this
is
typically
someone
that
isn't
affiliated
with
some
of
our
governing
board
entities,
but
somebody
that
is
willing
to
represent
the
voice
of
the
community
and
maintainers
and
the
security
community
at
large.
So
that's
another
self-nomination
item.
C
So
please,
if
you
feel
you're
eligible
for
that
nominate
yourself
and
what
procedurally
there
will
be
about
a
week
that
the
voting
we
have
a
voting
board
that
will
kind
of
be
managing
this
they'll
go
through
vet,
all
the
nominations
and
then
actually
send
out
links
to
an
electronic
voting
tool.
I
believe
that's
going
to
be
like
the
week
of
the
20th
and
we
should
have
the
elections
for
both
the
TAC
and
the
individual
representative
completed
by
the
end
of
March.
So
please
express
your
opinion
and
participate.
C
Roger
dodger
in
the
interest
of
helping
us
move
forward
and
be
more
efficient
and
focused
I
am
seeking
a
someone
to
volunteer
from
the
working
group
to
be
our
backlog.
Warden.
The
kind
of
responsibilities
would
be
helping
us
keep
an
eye
on
issues
and
pull
requests,
making
sure
that
they
get
the
attention
of
the
working
group.
Helping
us
put
the
agenda
together
and
if
there's
something
that
you
know
the
group
needs
to
focus
in
on,
they
would
help
draw
our
attention
there
pretty
light
work.
C
All
right
and
our
final
final
business
item
is,
you
may
notice
in
the
agenda.
We
have
a
couple
Sig
or
sub
projects
going
on
like
the
autofix
Sig.
We
also
have
opened
up
our
meetings
to
the
APAC
time
zone,
so
we
had
a
call.
Our
second
call
was
last
week
we
met
with
representatives
from
the
osv
project.
C
Very
excited
they've
been
long
time
participants,
but
because
of
the
time
zone
most
of
those
developers
are
in
Australia.
It
was
challenging
for
them
to
get
a
better
connection
with
the
group,
so
we'll
be
meeting
with
them
on
a
regular
Cadence,
very
excited
about
that.
Anyone
that's
interested
in
participating.
In
that
conversation,
we
always
have
the
slack
Channel
and
mailing
lists,
but
we
will
physically
be
getting
together
at
a
zoom
call
at
a
time
once
a
month.
C
Let's
talk
about
continue
our
conversation
about
open,
Vex
Dan
other
Dan
was
here
about
a
month
ago
kind
of
gave
an
overview
highlights
of
the
project
and
what's
going
on
and
now
Dan
Lawrence
is
here
today
to
continue
the
conversation
with
us
and
kind
of
see.
If
there
are
areas
of
partnership
and
collaboration,
we
can
start
to
work
together
on
this
very
interesting
project.
I,
you
want
to
chat
a
little
more
Dan
and
I
can
open
up
the
questions
and
answers.
D
Sure
yeah
I've
got
a
little
presentation,
I'm
going
to
walk
through
kind
of
a
couple
motivating
examples
of
just
recently
on
why
Vex
is
important
and
why
we
think
openvex
is
going
to
help
out
so
I'm
going
to
start
out.
I
could
do
some
of
this
in
the
terminal,
but
I
screenshotted,
all
of
it
in
case
it
doesn't
work.
D
I'm
going
to
pull
up
screen
share
so
I'll
just
kind
of
walk
through
the
presentation
first,
and
if
we
can
probably
find
more
examples
on
the
fly
like
this
is
one
representative
example
that
I
found
like
last
weekend
in
a
couple
of
minutes,
and
oh
no,
my
zoom,
updated
and
I'm
going
to
have
to
restart
and
come
right
back
in
a
second
I
love
the
security
features
of
OS
X.
It.
C
J
E
E
J
C
D
All
right,
open,
Vex
I,
have
this
fancy
themed
presentation
here:
I'll
be
talking
about
openvx,
so
I'm
gonna
start
with
yvex,
because
that
comes
up
a
lot
and
I'm
going
to
be
walking
through
this
representative
example.
This
is
focusing
on
a
container
image
that
we've
built.
This
is
one
containing
node.js.
We
try
very
hard
at
changer
at
our
company
to
fix
or
triage
or
remediate,
or
do
something
with
all
the
vulnerabilities
that
the
scanners
find
in
all
of
the
images
that
we
ship.
D
D
If
you
look
at
the
output
here
and
that
finds
one
cve
in
our
node.js
image
in
an
npm
package
called
events,
the
interesting
part
is
that
if
you
scan
this
image
regularly,
you'll
know
it
wasn't
there
a
month
or
so
ago,
and
now
it
is
there,
but
it's
kind
of
weird
that
the
cve
is
from
2018..
