►
From YouTube: OpenSSF Vulnerability Disclosures (July 12, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
A
B
A
A
B
B
A
E
A
D
A
Also,
how
to
cook
a
biscuit
on
top
of
a
fire
I
made
with
straw
and
rubbing
two
sticks
together.
D
B
C
A
All
right
so,
as
folks
join
us,
please
add
things
to
the
agenda:
Jonathan
added
an
item
underneath
the
cve
auto
fix
subgroup.
B
B
On
it,
the
specification
for
open,
ssf
compliant
automated
vulnerability,
fixed
campaign
is
in
a
state
in
which
we
are.
We
are
seeking
additional
feedback
on
the
document,
given
the
changes
we've
made
to
determine
if
it
is
missing
anything
that
people
think
we
really
need
to
have
in
there.
B
For,
for
the
specification
and
I
presume
that
there's
given
a
specification,
there's
a
lot
of
verbiage
in
this
document
that
currently
doesn't
is
not
specification
standard
sort
of
like
so
we
should
probably
make
it
better
in
that
aspect,
but
I
will
screen
share
real
fast.
B
Okay,
so
a
couple
of
main
areas,
this
document
covers
I,
should
have
sent
this
to
the
email
list
for
this
meeting.
Adhd
yeah
all
right.
So
the
goal
of
this
document
is
to
Define
what
it
means
to
be
operating
in
an
open,
ssf,
compliant
automated
vulnerability,
fixed
campaign,
and
it
describes
a
set
of
constraints
under
which
you
must
operate
in
order
to
be
considered
unconditionally
compliant.
B
So
the
first
requirement
is
to
report
all
vulnerabilities
Upstream
in
particular,
the
vulnerability
must
be
reported
Upstream
before
you
attempt
to
do
a
bulk
pull
request
like
so.
For
example,
you
must
try
to
get
like
you
can't,
just
like
you
know,
start
doing
both
lower
Quest
generation
without
having
worked
with
the
Upstream
maintainer
to
try
to
fix
it
in
the
vulnerable
library
right
like
we.
If
you
can
fix
it
Upstream,
it's
always
best
to
fix
it
Upstream
than
trying
to
fix
all
the
downstream
consumers.
D
B
When
vulnerability
exists
in
code
generated
by
created
by
code,
generator
I
have
firsthand
experience
with
this.
There
was
a
vulnerability
in
15
000,
open
source
Java
projects
across
the
industry
across
GitHub,
because
some
code
generator
was
generating
in
vulnerable
code
and
people
kept
pumping
it
out
and
creating
GitHub
repositors
from
it
or
the
vulnerabilities
in
a
project.
That's
vendored
widely,
as
is
often
the
case
in
civil.
B
Or
libraries
pre-package
manager,
for
example,
jQuery.
B
Then
there's
a
requirement
to
do
coordinated
non
non-automated,
private
disclosure.
This
is
mostly
in
cases
where
the
vulnerability
is
not
newer
or
is
newer
novel
right.
So
if
you're
dealing
with
a
new
or
not
vulnerability,
then
then
you
must
at.
B
Number
some
number
of
of
projects
privately,
if
they're
not
vulnerable,
it's
not
new
level.
B
Entity
processing
to
do
in
properties,
so
the
Java
standard
Library,
which
is
very
well
understood,
vulnerability.
We've
talked
you
know,
there's
a
bunch
of
documents
about
it,
then
coordinated
non-linear
product
disclosure
is
not
required.
B
Then
private
disclosure
there's
a
discussion
around.
What
is
private
disclosure?
What
is
PVR?
What
should
be
you
know,
pmpvr,
which
is
a
programmatic
means
of
private
vulnerability.
Reporting
GitHub
just
calls
this
private
vulnerability.
Reporting
gitlab
has
private
pull
requests,
requirements
of
how
to
use
this
and
then
Additionally.
You
must
use
the
open
source
project.
B
Osf,
slash,
disclosed
check
tool
to
find
the
relevant
security
contacts
and
email
them
at
the
same
time
as
you
try
to
request
Disclosure
by
it,
you
basically,
you
simultaneously
ask
them
by
issue
to
enable
the
feature
and
also
send
them
an
email
with
the
pat
with
the
vulnerability
in
the
patch
and
then
there's
this
flow
chart
that
describes
describes
how
pmpvr
or
sorry
how
this,
how
this
entire
flow
Works
there's
a
line.
