►
From YouTube: OpenSSF Vulnerability Disclosures (July 12, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
A
B
A
A
B
B
A
E
A
D
D
B
C
B
B
B
Okay,
so
a
couple
of
main
areas,
this
document
covers
I,
should
have
sent
this
to
the
email
list
for
this
meeting.
Adhd
yeah
all
right.
So
the
goal
of
this
document
is
to
Define
what
it
means
to
be
operating
in
an
open,
ssf,
compliant
automated
vulnerability,
fixed
campaign,
and
it
describes
a
set
of
constraints
under
which
you
must
operate
in
order
to
be
considered
unconditionally
compliant.
B
So
the
first
requirement
is
to
report
all
vulnerabilities
Upstream
in
particular,
the
vulnerability
must
be
reported
Upstream
before
you
attempt
to
do
a
bulk
pull
request
like
so.
For
example,
you
must
try
to
get
like
you
can't,
just
like
you
know,
start
doing
both
lower
Quest
generation
without
having
worked
with
the
Upstream
maintainer
to
try
to
fix
it
in
the
vulnerable
library
right
like
we.
If
you
can
fix
it
Upstream,
it's
always
best
to
fix
it
Upstream
than
trying
to
fix
all
the
downstream
consumers.
D
B
When
vulnerability
exists
in
code
generated
by
created
by
code,
generator
I
have
firsthand
experience
with
this.
There
was
a
vulnerability
in
15
000,
open
source
Java
projects
across
the
industry
across
GitHub,
because
some
code
generator
was
generating
in
vulnerable
code
and
people
kept
pumping
it
out
and
creating
GitHub
repositors
from
it
or
the
vulnerabilities
in
a
project.
That's
vendored
widely,
as
is
often
the
case
in
civil.
B
B
B
Then
private
disclosure
there's
a
discussion
around.
What
is
private
disclosure?
What
is
PVR?
What
should
be
you
know,
pmpvr,
which
is
a
programmatic
means
of
private
vulnerability.
Reporting
GitHub
just
calls
this
private
vulnerability.
Reporting
gitlab
has
private
pull
requests,
requirements
of
how
to
use
this
and
then
Additionally.
You
must
use
the
open
source
project.
B
Through
some
scenarios
that
explain
like
what
would
happen,
these
are
really
useful
use
cases
they're
contrived
examples,
but
it
helps
explain,
sort
of
some
of
the
flows
and
then
four
automated
fixed
patch
avoid
patching
test
code
exclusively.
So
you
should
try
to
fix
non.
You
should
try
to
fix
it.
You
should
try
to
not
create
pull
requests
that
only
fix
test
code.
B
Basically,
the
pack
Target
should
be
the
default
Branch
external
review
requirement
campaigns
should
be
the
fixes
should
be
reviewed
by
a
third
party
in
the
past.
I've
used
GitHub
security
lab
to
review
like
patches
and
stuff,
like
that.
So,
like
you
know,
make
sure
it
compile
stuff
like
that,
offer
a
requirement
to
offer
disclosure
assistance
during
the
process
and
then
some
requirements
around
messaging
anyway,
so
like
what
what
must
be
included
in
the
in
the
vulnerability
disclosure,
what
should
be
included?
B
B
B
The
problem
is
that
this
is
the
minimal
spec
and
some
of
the
feedback
that
we
got
from
people
are
is
that
this
specification
is
too
verbose
to
be
a
a
valid
opt-out.
We
should
have
something
that's
simpler
than
having
to
drop
an
entire
file
in
your
repository
that,
like
and
I'm,
going
to
fill
out
all
this
information
in
a
valid
way,
the
goal
upside
was.
We
were
trying
to
encourage
the
use
of
the.
If
you're
going
to
opt
out,
we
were
hoping
that
you
would
at
least
follow
a
different
standard.
B
B
There
was
a
discussion
about
using
a
standardized
flag
and
a
security.nb
file,
something
in
the
git
ignore
or
get
attributes
file
or
using
something
like
the
GitHub
robots.txt
file,
which
I
currently
am
using
for
my
campaigns
in
the
past
on
what
the
opt-out
behavior
is
is
that
you
must
create
a
private
public
fork
or
sorry.
You
might
must
create
a
public
Fork
from
the
vulnerable
repository
and
create
a
dedicated
branch
and
apply
the
patch,
but
you
must
not
create
a
pull
request
against
the
opt
out
or
opted
out
repository.
B
You
would
publish
a
link
to
that
publicly.