So
how
did
a
cve
from
2018
appear?
D
Recently
lots
of
CVS
appear
all
the
time,
usually
they're
a
little
bit
more
up
to
date
or
they're,
just
invalid
and
they're
sitting
around
forever,
it's
kind
of
weird
for
one
to
go
from
not
there
to
there
when
nothing
has
changed
and
be
that
old.
It
does
happen,
though,
so
we
usually
click
around
and
go
through
the
nvd
and
figure
out
what's
going
on,
especially
for
something
critical
like
this
one,
so
it
says
it's
in
a
package
called
events.
D
This
is
probably
part
of
node.js
core,
because
that's
all
we
really
install
in
this
image
the
next
step
in
triaging.
Something
like
this
is
to
pull
up
the
CV
itself
in
the
database.
This
is
what
it
looks
like
if
you
search
for
this
exact
cve
in
the
nvd.
You
do
not
have
a
lot
of
information
here.
This
is
basically
all
you
have
to
work
with
about
the
CV
itself.
It's
one
paragraph,
a
vulnerability
classified
is
critical,
was
found
in
events.
Extension
then
there's
a
long
path,
but
it
kind
of
ends.
D
The
strange
part
here,
if
you
read
this
whole
thing
closely,
it
ends
in
a
events.php,
is
the
actual
file,
so
a
little
bit
skeptical
at
this
point.
When
reading
this
it
looks
like
this
is
some
PHP
code.
It's
not
unheard
of
that.
Multiple
languages
are
installed
somewhere
and
you
do
have
to
triage
a
lot
of
this,
but
it
says
it's
SQL
injection,
and
so
this
seems
a
little
strange,
there's
a
patch
there
with
that
commit
and
then
another
vulnerability
identifier,
but
9.8
critical,
that's
about
as
bad
as
it
gets.
D
D
So
it's
a
little
weird
that
it's
in
PHP
when
we're
looking
at
node,
the
node.js
team
does
a
very
good
job
at
security
response
too.
So
something
seems
a
little
bit
off
if
you
click
on
that
patch.
The
next
thing
you
find
is
this:
this
is
the
actual
GitHub
repository
that
cvu
is
reported
in
Tim
Buckingham,
big
tree
hyphen
events.
D
This
gets
a
little
bit
semantic
now,
if
you
spend
much
time
looking
at
the
nvd
there's
some
rules
about
when
the
identifiers
get
issued
and
the
identifier
gets
issued
when
a
vulnerability
was
actually
first
disclosed,
not
when
it
was
entered
into
the
nvd.
So
even
though
somebody
filed
this
one
recently
only
a
couple
weeks
ago,
which
you
can
see
in
the
timestamp,
the
identifier
still
goes
back
to
when
it
was
first
disclosed
in
2018.
In
this
repository
it
looks
like
somebody
patched
a
vulnerability
here
with
just
a
commit.
D
They
didn't
do
much
else
beyond
that.
They
didn't
file
for
a
CV
back
then
because
it
was
only
granted
a
couple
weeks
ago,
so
someone
else
filed
for
a
CV
on
behalf
of
this
project.
Pigtree
hyphen
events,
but
yes,
it
is
in
PHP.
This
has
nothing
to
do
with
node.js.
There
is
no
node.js
package
involved
here.
There's
nothing
in
npm,
there's
nothing
in
node.
In
fact,
looking
at
this,
this
looks
like
a
personal
GitHub
project.
It
has
one
star.
One
person
is
watching
it
there's
one
issue
open.
D
D
D
Well,
not
really,
if
you
zoom
down
to
the
bottom
of
that
nvd
entry
for
this
cve,
you
see
the
CPE,
which
is
the
schema
for
how
they
declare
which
software
packages
are
affected
by
this.
The
scheme
itself
is
on
Wikipedia.
You
can
read
this.
The
first
part
here,
CPE
colon,
2.3,
colon,
a
I.
Don't
ever
remember
what
that
part
means
everything
has
that,
but
events
project
that
part
is
supposed
to
be
the
vendor
for
a
random
personal
project
like
this
on
GitHub.
What
even
is
the
vendor?
D
There
could
be
a
bunch
of
different
things
there
for
an
npm
package,
the
one
that
we're
actually
talking
about
the
events
npm
package,
which
should
be
the
vendor
there
either.
A
lot
of
this
stuff
is
kind
of
up
to
interpretation,
and
so
what
the
scanners
do,
which
is
probably
the
correct
behavior,
is
that
they
fail
open
and
they
fail
safe,
which
means
that
if
they
don't
know
the
actual
correct,
canonical
vendor
ID
for
something,
then
they
put
a
wild
card
there.