B
That's
missing
that
I'm
going
to
update
the
image
there
we
go
and
then
we
have
some
example:
scenarios
that
were
written
up
around
like
take.
B
Through
some
scenarios
that
explain
like
what
would
happen,
these
are
really
useful
use
cases
they're
contrived
examples,
but
it
helps
explain,
sort
of
some
of
the
flows
and
then
four
automated
fixed
patch
avoid
patching
test
code
exclusively.
So
you
should
try
to
fix
non.
You
should
try
to
fix
it.
You
should
try
to
not
create
pull
requests
that
only
fix
test
code.
B
Basically,
the
pack
Target
should
be
the
default
Branch
external
review
requirement
campaigns
should
be
the
fixes
should
be
reviewed
by
a
third
party
in
the
past.
I've
used
GitHub
security
lab
to
review
like
patches
and
stuff,
like
that.
So,
like
you
know,
make
sure
it
compile
stuff
like
that,
offer
a
requirement
to
offer
disclosure
assistance
during
the
process
and
then
some
requirements
around
messaging
anyway,
so
like
what
what
must
be
included
in
the
in
the
vulnerability
disclosure,
what
should
be
included?
B
What
must
not
be
included
in
particular
marketing
should
be
excluded
and
then
sponsorship
messages
must
be
posted
on
if
you're
into
your
sponsorships
or
stuff.
Then
that
goes
in
an
attach
you
can
you
can
link
to
a
document
that
describes
the
campaign,
and
that
is
where
sponsorship
information
goes.
B
This
is
the
part.
That's
a
little
bit
less
fleshed
out
this
topic
of
opt
out,
so
there's
a
requirement
that
you
do
have
an
opt-out
mechanism.
The
only
one
that
we
have
for
like
a
standard
is
the
open,
SS
security,
Insight
spec,
which
is
the
thing
that's
being
developed
by
Luigi.
B
The
problem
is
that
this
is
the
minimal
spec
and
some
of
the
feedback
that
we
got
from
people
are
is
that
this
specification
is
too
verbose
to
be
a
a
valid
opt-out.
We
should
have
something
that's
simpler
than
having
to
drop
an
entire
file
in
your
repository
that,
like
and
I'm,
going
to
fill
out
all
this
information
in
a
valid
way,
the
goal
upside
was.
We
were
trying
to
encourage
the
use
of
the.
If
you're
going
to
opt
out,
we
were
hoping
that
you
would
at
least
follow
a
different
standard.
B
The
open
SF
is
offering
downside.
It
is
more
verbose
and
heavy
more
heavyweight.
So,
there's
a
discussion
around
like
what
alternative
opt-out
mechanisms
we
want
to
support.
B
There
was
a
discussion
about
using
a
standardized
flag
and
a
security.nb
file,
something
in
the
git
ignore
or
get
attributes
file
or
using
something
like
the
GitHub
robots.txt
file,
which
I
currently
am
using
for
my
campaigns
in
the
past
on
what
the
opt-out
behavior
is
is
that
you
must
create
a
private
public
fork
or
sorry.
You
might
must
create
a
public
Fork
from
the
vulnerable
repository
and
create
a
dedicated
branch
and
apply
the
patch,
but
you
must
not
create
a
pull
request
against
the
opt
out
or
opted
out
repository.
B
You
would
publish
a
link
to
that
publicly.
A
Global
Security
database
ID
might
can
be
assigned
and
the
maintainers
must
not
be
contacted
by
the
campaign
operators
regarding
the
disclosure
of
the
vulnerability.
So,
if
you've
opted
out,
the
vulnerability
still
gets
published,
it
still
gets
public
made
public
the
maintainers
just
don't
get
made
aware
of
it.
B
Let's
see
vulnerability
fix
origin.
There's
a
discussion
of
like
what
get
up
what
what
style
of
GitHub
account
you
should
be
using
maintain
their
communication.
Responsiveness.
B
Like
you
know
you
might
you
can't
just
run
one
of
these
campaigns
and
like
be
done,
you
have
to
actually
engage
with
a
maintainers
when
they
have
feedback
the
ability
to
redeploy
and
rebase
changes.
So
you
must.
Your
campaign
must
have
the
ability
to
if
the
maintainer
says
hey,
this
is
broken.
B
Like
you
know,
you
should
be
able
to
rebase
those
changes
with
an
updated
fix
from
your
campaign
and
then
some
standardized
messaging
around,
like
you
know,
GPT
key
signing
and
ccom
conventions
and
then
coordination
with
the
host
around
contacting
GitHub
in
order
in
in
in
or
whoever
the
host
is
before
you
do
this
work
or
you
use
their
apis
in
this
way.
