►
C
F
A
D
D
C
No
I
heard
there's
a
saying
that
on
the
internet,
nobody
knows
if
you're,
a
dog
or
not.
D
Know
right
all
right.
D
C
The
invite,
if
you
could
ungray
your
name,
if
you
are
here
that.
D
Would
be
very
helpful.
C
So
I
spoke
to
I
spoke
to
Brian
bellendorf
about
the
calendar
topic
and
the
current
best
practice
for
managing
calendar
invites
from
the
open.
Ssf
is
to
copy
the
or
have
the
openness
as
a
calendar,
and
then
on
all
of
the
calendar
invites
you
can
do
a
drop
down
and
then
there's
a
copy
button
and
that
will
copy
the
calendar
invite
to
your
own
calendar.
C
And
so
that's
the
best
way
to
manage
invites
because
the
open
ssf
doesn't
want
the
project
maintain
or
the
project
leads
and
the
and
the
or
the
the
to
manage
calendar
invites
and
there's
no
great
way
for
people
to
opt
into
the
calendar
invites
themselves
by
like
an
email
group
or
something
like
that.
So
best.
C
Go
to
the
working
group
calendar
select
the
calendar,
invite
and
copy
the
reoccurring
event
onto
your
calendar.
If
you
would
like
to
attend
in
the
future,.
C
Let's
do
intros,
there
are
some
new
faces
here,
so
let's
just
go
around
and
introduce
ourselves.
I'll
start
thanks.
Jonathan,
let
you
I
am
the
a
senior
software
security
researcher
for
Linux
Foundation
under
project
Alpha
Omega,
which
is
under
open
source
security.
Foundation
I'm
known,
are
the
work
that
I've
been
doing
over
the
past.
C
Several
years
is
automating
fixing
vulnerabilities
at
scale
across
open
source,
using
tools
like
modern,
and
you
know
Bots
that
I've
written
to
just
you
know,
bulk,
generate
pull
requests
and
so
I've
been
part
of
the
vulnerability
disclosures
working
group
and
decided
to
break
this
topic
out
into
an
independent
Discussion.
E
A
B
A
I'm
gonna
go
next
I'm
co-founder
at
the
Modern,
the
the
company
behind
opener,
right,
refactoring
engine
and
recipes
working
with
a
lot
of
vendors
working
with
Jonathan
light
show.
Thank
you,
Jonathan
for
your
contributions
with
security
recipes
and
around
control
flow
in
the
data
flow
really
enjoy
working
with
you
push
the
boundaries
of
so
many
things.
I
really
enjoy
working
with
you.
G
So
I'll
I'm
Jordan
purple
I'm
from
I'm,
currently
a
director
of
vulnerability
research
at
a
startup
security,
startup
based
in
Israel
called
Brazilian.
G
We
do
management
based
on
runtime
analysis,
so
we
prioritize
vulnerability
based
on
the
fact
that
there
are,
they
have
active
code,
that's
loaded
to
memory
and
we
do
a
bunch
of
other
stuff.
It's
also
involved
in
several
other
open
ssf
working
groups,
as
well
as
the
sister,
mainly
the
Vex
working
group
when
I
when
I
find
the
time
I
try
to
pop
in
to
a
few
others
around
s-bomb.
F
All
right,
I
can't
get
my
video
working
there's
a
browser
but
I'm
Matt,
Smith
I'm
working
at
Google
right
now,
I'm
in
the
Google
Cloud
section,
but
I'm
really
interested
in
the
you
know
over
the
the
overlay
between
open
source-
and
you
know
what
cloud
customers
need.
So
essentially
you
know
that
most
of
the
dependencies
are
open
source.
So
how
do
we
you
know?
How
do
we
understand
how
to
fix
open
source
and
bring
it
to
the
cloud
customers?
F
B
D
Oh
great
so.
C
All
right,
I'll
take
care
of
that
opens.
Are
there
any
opens?
Any
any
open
discussion
points
that
people
want
to
discuss
before
we
dive
into
anything
else
or
any
questions,
concerns
ideas.
C
Perfect
okay,
so
there
is
a
specification
that
I
will
open
up
or
I'll,
send
a
link.
D
C
C
This
is
the
specification
defining.
What
is
a
the
proposed
idea
is
defining
an
open
source
security,
Foundation
compliant
automated
vulnerability
fix
campaign.
So
it's
at
a
high
level.
It's
a
it's
a
document
that
states.
If
you
follow
these
sets
of
rules,
you
can
throw
the
open
source
security,
Foundation
name
on
your
campaign,
and
you
know
it
it
will.
It
will
have.
C
Hopefully
it
will
mean
that
your
campaign
is
following
the
best
practices
in
that
that
the
open
source
security
Foundation
is
defined
around
around
this
topic,
so
I've
I've
had
it
get
reviewed
from
people
from
like
Kate
Catlin
who's,
the
PM
for
github's
security,
Xavier
who's,
the
head
of
the
GitHub
security
lab
I've,
run
it
by
a
couple.
Other
people
there's
some
open
topics
and
open
questions
that
exist
within
this
document
that
we
want
to
discuss.
C
C
There
was
a
topic
of
whether
or
not
we
should
support
some
sort
of
opt-out
mechanism,
for
this
so
should
should
we
should
should
automated
pull
request.
Generation
campaigns
be
required
to
support
an
opt-out
mechanism.