D
Basically,
because
it
could
be
anything
they'd,
much
rather
show
you
extra
stuff
than
miss
a
really
important
CV.
The
same
kind
of
thing
comes
up
all
the
time
with
other
packages
like
openssl
or
node.js
itself,
where
there
isn't
a
commercial
vendor,
it's
kind
of
unclear
what
to
put
there,
whether
something's
part
of
a
foundation
or
just
a
personal
GitHub
repository,
then
there's
a
bunch
of
stars,
because
those
are
typically
supposed
to
be
the
versions
minor
versions.
D
D
Here's
the
actual
CPE
schema
yeah,
so
version
part
and
vendor
product
version,
update
Edition
language,
software,
Edition,
blah
blah
blah
yeah.
Some
some
CPUs
get
set
a
lot
more
fine-grained
and
have
real
data
in
it.
This
one
it's
about
as
good
as
you're
going
to
get
for
a
CV
and
a
random
personal
project
like
this
one.
D
So
this
is
on
the
main
use
case.
I
mean
there's
a
lot
of
use
cases
for
vex,
but
this
is
the
main
one
that
we
deal
with
personally
when
we
triage
all
of
these
results,
there's
a
lot
of
borderline
ones
right.
There
are
a
lot
of
vulnerabilities
that
might
not
actually
be
exploitable
in
a
certain
configuration
or
might
require
an
attacker
to
have
privileges
or
all
of
this
stuff.
D
So
here's
kind
of
that
first
use
case
for
vex
here
is
what
an
openvex
schema
looks
like
there's
some
boilerplate
at
the
top,
explaining
what
it
is.
The
person
that
crafted
the
document,
the
Vex
document-
so
in
this
case
we'd
be
crafting
one
of
these,
because
we
just
did
that
triage
ourselves.
We
even
did
it
here
as
the
group
checking
each
other's
work.
We
could
write
one
together
when
we
did
this.
D
You
can
change
these
Vex
documents
over
time
and
then
here's
the
important
part
in
the
statements
so
with
an
open
device
document.
You
couple
that
vulnerability,
ID,
that
we
just
looked
at
to
the
products
that
we
looked
at
it
in
and
that's
a
slightly
important
distinction,
so
that
big
tree
CMS
thing
could
be
a
real
vulnerability
in
someone
else's
product.
It's
just
not
a
real
vulnerability
in
these
specific
products
that
we
looked
at
and
then
there's
a
whole
bunch
of
different
status
codes.
D
You
could
say
it
was
fixed,
but
in
this
case
here's
what
it
would
look
like
for
the
cve
I
kind
of
popped,
one
out
in
the
editor,
but
after
that
cve
hyphen,
2018
hyphen,
two
five,
zero,
six,
seven
six
and
declared
that
it
is
not
in
the
specific
image
that
we
looked
at
it
in.
In
this
case,
it's
a
node.js
image
and
I
think
there's
a
typo
there.
D
I
should
have
a
colon
in
between
node
and
sha,
but
you
can
imagine
what
this
would
look
like,
that
specific
product
is
that
built
final
package
that
we've
compiled
from
all
of
these
different
sources
and
the
justification
here
is
component
not
present.
That's
one
of
the
five
or
six
status
fields
that
you're
allowed
to
use.
You
get
to
write
a
little
statement
explaining
why
yeah
that
vulnerable
code
is
definitely
not
present
and
so
false
positive
match.
Our
code
is
a
node
that
code
is
in
PHP
just
completely
not
even
related
to
this.
D
These
come
up
all
the
time
with
different
packages.
There's
a
bunch
of
other
examples
in
a
Ruby
image
and
Ruby
that
you
can
look
up.
There
are
a
lot
of
ruby
gems
there's
a
core
ruby.
Gem
named
lager,
that's
baked
into
the
Ruby
distribution,
so
you
can
imagine
how
the
wild
cards
on
something
named.
Logger
explode,
combinatorically,
because
there's
probably
a
package
for
that
in
every
single
programming,
language
and
tons
of
proprietary
ones
too
so
tons
of
CVS
around
lager.
D
Real
quick
aside
here,
why
did
a
CV
just
get?
This
is
a
lot
of
other
systemic
problems,
I
think
with
the
vulnerability
management
ecosystem.
Why
did
a
CV
just
get
reported
a
few
weeks
ago
for
a
personal
project
that
hasn't
been
updated
in
five
years
with
one
star?
It's
not
even
clear.