A
Global
Security
database
ID
might
can
be
assigned
and
the
maintainers
must
not
be
contacted
by
the
campaign
operators
regarding
the
disclosure
of
the
vulnerability.
So,
if
you've
opted
out,
the
vulnerability
still
gets
published,
it
still
gets
public
made
public
the
maintainers
just
don't
get
made
aware
of
it.
B
B
B
Like
you
know,
you
should
be
able
to
rebase
those
changes
with
an
updated
fix
from
your
campaign
and
then
some
standardized
messaging
around,
like
you
know,
GPT
key
signing
and
ccom
conventions
and
then
coordination
with
the
host
around
contacting
GitHub
in
order
in
in
in
or
whoever
the
host
is
before
you
do
this
work
or
you
use
their
apis
in
this
way.
This
is
a
high
level
of
the
the
specification.
Yes
art,
it's
in
the
I'm.
Sorry,
you
know
I.
B
B
B
Also
so
I'm
gonna
be
running
the
I'm
gonna
run
this
week's
autofix
Sig,
but
I'm
gonna
be
in
California
from
next
Tuesday
to
the
following
set
for
10
days
from
that
next
Tuesday.
So
the
six
that
I've
been
running
are
probably
gonna.
Go
unpaused
for
both
of
those
and
I
will
not
be
making
the
next
one
of
these
meetings.
I
think
because
that's
in
two
weeks,
right,
yeah,
so
I
will
be
I'll,
be
seeing
you
all
in
four
weeks.
E
B
Agree
that
the
alpha
omega
should
be
tracking
this
information
I'm,
not
certain.
If
we
want
to
include
this
in
the
specification
for
because
this,
the
idea
for
the
specifications
to
Define
the
set
of
requirements
for
anybody
who's
implementing
this
specification
implementing
this
do.
Do
you
want
to
see
success
metrics
for
everybody
that
does
work
like
this?
Or
do
you
just
want
to
see
it
for
Alpha
Omega?
Because
we'll
be
you
know,
you're
you're,
a
stakeholder
in
Alpha,
Omega.
E
Yeah
I
mean
it's,
it
I
would
say.
Ideally
you
know
we
kind
of
have
visibility
into
everyone.
That's
involved,
but
Alpha
Omega
would
be
the
main
starting
point
for
me,
and
you
know
I
I
note
in
the
comment
too
I'm
not
sure
if
it's
really
right
for
the
specification
either
but
I
I
think
thinking
about
it
having
it
down
somewhere
such
that
you
know
we
can
kind
of
see.
E
Is
this
process
working
because
I
I
think
I
think
everything
that
that
you've
laid
out
just
generally
makes
sense,
I
think
for
any
process,
though,
that
you
put
out
there
there's
kind
of
an
unknown
of
of
how
well
it's
it's
actually
doing
the
job
it
set
out
to
do
so.
That's
why
I
think
it's
important
to
really
track
is
this?
B
B
This
project,
which
is
the
open
Audible
and
this
blows
project
which
I've
been
working
on
to
to
basically
take
the
this
flow
graph
and
turn
it
into
something
that
we
could
actually
operationalize
in
in
a
code
base.
So
this
is
a
state
machine
for
that
flow
graph,
and
ideally
this
would
be
something
that
would
have
a
database,
backend
and
stuff
like
that.
So
you
could
take.
You
know
information
about
how
long
it
takes
to
transition
between
these
states
and
stuff
like
that
and
use
that
for
metrics
as
well
as
understanding.
B
Like
is
the
issue
closed.
You
know
what
stage
is
every
single
thing
in
so
so
this
this
would
be
more
the
portal
for
that
information
to
get
captured,
but
yes,
the
the
that
it
is
something
that
we
want
to
consider
capturing
I.
Just
don't
know
if
it's
good
in
the
specification
or
more
just
like.
Let's
make
that
something
that
we
put
into
the
code
base
for
this.
E
I
mean
I
I
think
what
you
could
do
is
maybe
start
a
separate
dock
link
to
it.
So
it's
not
it's
not
really
blocking
the
proposal
to
get
the
success
metrics
down,
but
I
think
you
know.
If
you
said
you
know,
the
specification
is
linked
with
these
metrics
and
you
know
we
we
can
always
just
pick
arbitrary
metrics,
but
I
think
we
have
to
be
a
little
bit
more
thoughtful.
B
E
E
It
might
be
better,
looked
at
as
an
MVP
where
it's
like
everybody
thought
this
was
probably
the
best
that
we
could
do,
but
sometimes
the
real
world
kind
of
resets
expectations
once
you
start
going
through
it
and
and
I
think
if
you
have
metrics
to
work
against
you
know,
then,
when
you
make
changes,
you
can
also
cite
those
and
say
Hey.