This
is
a
high
level
of
the
the
specification.
Yes
art,
it's
in
the
I'm.
Sorry,
you
know
I.
B
We're
looking
for
feedback
on
are
there
things
we
even
thought
about?
Are
there?
Are
there
things
we
even
thought
about?
Is
there
more
that
we
need
for
this
to
become
a
proper
specification
stuff
like
that,
so
Crow.
B
Yeah
no
I'm
I'm
I'm,
going
away
on
vacation
for
the
next
two
weeks.
So
sometime
within
the
next
two
weeks
to
be
lovely.
B
Also
so
I'm
gonna
be
running
the
I'm
gonna
run
this
week's
autofix
Sig,
but
I'm
gonna
be
in
California
from
next
Tuesday
to
the
following
set
for
10
days
from
that
next
Tuesday.
So
the
six
that
I've
been
running
are
probably
gonna.
Go
unpaused
for
both
of
those
and
I
will
not
be
making
the
next
one
of
these
meetings.
I
think
because
that's
in
two
weeks,
right,
yeah,
so
I
will
be
I'll,
be
seeing
you
all
in
four
weeks.
E
B
Yeah
success
metrics,
so
he.
B
Agree
that
the
alpha
omega
should
be
tracking
this
information
I'm,
not
certain.
If
we
want
to
include
this
in
the
specification
for
because
this,
the
idea
for
the
specifications
to
Define
the
set
of
requirements
for
anybody
who's
implementing
this
specification
implementing
this
do.
Do
you
want
to
see
success
metrics
for
everybody
that
does
work
like
this?
Or
do
you
just
want
to
see
it
for
Alpha
Omega?
Because
we'll
be
you
know,
you're
you're,
a
stakeholder
in
Alpha,
Omega.
E
Yeah
I
mean
it's,
it
I
would
say.
Ideally
you
know
we
kind
of
have
visibility
into
everyone.
That's
involved,
but
Alpha
Omega
would
be
the
main
starting
point
for
me,
and
you
know
I
I
note
in
the
comment
too
I'm
not
sure
if
it's
really
right
for
the
specification
either
but
I
I
think
thinking
about
it
having
it
down
somewhere
such
that
you
know
we
can
kind
of
see.
E
Is
this
process
working
because
I
I
think
I
think
everything
that
that
you've
laid
out
just
generally
makes
sense,
I
think
for
any
process,
though,
that
you
put
out
there
there's
kind
of
an
unknown
of
of
how
well
it's
it's
actually
doing
the
job
it
set
out
to
do
so.
That's
why
I
think
it's
important
to
really
track
is
this?
B
Oh
there
we
go
so
this
is
the
this.
This
diagram
here
is
a
flow
graph.
That's
gonna,
take
it
slow,
okay,.
B
This
project,
which
is
the
open
Audible
and
this
blows
project
which
I've
been
working
on
to
to
basically
take
the
this
flow
graph
and
turn
it
into
something
that
we
could
actually
operationalize
in
in
a
code
base.
So
this
is
a
state
machine
for
that
flow
graph,
and
ideally
this
would
be
something
that
would
have
a
database,
backend
and
stuff
like
that.
So
you
could
take.
You
know
information
about
how
long
it
takes
to
transition
between
these
states
and
stuff
like
that
and
use
that
for
metrics
as
well
as
understanding.
B
Like
is
the
issue
closed.
You
know
what
stage
is
every
single
thing
in
so
so
this
this
would
be
more
the
portal
for
that
information
to
get
captured,
but
yes,
the
the
that
it
is
something
that
we
want
to
consider
capturing
I.
Just
don't
know
if
it's
good
in
the
specification
or
more
just
like.
Let's
make
that
something
that
we
put
into
the
code
base
for
this.
E
I
mean
I
I
think
what
you
could
do
is
maybe
start
a
separate
dock
link
to
it.
So
it's
not
it's
not
really
blocking
the
proposal
to
get
the
success
metrics
down,
but
I
think
you
know.
If
you
said
you
know,
the
specification
is
linked
with
these
metrics
and
you
know
we
we
can
always
just
pick
arbitrary
metrics,
but
I
think
we
have
to
be
a
little
bit
more
thoughtful.