Anyone
is
using
this
to
get
to
that
part
a
little
bit
of
aside
from
Vex,
but
I
think
it's
worth
calling
out.
If
you
click
on
the
identifiers
in
that
nvd
entry,
you
take
it
to
another
website,
called
zoldb
vuldb.com.
D
They
are
what's
referred
to
in
the
parlance
as
a
CNA,
so
they
are
allowed
to
issue
cves
a
lot
of
organizations
get
that
status.
But
this
is
what
you
get
when
you
click
on
their
website.
It's
login
required
and
it
is
basically
a
website
for
sharing
and
paying
for
bounties
for
exploits
against
specific
cves.
D
My
best
guess
for
why
these
things
keep
clogging
up
scan
results
is
that
there's
some
people
or
group
of
people
out
there
that
are
just
grabbing
GitHub
for
commit
messages
that
say
things
like
fixed
SQL
injection
or
you
know,
switched
algorithm
in
jwts
or
something
like
that.
Some
string
match
that
is
a
common
source
of
vulnerabilities
and
then
filing
cve
entries
against
them.
D
So
what's
next
here
for
for
vex
in
general,
how
does
open
Vex
fit
in
to
really
solve
that
core
use
case
of
stopping
that
crappy
data
from
flowing
Downstream
to
end
users?
We
need
a
whole
bunch
of
different
parties
to
start
implementing
and
trusting
and
interchanging
and
working
with
these
Vex
documents.
There's
also
all
sorts
of
weird
trust
things
to
worry
about.
When
you
start
talking
about
that,
we
did
that
triage
here.
As
a
group,
let's
say
somebody
trusted
the
open
ssf
to
be
doing
that
analysis
as
one
example.
D
They
might
not
trust
some
other
random
person
on
the
internet.
Trusting
random
people
on
the
internet
to
add
vulnerability,
vulnerability
data
is
how
we
got
into
this
mess
in
the
first
place,
so
that
trust
model
requires
some
kind
of
signature.
Digital
signature
at
a
station
framework,
so
you're
not
just
trusting
any
Vex
document
you
find
sitting
around
on
the
ground.
You
might
want
to
configure
that
to
only
trust,
facts
documents
that
come
from
someone
else.
D
D
How
do
standards
know
which
effects
documents
to
trust
on
behalf
of
you,
so
that's
kind
of
where
some
of
the
extra
stuff
in
openvx
comes
in
it's
designed
to
fit
into
a
lot
of
the
other
signing
and
attestation
formats
that
are
used
throughout
the
open
source
ecosystem
like
in
Toto
and
Sig
store.
So
we
can
start
to
work
with
scanners
and
figure
out
how
they
can
be
configured
on
behalf
of
companies
and
issue.
These
on
behalf
of
companies
and
signing
them
Vex
as
a
whole
is
very
new.
D
It's
a
very
large
schema
that
does
accent
a
whole
bunch
of
other
things
as
well
for
security
reporting
and
data
interchange,
and
all
of
that
there
aren't
great
libraries
for
it.
It's
just
a
massive
specification
in
general.
So
if
we're
trying
to
get
scanners
to
add
something
new,
something
simple
and
focus
to
the
Vex
case
seems
to
be
a
little
bit
easier.
D
Also,
just
personally,
we
like
standards
that
do
one
thing
do
one
thing
well,
rather
than
kind
of
large
overall
envelope
formats,
Cyclone
DX
also
has
a
Vex
profile,
but
Cyclone
DX
is
a
full
s-bomb
format.
You
can
issue
Vex
documents
in
it
without
the
whole
s-bomb
stuff,
but
it's
kind
of
off-putting
a
whole
different
tool
set
to
people
that
are
using
some
of
the
other
S9
formats
like
things
like
spdx
I.
D
Did
this
whole
Vex
demo
without
even
mentioning
s-bomb
and
talking
about
it,
because
you
don't
need
to
it's
related
to
s-bomb
and
s-bomb
is
going
to
kind
of
blow
up
that
noise
problem,
but
you
don't
need
as
bombs
for
vex
to
be
useful,
so
something
decoupled
from
any
of
the
major
s-bomb
formats
seems
to
have
a
better
chance
of
getting
a
widespread
adoption
in
our
opinion
and
then.
Finally,
this
as
a
whole
is
incredibly
new
I.
Think
if
we
start
fresh
start
with
the
very
minimum
fields
that
we
need.
D
D
There's
a
lot
of
talk
about
fragmentation
again
that
doesn't
really.
That
argument
doesn't
really
resonate
with
me
personally,
there's
not
much
of
anything
to
fragment.