You
know
we're
trying
to
close
more
issues,
so
we're
modifying
what
we're
doing
here.
We've
changed
the
language
of
this
email
or
we've.
We've
changed
the
time
that
we
we
resend
emails.
B
E
B
B
To
this
document,
but
this
document
was
under
active
development
people
like
the
lawyers
and
stuff
like
that.
Don't
love
it
when
you're
trying
to
productize
a
final
document-
and
you
have
another
document-
that's
a
work
in
progress.
So
so
we
will
tie
them
together
in
some
way
dependently
conceptually
in
our
own
hands,
but
we
may
not
have
a
direct
link
between
the
two
of
them
within
the
contents
of
the
of
the
reading
of
the
document.
E
B
Yeah,
so
that
might
be
above
the
protocols
right.
That
might
be
a
section,
then,
if
it's,
if
it's
like
these
are
things
that
you
may
want
to
consider
in
terms
of
considering
success
that
could
either
above
or
below
protocols.
Right,
like
you
know,
not
something
that
you
must
implement,
but
these
are
some
things
you
might
want
to
consider
success,
metrics,
yeah,.
C
D
B
B
B
A
Yeah,
if
anyone
has
any
additional
feedback,
as
Jonathan
mentioned,
let's
comment
on
the
doc-
we'll
probably
talk
about
this
later
this
afternoon
in
the
autofix
Sig,
but
please
try
to
provide
some
feedback
and
the
worst
case
within
the
next
two
weeks.
We
want
to
try
to
get
this
thing
wrapped
up
as
Jonathan
returns,
home.
D
F
A
C
B
G
G
G
B
Go
ahead,
I
mean
the
XML
specification
bill
as
not
authentication
special,
but
the
XML
specification,
as
written
has
extent
or
external
entity
resolution
built
into
the
specification.
So
anybody
that
conforms
to
the
specification
in
their
parser
is
themselves
vulnerable
to
an
a
well
understood,
vulnerability,
called
external
entity
processing
the
Java
standard,
Library
influenced
this
specification
correctly
and
is
vulnerable,
and
my
kind
of
tirade
in
the
industry
is.
Can
we
like
make
it
so
that
this
known
vulnerability
is
not
something
that's
opted
into
by
default
across
all
parsers?
C
G
Run
on
the
money
yeah,
so
this
and
this
this
has
happened
before
right,
faithful
implementation
of
a
vulnerable
stacker
protocol,
and
you
know
you
can
get
into
pretty
interesting
questions
about
vulnerability
and
should
the
should
the
spec
even
take
care
of
this
or
not,
but
practically
it
comes
down
to.
If
this
could
be
addressed
at
closer
to
the
root
of
the
graphs,
it
saves
a
lot
of
other
people
a
lot
of
time.
G
It
may
be
a
breaking
change.
There
is
some
real
consideration
to
sort
of
go
through
here
and
then
so.
There's
there's
that
fundamental
issue,
and
then
how
does
CDE
deal
with
this
as
sort
of
a
another
piece
of
the
puzzle
and
I'm
going
to
say
a
number
of
hours
have
been
spent
by
Jonathan
and
others
arguing
and
discussing
and
trying
to
decide
to
assign
or
not
and
pretty
much.
G
My
position
has
become
if,
if
more
than
one
learned
expert
has
spent
more
than
an
hour
or
two
talking
about
it,
the
answer
has
already
been
for
another
hour
sign
the
cve.
Already
we
can
discuss
the
thing
and
publish
the
things,
and
instead
of
talking
about
that
thing
like
she
was
talking
about
about
Java
or
whatever
or
xxc
I
forget
what
it
is.
We
can
just
say:
cve
blah
the
ID.
G
We
can
go
decide
it's
not
a
bug.
We
can
go,
decide
that
the
spec
is
going
to
be
fixed
or
not.
We
can
go
decide
that
Java.
Is
there
isn't
going
to
do
something?
We're
talking
about
hardening,
which
means
to
me
seems
to
me
like
they're,
going
to
respond,
which
means
it
should
have
a
cve
ID,
but
that
whole
conversation
is
sticky.
B
G
What
really
is
CBE
about
I
take
a
somewhat
personal
position
that
it
is
about
identification
of
the
abstract
thing,
which
is
a
vulnerability
and
nothing
more,
and
it
should
not
try
to
do
more
and
that's
where
we
get
argumentative
yes,
anyway.