E
Think
about
a
statement
of
of
what
we're
trying
to
achieve,
maybe
some
goals
of
of
how
we
know
basically
make
the
goals,
explain
how
we
know
we're
getting
there
and
then
make
make
the
metrics
back
those
goals
up
and
I
think.
B
E
E
E
It
might
be
better,
looked
at
as
an
MVP
where
it's
like
everybody
thought
this
was
probably
the
best
that
we
could
do,
but
sometimes
the
real
world
kind
of
resets
expectations
once
you
start
going
through
it
and
and
I
think
if
you
have
metrics
to
work
against
you
know,
then,
when
you
make
changes,
you
can
also
cite
those
and
say
Hey.
You
know
we're
trying
to
close
more
issues,
so
we're
modifying
what
we're
doing
here.
We've
changed
the
language
of
this
email
or
we've.
We've
changed
the
time
that
we
we
resend
emails.
B
Wouldn't
it
wouldn't
it
just
absolutely
suck
if
we
found
out
that
actually
opening
public
pull
requests
for
security
vulnerabilities
was
actually
faster
and
quicker
and
and
got
more
things
fixed
than
doing
it
privately
sort
of
thing
right.
B
E
B
B
B
To
this
document,
but
this
document
was
under
active
development
people
like
the
lawyers
and
stuff
like
that.
Don't
love
it
when
you're
trying
to
productize
a
final
document-
and
you
have
another
document-
that's
a
work
in
progress.
So
so
we
will
tie
them
together
in
some
way
dependently
conceptually
in
our
own
hands,
but
we
may
not
have
a
direct
link
between
the
two
of
them
within
the
contents
of
the
of
the
reading
of
the
document.
E
E
And
I
I
think
you
can
be
very
explicit
and
say
this
document
doesn't
need
to
be
blocked
on
agreement
on
success.
B
Yeah,
so
that
might
be
above
the
protocols
right.
That
might
be
a
section,
then,
if
it's,
if
it's
like
these
are
things
that
you
may
want
to
consider
in
terms
of
considering
success
that
could
either
above
or
below
protocols.
Right,
like
you
know,
not
something
that
you
must
implement,
but
these
are
some
things
you
might
want
to
consider
success,
metrics,
yeah,.
C
D
B
Thing
yeah
yeah,
that
makes
sense
all
right,
I
will
I
will
poke
putting
finding
a
home
for
that
somewhere.
In
this
document,
then
that's
outside
of
the
protocols
all.
B
We
will
be
meeting
today
and
2
p.m.
Eastern
Perfect
come.
B
B
Anybody
else
any
other
comments,
questions
concerns
issues
with
this
document,
things
that
you
know
you
want
to
see
change
things
you
want
to
see
improved.
You
don't
like
a
word.
A
Yeah,
if
anyone
has
any
additional
feedback,
as
Jonathan
mentioned,
let's
comment
on
the
doc-
we'll
probably
talk
about
this
later
this
afternoon
in
the
autofix
Sig,
but
please
try
to
provide
some
feedback
and
the
worst
case
within
the
next
two
weeks.
We
want
to
try
to
get
this
thing
wrapped
up
as
Jonathan
returns,
home.
D
F
I
don't
know
if
this
is
a
collaboration
topic,
but
I
just
wanted
to
say.
Thank
you,
everybody
for
commenting
on
our
vulnerability
disclosure
policy
template.
We
really
appreciated
it.
F
We
you
know,
took
I,
think
pretty
much
all
of
your
feedback
in.
So
thank
you
very
much
awesome.
A
Man
you're
very
welcome.
I
still
owe
you
a
couple
comments
from
comments.
It's
not
gonna
happen
today,
no
worries
but
yeah
we're
glad
to
help
I'm
glad
you
found
it
useful
and
I
hope
your
community,
you
know,
gets
value
out
of
it.
Yeah.
F
We
definitely
will,
and
thank
you
all
for
thank
you
all
for
interacting
with
us
and
yeah
yeah,
we're
happy
if
you've.
C
A
Do
we
have
any
additional
topics
we
wanted
to
talk
about.
B
Art,
do
you
want
to
talk
at
all
about
our
conversation
that
we
had
about
CE
drama,
or
is
there
any
valuable
takeaways
that
we
can?
We
can
share
with
the
group
from
that
conversation.
G
G
To
not
to
say
it's
not
a
problem,
but
it
is
fairly
common
and
it's
my
position
is
it's
understandably
common.
It's
a
little
bit.