We
haven't
been
able
to
find
any
Vex
documents
out
there.
Yet
just
the
working
group
there's
of
course,
going
to
be
multiple
formats,
as
PDX
also
has
a
Vex
profile
going
on
inside
of
that
format.
This
is
a
working
group
kind
of
published
this
common
lowest
common
denominator,
definition
of
what
Vex
actually
is
and
what
it
means
to
be
vex,
semantically.
D
So
any
format
that
does
that
in
my
co-worker
Adolfo
just
did
some
demos
last
week.
Anybody
that
actually
has
that
metadata
in
different
formats
should
be
able
to
Interchange
just
fine.
They
semantically
explain
here's
what
a
product
is,
here's,
what
a
vulnerability
identifier
is
and
the
formats
can
choose
to
represent
in
different
ways
whether
it's
XML,
please
no,
but
something
like
that
or
even
custom
schemas,
there's
gonna
be
a
bunch
of
different
ways
of
representing
those
same
four
or
five
key
Fields,
whether
you
embed
it
somewhere
else
or
not.
D
A
E
E
E
Seen
a
lot
of
products
try
to
solve
is
the
this
project
is
or
this
dependency
is
vendored
in
some
other
project
and
add
the
cpes
for
the
or
whatever,
like
the
the
the
pearls,
the
cpes.
You
know
for
the
vendor
down
the
project
Downstream
that
vendors,
that
project
and
is
thus
still
vulnerable
to
that
upstream
cve,
and
try
to
capture
that
information
as.
I
E
D
I
know
Brandon
introduced
himself
at
the
start
of
this
call
Brandon
just
published
an
awesome
blog
post
on
yesterday,
like
literally
yesterday
on
ways
to
do
like
partial
recombination
of
X
documents,
as
software
gets
rendered.
I
don't
want
to
call
anyone
on
the
spot
Brandon,
but
I
think
what
Jonathan
just
described
is
what
your
blog
post
yesterday
was
about.
Is
that
correct.
A
D
D
L
Also
also
in
that
case,
when
they
are
not
like
they
did
Issue
an
advisory
saying.
No
JS
17
and
18
contain
openssl
in
their
vulnerable
version,
but
they
didn't
say
no
16
also
contain
the
same
openness
sub
because
it
was
end
of
life.
So
and
they
said
we
don't
support
end
of
life,
so
they
didn't
mention
it
so
I
reached
out
to
them
and
then
they
edited
but
yeah.
Unless
you
you
know,
then
you
don't
know.
D
D
Ideally,
an
end
user
would
have
enough
data
to
just
know
that
node
has
this
version
of
openssl
and
therefore
also
query
for
all
open
SSL
vulnerabilities,
instead
of
just
the
node
ones,
but
again
that'll
lead
to
a
whole
bunch
of
noise
that
you
need
a
way
to
quiet.
I,
think
art
looks
like
he's
here.
I
still
remember
this
talk,
art
gave
at
the
first
supply
chain,
security,
con
called
the
supply
chain
of
vulnerabilities
itself
and
I
think
it
might
be
completely
misrepresenting.
It
I
think
he
said.
D
K
Yeah
and
just
to
be
clear,
I
I,
think
I
think
I
was
citing
Chris
twiceople
of
varicode
and
but
just
important
nuance.
You
know
that
that
figure
was
for
the
software
that
they
were
looking
at.
So
I
don't
deny
that
that
number,
but
I
think
it
might
vary
depending
on
the
you
know.
The
ecosystem
you're
working
in
but
I
think
the
takeaway
is.
You
should
not
assume
Downstream
inheritance
of
vulnerability
or
non-vulnerability.
D
Yeah,
so
if
you
only
solve
that
first
half
of
the
problem
of
clearly
stating
which
software
is
bundled,
then
you're
just
going
to
blow
up
the
noise
problem
unless
you
also
solve
a
way
to
carry
on
a
trans
transmit
that
exploitability
information
to
alongside
of
that,
so
I
think
Brandon's
blog
post
from
yesterday
addresses
it
pretty.
Well
any
other
questions
on
that.
One.
D
D
You
probably
saw
this
in
the
salsa
specification
working
group
in
the
open
ssf.
A
lot
of
other
standards
go
through
this
I'm,
not
a
lawyer,
but
my
understanding
is
that
standards
and
specifications
are
treated
much
much
differently
from
a
licensing
and
patent
perspective
than
just
code
and
the
great
Folks
at
the
open,
ssf
and
the
Linux
Foundation
put
together.
This
process
called
the
community
specification
process.
Or
if
you
follow
that,
then
you
get
a
lot
more
protections
than
just
throwing.