I
grew
up.
But
again,
if
you
spend
a
couple
hours
with
some
knowledgeable
people
talking
about
it,
the
answers
should
already
be
set.
Have
a
cve
go
figure
it
out.
You
can
reject
you
can
dispute.
G
You
can
modify
cves
later,
but
we
have
to
talk
about
the
thing
we
should
have
an
ID
and
we
should
not
spend
I.
Did
this
recently
with
a
very
large
multinational,
Hardware
software
manufacturer.
No
one
should
be
spending
fifty
thousand
dollars
in
time
discussing
whether
or
not
there
should
be
a
cve
ID
you're.
G
No,
not
even
yet
that
would
be.
That
would
be
like
double
the
price
I
mean.
So
there's
a
there's.
This
THX
1183
scene,
where
the
guy
is
climbing
up
the
ladder
and
the
computer
decides
to
stop
chasing
him.
I
think
everyone
remember
that
if
you're
arguing
when
you've
spent
more
than
a
dollar
fifty
on
a
CPE
assignment,
did
you
spent.
G
Sorry
yeah,
so
that's
Jonathan
and
that's
that's
the
issue.
We
might
take
another
crack
at
it
from
the
spec
side
approach
with
CDE
and
I'll.
Tell
you
this
when
I
spend
my
hours
and
still
think
that
I'm
wasting
my
time
yep,
it
is
good
to
push
the
edge
cases,
because
that's
how
we
advance
the
cve
rules
and
the
cve
culture
and
all
those
things
you
have
to
take
one
to
the
highest
port
in
CBE
land
in
order
to
kind
of
push
anything
around
anyway.
I'm
done
ranting
and
croak.
A
Please
I
would
suggest,
since
this
is
not
an
isolated
incident,
this
potentially
could
be
an
excellent
panel
and
or
birds
of
a
feather
session
at
the
forthcoming.
Much
talked
about
Volcan
next
year
since
we'll
have
all
the
industry
luminaries
together.
It
would
be
a
great
topic
to
kind
of
talk
through
what
how
we
could
potentially
do
improve
in
the
future.
G
G
This
comes
from
the
land
of
sort
of
peace,
art,
Sig
and
cve
Summit,
and
the
idea
I've
been
proposing
even
if
I
was
asked,
was
a
day
of
pisert
Sig
and
the
day
of
cve
and
a
day
of
other
stuff.
And
then
the
fourth
day
is
with
the
whole
thing.
Can
we
assemble
this
all
together,
because
these
islands
of
isolation
are
not
solving
our
Collective
problems
and
I'm,
saying
that
partly
because
CBE
definitely
wants
to
have
a
summit
and
they
want
to
do
all
their
cve
stuff.
A
And
I
could
say
just
for
this
foundation
and
it's
a
particular
working
group.
We've
got
a
very
strong
response
of
interest
to
want
to
participate
and
I.
Think
if
you
as
we
expand
that
out
like
the
cncf
or
the
GSD
people
kind
of
the
open,
ssf
adjacent
things,
I
think
you
get
I
think
there's
a
lot
of
interest.
People
would
love
to
participate.
A
G
A
C
A
H
I
guess
I
have
a
quick
update.
I
had
mentioned
last
week
about
the
tc39
tg3,
the
security
test
group
for
tc39
and
that
the
chair
election
was
coming
up.
So
the
meeting
was
this
week
yesterday
the
Share
Group
was
elected,
so
I
think
still
working
out
the
exact
frequency,
whether
it's
bi-weekly
monthly,
but
those
meetings
will
be
resuming
imminently.
B
Gotta
I
mean
you
don't
have
to
you
can
go
fix
your
air
travel.
It's
not.
You
can
I
got
another
one
if
you
want
it.
Just
had
a
quick
update
on
the
great
artifact
repository
audit,
they're,
active
disc
I.
Think
I
mentioned
this
a
couple
weeks
ago.
It's
the
idea
that
so
see
there's
another
working
group
with
the
Sig
under
the
open
source
Security
fund,
no
under
the
or
securing
software
repositories
working
group.
B
The
goal
of
the
Sig
is
to
try
to
see
if
we
can
find
organizations
to
fund
pen
tests
of
all
the
major
artifact
servers
in
the
industry.
That
conversation
is
continuing
to
move
forward.
Alpha
omega's,
there's
interest
from
alpha
omega's
leadership
to
fund
it,
potentially
so
that'll,
be
a
discussion
later
today
or
happening
soon.
Hopefully,
the
other
topic
that
I
wanted
to
bring
up.