It
is
truly
tricky
to
figure
out
what
this
is
very,
very
quick
summary.
G
B
Go
ahead,
I
mean
the
XML
specification
bill
as
not
authentication
special,
but
the
XML
specification,
as
written
has
extent
or
external
entity
resolution
built
into
the
specification.
So
anybody
that
conforms
to
the
specification
in
their
parser
is
themselves
vulnerable
to
an
a
well
understood,
vulnerability,
called
external
entity
processing
the
Java
standard,
Library
influenced
this
specification
correctly
and
is
vulnerable,
and
my
kind
of
tirade
in
the
industry
is.
Can
we
like
make
it
so
that
this
known
vulnerability
is
not
something
that's
opted
into
by
default
across
all
parsers?
C
G
Run
on
the
money
yeah,
so
this
and
this
this
has
happened
before
right,
faithful
implementation
of
a
vulnerable
stacker
protocol,
and
you
know
you
can
get
into
pretty
interesting
questions
about
vulnerability
and
should
the
should
the
spec
even
take
care
of
this
or
not,
but
practically
it
comes
down
to.
If
this
could
be
addressed
at
closer
to
the
root
of
the
graphs,
it
saves
a
lot
of
other
people
a
lot
of
time.
G
It
may
be
a
breaking
change.
There
is
some
real
consideration
to
sort
of
go
through
here
and
then
so.
There's
there's
that
fundamental
issue,
and
then
how
does
CDE
deal
with
this
as
sort
of
a
another
piece
of
the
puzzle
and
I'm
going
to
say
a
number
of
hours
have
been
spent
by
Jonathan
and
others
arguing
and
discussing
and
trying
to
decide
to
assign
or
not
and
pretty
much.
G
My
position
has
become
if,
if
more
than
one
learned
expert
has
spent
more
than
an
hour
or
two
talking
about
it,
the
answer
has
already
been
for
another
hour
sign
the
cve.
Already
we
can
discuss
the
thing
and
publish
the
things,
and
instead
of
talking
about
that
thing
like
she
was
talking
about
about
Java
or
whatever
or
xxc
I
forget
what
it
is.
We
can
just
say:
cve
blah
the
ID.
G
We
can
go
decide
it's
not
a
bug.
We
can
go,
decide
that
the
spec
is
going
to
be
fixed
or
not.
We
can
go
decide
that
Java.
Is
there
isn't
going
to
do
something?
We're
talking
about
hardening,
which
means
to
me
seems
to
me
like
they're,
going
to
respond,
which
means
it
should
have
a
cve
ID,
but
that
whole
conversation
is
sticky.
G
I
may,
if
we
wanted
to
Jonathan
I
may
try
to
raise
it
up
at
cve
again,
I
believe
Jonathan
has
exhausted
the
official
CBE
escalation
path
and
the
higher
Court
upheld
the
lower
courts
ruling
to
not
assign
in
CBE
terms.
B
G
And
there's
precedent
for
this
there
by
the
vulnerable,
vulnerable
specs
in
the
past,
and-
and
it
is
a
reasonable
thing
to
discuss
but
again-
and
this
gets
a
little
bit-
sometimes
argumentative
within
the
CDE
sort
of
board.
G
What
really
is
CBE
about
I
take
a
somewhat
personal
position
that
it
is
about
identification
of
the
abstract
thing,
which
is
a
vulnerability
and
nothing
more,
and
it
should
not
try
to
do
more
and
that's
where
we
get
argumentative
yes,
anyway.
I
grew
up.
But
again,
if
you
spend
a
couple
hours
with
some
knowledgeable
people
talking
about
it,
the
answers
should
already
be
set.
Have
a
cve
go
figure
it
out.
You
can
reject
you
can
dispute.
G
You
can
modify
cves
later,
but
we
have
to
talk
about
the
thing
we
should
have
an
ID
and
we
should
not
spend
I.
Did
this
recently
with
a
very
large
multinational,
Hardware
software
manufacturer.
No
one
should
be
spending
fifty
thousand
dollars
in
time
discussing
whether
or
not
there
should
be
a
cve
ID
you're.
G
No,
not
even
yet
that
would
be.
That
would
be
like
double
the
price
I
mean.
So
there's
a
there's.
This
THX
1183
scene,
where
the
guy
is
climbing
up
the
ladder
and
the
computer
decides
to
stop
chasing
him.
I
think
everyone
remember
that
if
you're
arguing
when
you've
spent
more
than
a
dollar
fifty
on
a
CPE
assignment,
did
you
spent.