D
Like
A,
Creative,
Commons
or
Apache
MIT
license
in
a
repository
and
calling
something
a
specification,
and
if
you
don't
do
that
from
the
start,
it
becomes
very
hard
to
propose
these
things
as
International
standards.
Jewelry
and
the
specification
group
of
the
learnings
foundation.
Explain
this
so
many
times
and
I,
don't
quite
understand
it
because
I'm
not
older,
but
I
trust
them,
and
so
we
set
up
open
fashion.
I'm
going
to
start
with
this
process
to
make
sure
we
are
protected
in
that
event
of
proposing
it
to
an
international
standards
group.
D
So
if
we
do
all
this
correctly,
then
I
do
hope.
We
can
get
some
ISO
specification,
I.E
tfrfc,
something
like
that.
I,
don't
know
that
we
have
any
plans
of
exactly
which
direction
to
go,
but
for
vex
itself
to
reach
that
goal
of
scanner
or
distributor
consumer
widespread
adoption.
That's
important
to
get
this
into
an
international
standards
group.
D
D
So
we've
got
to
work
with
a
few
scanners,
we're
hoping
to
work
with
the
gripe
folks
to
start
out
with
template,
that's
back
and
then
flesh
out
the
other
parts
beyond
the
spec.
The
stuff
I
talked
about
before.
How
do
I
trust
this
Vex
document?
How
do
I
configure,
which
sources
I
trust
for
which
pieces
of
software
there's
a
lot
of
different
status
codes
in
there
that
one
around
that
code
just
is
not
even
present,
is
the
simplest
there's
a
lot
of
other
more
nuanced
ones
around.
D
It's
not
exploitable
in
the
default
configuration
but
might
be
in
other
configurations,
so
use
an
end
user
based
on
your
risk.
Tolerance
might
want
to
trust
only
stuff
for
the
reasons
of
the
code
not
being
there,
but
you
might
still
want
to
take
another
look
yourself
for
other
statuses,
so
there's
a
lot
of
ux
here
to
figure
out
to
really
quiet
the
noise
problem,
while
still
keeping
transparency
throughout
the
entire
supply
chain.
D
If
that
goes
well
just
rinse
and
repeat
and
see
if
we
get
more
widespread
adoption
and
then,
of
course,
Tracy
threw
this
one
in
here,
one
of
my
favorite
memes
about
Vex
I
did
this
during
the
the
World
Cup,
but
yeah
as
s-bombs
ADD
transparency.
We
need
tools
to
combat
the
noise
that
comes
with
transparency.
B
C
B
D
D
Yeah
might
take
vdr
is
vulnerability.
Disclosure
report,
I
think,
is
that
what
it's
called
Parker
am
I,
getting
this
right
now
I'm
blanking
on
what
it's
actually
called
I.
As
long
as
it's
correct
and
I
know
my
take
yeah
vulnerability
disclosure
report
that
is
kind
of
I,
look
at
it
as
almost
the
opposite
of
Vex
in
some
ways
a
vdr
document.
My
understanding
anyway,
is
supposed
to
contain
a
list
of
the
vulnerabilities
that
are
exploitable
in
a
piece
of
software.
D
D
The
big
Nuance,
in
my
opinion,
is
that
it's
it's
there's
not
always
an
answer
of.
Is
it
exploitable
or
is
it
not
especially
for
late
breaking
new
vulnerabilities?
There's
a
third
intermediate
State
there,
which
is
we
don't
know
yet
or
we
haven't,
looked
yet
or
something
like
that,
and
so,
if
you're,
using
that
vdr
style
model
of
I
assume.
My
vendors
will
tell
me
if
something
is
exploitable
and
I
have
this
API
to
hit
and
I'll
check
the
morning.
D
Log
for
Shell
happens
or
the
next
log
for
Shell
happens
and
you
hit
all
these
apis
and
it
doesn't
show
up
in
that
report.
You're
left
wondering.
Did
they
do
that
triage
and
affirmatively
state
that
it's
not
there,
because
it's
not
in
this
document
or
have
they
just
not
done
that
triage
yet
or
with
Vex?
D
You
know
that
if
it's
not
there
say
it's
not
exploitable,
then
you
get
to
assume
that
it
is
exploitable
until
you're
told
otherwise,
so
that
slight
default
switches,
different
kind
of
like
a
fail
open
to
fail,
closed
model,
I.
Guess
in
my
opinion,
which
lets
you
decide
what
to
do
in
those
situations.
B
D
D
Yeah
that
that's
my
high
level
I
think
there's
a
couple
memes
or
two
somewhere,
but
yeah
I.
Think,
coupled
with
s
moms
I
mean
it
to
some
extent,
I
think
the
vdr
concept
is
great
like
if
you
can
trust
your
vendors
to
tell
you
that
information.
It
saves
you
a
lot
of
time,
but
it
requires
you
to
be
able
to
trust
your
vendors
and,
in
my
opinion,
one
of
the
main
goals
of
s-bombs
is
to
give
you
transparency
in
that
code.
So
you
don't
have
to
just
blindly
trust
your
vendors.
D
You
can
see
what's
in
there
and
do
a
lot
of
that
querying
yourself.
So
Vex,
plus
s
bombs,
is
kind
of
solves
that
same
use
case
as
vdr
in
the
end
which,
if
you
want
that
transparency,
if
you
want
to
be
able
to
that
feel
safer
having
the
s-bomb
data,
doing
the
queries
yourself
and
then
checking
for
vex
entries,
it
is
more
work
to
be
clear
than
just
asking
a
vendor
whether
or
not
there's
anything
you
need
to
worry
about.
B
K
Art
yeah,
sorry,
just
one
day
a
couple
months
ago
that
the
acronym
video
are
surprised.
The
heck
out
of
me
and
I
went
to
dig
it
up.
It's
not
crystal
clear
to
me
that
vdr
is
well
specified
anywhere,
I,
think
nist
brought
it
put
it
up
in
an
SP
and
the
Cyclone
DX
folks,
you
know
have
perfectly
fine.
You
know
chosen
that
they're
going
to
implement
it
or
just
talk
about
it
more,
but
one
you
know
analog
to
Vex
right,
even
there's
no
such
thing
as
open
vdr.
K
Currently,
that
has
an
actual
right,
schema
or
format
or
anything
so
I
would.
My
opinion
is
that
vdr
is
pretty
weakly
specified
not
to
get
too
fired
up
about
it
at
this
point,
no
one
is
actually
requiring
them
or
has
a
special
format.
You
have
to
do
them
in
just
yet
that
I
know
that
I
know
of
at
least
thanks.
D
H
M
Just
I
know
that
you've
done
some
Outreach
to
some
of
the
standards
groups
that
have
been
working
on
this.
What
does
the
philosophy
in
terms
of
you
know,
trying
to
collaborate
with
other
standards,
groups
that
have
been
participating
versus
trying
to
sort
of
Advance
this?
Is
it
a
little
early
in
the
game
yet
or
any
other
thoughts?
You
have
on
that,
because,
obviously,
in
the
past,
standards
have
driven
a
lot
of
this.
M
M
D
You
yeah,
Alan,
Alan
and
Justin
are
great.
They
were
part
of
the
Cisco
working
group
that
formalizes
the
definition
of
vex
I
I,
don't
see
either
of
them
here
in
the
call
and
I
don't
want
to
put
words
in
their
mouth
and
I
know.
Art
was
in
that
as
well,
but
my
understanding
is
that
the
goal
of
that
working
group
was
to
Define
what
Vex
is
not
to
define
a
particular
format.
D
We
can
get
that
process
started
whenever
there's
Comfort
I,
guess
that
this
works.
The
ietfs,
Motto,
I,
guess
philosophically,
is
what
aligns
with
me
of
working
code
and
rough
consensus,
so
showing
some
amount
of
working
code
end
to
end
I.
Think
we'd
like
to
do
first,
showing
is
Flowing
all
the
way
from
a
software
distributor
through
a
scanner
down
to
a
customer
when
we've
proven
that
works
all
the
way,
then
I
think
I'd
be
happy
to
push
this
through.
A
standardization
process
did
I
didn't,
say
any
of
that
correctly.
Art
and.
K
I
was
going
to
just
quickly
back
that
up.
This
is
a
dock
which
should
be
published
any
any
any
any
day.
Now,
waiting
for
a
legal
review,
I
think
is
sort
of
a
requirements,
level
minimum
requirements.
It
is
supposed
to
supposedly
carefully
abstract
it
away
from
an
actual
implementation.
There
can
be
many
implementations.
You
can
call
the
fields
what
you
want.
You
can
get
into
details
about
how
you
want
to
do
things
as
long
as
in
theory
you
meet,
you
know,
you've
got
these
informational
elements
and
they
relate
in
a
reasonable
way.
K
We
tried
very
hard
to
sort
of
meet
this
weird
Middle.
Ground
of
you
know,
there's
a
couple
implementations
already
out
there.
Openvx
came
along
at
a
great
time
in
that
process.
This
will
show
another
implementation:
a
much
cleaner,
simpler,
smaller
one
and
yeah.