G
Sorry
yeah,
so
that's
Jonathan
and
that's
that's
the
issue.
We
might
take
another
crack
at
it
from
the
spec
side
approach
with
CDE
and
I'll.
Tell
you
this
when
I
spend
my
hours
and
still
think
that
I'm
wasting
my
time
yep,
it
is
good
to
push
the
edge
cases,
because
that's
how
we
advance
the
cve
rules
and
the
cve
culture
and
all
those
things
you
have
to
take
one
to
the
highest
port
in
CBE
land
in
order
to
kind
of
push
anything
around
anyway.
I'm
done
ranting
and
croak.
A
Please
I
would
suggest,
since
this
is
not
an
isolated
incident,
this
potentially
could
be
an
excellent
panel
and
or
birds
of
a
feather
session
at
the
forthcoming.
Much
talked
about
Volcan
next
year
since
we'll
have
all
the
industry
luminaries
together.
It
would
be
a
great
topic
to
kind
of
talk
through
what
how
we
could
potentially
do
improve
in
the
future.
B
Is
there
a
cfp
open
for
that
yet
or
is
it
just.
G
G
This
comes
from
the
land
of
sort
of
peace,
art,
Sig
and
cve
Summit,
and
the
idea
I've
been
proposing
even
if
I
was
asked,
was
a
day
of
pisert
Sig
and
the
day
of
cve
and
a
day
of
other
stuff.
And
then
the
fourth
day
is
with
the
whole
thing.
Can
we
assemble
this
all
together,
because
these
islands
of
isolation
are
not
solving
our
Collective
problems
and
I'm,
saying
that
partly
because
CBE
definitely
wants
to
have
a
summit
and
they
want
to
do
all
their
cve
stuff.
G
So,
let's
CV
have
a
day
with
peace
have
a
day
have
a
day
of
other
stuff,
which
is
also
code
for
open
source
stuff
and
then,
but
that's
I'm,
not
running
the
show.
G
So
that's
just
my
suggestion,
but
I
think
there's
real
interest
from
multiple
sectors
this
year
and
it's
a
great
way
to
get
together
right,
all
US,
Open,
Source,
hippies
and
all
the
commercially
money
oriented
people
and
the
government
to
see
people
and
the
coordinators
and
the
sissas
and
the
all
of
the
folks
and
see
if
we
could
stream
together
a
more
functional
vulnerability,
architecture.
A
And
I
could
say
just
for
this
foundation
and
it's
a
particular
working
group.
We've
got
a
very
strong
response
of
interest
to
want
to
participate
and
I.
Think
if
you
as
we
expand
that
out
like
the
cncf
or
the
GSD
people
kind
of
the
open,
ssf
adjacent
things,
I
think
you
get
I
think
there's
a
lot
of
interest.
People
would
love
to
participate.
A
It
sounds
like
Jonathan
has
a
cfp
in
mind
already
yeah,
but
I
think
this
topic
would
be
a
great
example.
Birds
of
a
feather
thing,
great
topic.
G
A
A
H
I
guess
I
have
a
quick
update.
I
had
mentioned
last
week
about
the
tc39
tg3,
the
security
test
group
for
tc39
and
that
the
chair
election
was
coming
up.
So
the
meeting
was
this
week
yesterday
the
Share
Group
was
elected,
so
I
think
still
working
out
the
exact
frequency,
whether
it's
bi-weekly
monthly,
but
those
meetings
will
be
resuming
imminently.
B
Gotta
I
mean
you
don't
have
to
you
can
go
fix
your
air
travel.
It's
not.
You
can
I
got
another
one
if
you
want
it.
Just
had
a
quick
update
on
the
great
artifact
repository
audit,
they're,
active
disc
I.
Think
I
mentioned
this
a
couple
weeks
ago.
It's
the
idea
that
so
see
there's
another
working
group
with
the
Sig
under
the
open
source
Security
fund,
no
under
the
or
securing
software
repositories
working
group.
B
The
goal
of
the
Sig
is
to
try
to
see
if
we
can
find
organizations
to
fund
pen
tests
of
all
the
major
artifact
servers
in
the
industry.
That
conversation
is
continuing
to
move
forward.
Alpha
omega's,
there's
interest
from
alpha
omega's
leadership
to
fund
it,
potentially
so
that'll,
be
a
discussion
later
today
or
happening
soon.
Hopefully,
the
other
topic
that
I
wanted
to
bring
up.