The
system
work
is
intended
to
be
a
requirements,
level,
high
level
requirements,
level,
minimum
requirements,
level
a
layer
away,
at
least
on
the
implementation.
So
right
on
down
here,
thanks.
M
Yeah
I
understand
you
know
it's
logical,
but
it
it
still
doesn't
sort
of
help.
The
problem
yeah
customers
are
all
struggling
with.
You
know
what
do
I
do
about
my
basic
s-bomb,
much
less
Vex
and
oh,
my
God
I'm
just
going
to
run
in
the
opposite
direction,
because
I
can't
keep
up
with
the
volume
of
churn
that
seems
to
be
happening
out
in
these
communities.
D
If
we
do,
it
correctly,
I
think
it's
a
it's
a
concern
for
software
Distributors
to
deal
with
and
a
concern
for
scanner
vendors
to
deal
with,
but
those
same
soccer,
Distributors
we've
heard
in
all
of
yes
Mom
working
groups
that
they're
one
of
their
main
fears
of
s-bomb
is
that
added
transparency
will
lead
to
their
customers
blowing
up
their
phone
lines
of
all
the
noise
from
the
scanners,
and
so
Vex
is
solving
a
real
pain
point
for
them.
So
I
think
that
there
is
going
to
be
motivation
to
do
something
there.
D
D
D
Yeah,
my
understanding
of
that
group
they're
working
on
ledgers
and
Technologies
for
kind
of
Distributing
information
like
this
I
follow
the
list
like
repositories
for
storing
and
interchanging
s-bombs
and
Vex
documents,
and
all
of
that
that
kind
of
sits
in
that
section,
I
guess
below
the
now.
We
have
the
documents.
How
do
we
get
them
around
to
people?
How
do
they
find
them?
How
do
they
know
which
ones
they
can
trust
I,
think
that
it
would
align
that
way,
pretty
well.
D
I
Not
a
question
just
more
like
a
comment,
you
know,
I
think,
first
of
all,
a
great
presentation:
I
had
a
chance
to
see
Adolf
will
do
it
at
the
sisa
effects
working
group
meeting
on
Monday
and
he
had
a
different
Spin
and
it
was
actually
a
live
demo
and
all
that
kind
of
stuff
which
was
really
cool
too.
So
third
time
going
through
something
like
this
a
lot
of
great
stuff
going
on.
I
If
the
desire
is
towards
ISO
specification,
I
guess,
there's
no
better
place
to
begin
than
than
right
here,
because
openness
and
stuff
and
what
you're
describing
is
the
past
submitter
process,
and
you
know
working
on
it
here
in
the
openness
and
stuff,
and
it's
of
course,
going
to
a
jury
over
there
in
the
jdf,
there's
actually
a
step-by-step
process
that
they're
actually.
Currently,
it's
not
written.
It's
not
written
down
on
paper
yet,
but
it
is
currently
being
written
down
on
paper.
I
D
C
D
Yeah
I
think
we're
only
five
minutes
left,
so
we
probably
won't
get
through
the
whole
thing,
but
yeah
we'd
like
to
move
the
open
Vex
project
to
part
of
this
working
group
and
I
know
we're
just
an
attack.
Call
yesterday
going
through
details
of
exactly
how
that
happens
in
general,
in
the
open,
ssf
Chrome,
but
yeah
we'd
like
to
follow
that
process
and
be
adopted
by
this
working
group
and
then
eventually
go
through
the
full
jdf
stuff
and
become
a
real
International
standard.
C
Right
and
what
we'll
do
is
we
will
start
that
process
off
with
a
issue
in
our
repository
in
a
node
after
our
working
group
soliciting
our
collaborators
and
contributors
to
vote
on,
you
know:
do
they
think
this
is
something
that
aligns
with
our
working
group
goals
and
Mission,
and
as
we
get
that
feedback,
we
will
take
the
steps
following
the
exciting
new
process
that
has
some
better
documentation,
I
heard
late
yesterday,
but
we
can
follow
that
through.
If
the
group
feels
that
there
is
Merit
in
this
collaboration,
hey.
D
C
C
All
right,
but
I
want
to
thank
the
Dans
for
coming
and
sharing
this
with
us.
I
think
it's
a
very
interesting
idea,
I
think
it's
something
that
can
be
very
useful
to
the
ecosystem
and
I'll
get
that
issue
set
up
and
sent
out
to
everybody
to
express
your
opinion
on
to
see
if
this
is
something
we
want
to
formally
adopt
and
start
official
collaboration
on-
and
you
know
thank
you
again
for
your
time
and
your
dedication
to
this.
Helping
make
the
world
a
little
bit
better.