C
C
Yes,
but
opting
out
doesn't
mean
PR
not
said
it
means
PR
as
a
public
ID
like
so
the
diff
will
be
public
by
default,
and
then
the
other
option
is
yes,
which
means
the
project
is
skipped
entirely,
and
then
we
we
publish
that
list.
You
can
always
publish
that
list
of
pros
of
projects
who
have
opted
out
on
a
public
website,
or
something
like
that.
Does
anybody
here
have
any
opinions
on
this
topic.
B
I
guess
just
chiming
in
as
a
Dev
having
an
opt-out
would
definitely
be
mandatory
in
my
opinion,
because
otherwise
you're
going
to
piss
people
off.
B
So,
as
far
as
what
that
looks,
like
probably
just
skipping
the
PRS
or
some
other
mechanism
where
they
don't
really
have
to
deal
with
it,
but.
C
That,
yes,
there
is
GitHub
is
going
to
be
publishing
that
API
Kate
said
in
let's
see,
features
like
in
a
private
vulnerability.
Disclosure
currently
does
not
have
an
API.
She
responded
on
March
9th
that
this
will
be
coming
out
in
two
weeks,
but.
E
C
E
C
Okay,
so
GitHub
security
advisor
is
the
way
so
when
you're
disclosing
a
vulnerability,
the
current
flow
is
you
ask
a
maintainer
hey?
Can
you
open
a
GitHub
security
advisory?
They
say:
yes,
they
open
the
advisory,
they
invite
you
to
it.
You
have
the
discussion
there.
The
problem
with
that
is
that
there's
this
lead
time
where
you
have
to
ask
the
maintainer
to
open
a
GHSA
to
let
you
report
the
vulnerability
to
them
and
so
current.
So
the
current
model
is
like
two
stages
right.
C
The
goal
of
this
new
feature
that
get
announced
back
in
November
is-
or
this
new
feature
they
announced-
is
the
ability
for
main
security
researchers
to
report
security
vulnerabilities
to
projects
proactively.
So
there's
a
a
under
the
security
tab.
You
can
select
I
want
to
disclose
a
vulnerability
and
that'll
immediately
create
the
private
Channel
you
can
discuss
things
in
GitHub
is
not
open
this
up
publicly
for
or
it's
it's
an
it's
an
opt-in
feature
that
you
can
enable
on
a
repository.
F
C
Right
so
researchers
can
report
directly,
yes,
they're.
Also.
The
other
problem
is
that
GitHub
security,
advisories
ghsas
when
you're
interacting
with
them.
They
previously
have
not
had
an
Epi.
C
That's
so
there's
been
no
public
GitHub
API.
For
them
you,
the
only
way
to
interact
them
with
them,
is
by
the
UI.
C
C
Right
so
GitHub
is
adding
support
for
an
API
for
opening
phase
or
opening
private
disclosure
channels,
and
also
interacting
with
ghsas
via
GitHub,
the
so
that
that
is
coming,
hopefully
within
the
next
two
three
weeks.
So
we
should
see
that
the
outstanding
problem
is,
if
so,
maintain
or
opts
out.
The
way
that
I've
been
handling
opt
out
to
this
point
is
I.
I
will
screen
share
I've
been
doing
this,
so
I
have.
C
Vulnerability
security
fixes
please
consider
adding
a
file
called
GH
or
dot
pH
or
sorry
dot,
GitHub,
ghrobots.txt,
I'm
sure
repository
with
the
following
line
for
many
years.
No
repository
did
this,
but
more
recently,
some
projects
like
the
Apache
software
Foundation,
has
done
this,
and
the
Jenkins
team
did
this
at
a
at
the
top
level
in
their
dot.
Github
repository
I
wasn't
really
necessarily
considering
that
one,
the
Jenkins
case,
but
the
Apache
software
foundation
in
a
couple
of
their
Apache
Commons
libraries
has
done
this.
C
So
this
is
the
kind
of
standard
that
I
was
proposing
that
we,
you
know
if
we
were
to
do
an
opt-out
mechanism.
This
would
be
the
opt-out
mechanism
or
there's
another
standard.
That's
Luigi
is
working
on
a
project
that
is
like
some
Json
file.
You
drop
in
your
GitHub
repository
that
defines
a
bunch
of
characteristics
about
it.
Like
is
this
project
alive?
Is
it
dead?
Do
you
accept?
You
know,
contributions,
yada
yada,
and
so
this
could
be
another
optional
field
in
that
standard
as
well.
C
C
Do
we
want
to
support,
opt
out
and
and
Josh
you
you're
arguing
that?
Yes,
we
should,
because
otherwise
you're
going
to
piss
off
maintainers.
C
Is
it
a
global
opt-out
or
is
it
an
opt-out
or
a
specific
actor
right?
Is
it
I,
don't
want
anything
or
do
I
only
want.
E
E
B
Have
this
Ruby
Library
I'm,
maintaining
it
could
be
that
you
find
a
particular
actor,
is
not
up
to
the
Quality
that
you
want,
or
maybe
you
tend
to
handle
the
patches
for
those
directly
rather
than
through
whatever
automation
they
have
set
up.
B
Because
otherwise,
if
it's
just
a
blanket
turn,
everything
off
I,
don't
know
that
it
would
get
the
job
done,
but
and
I
guess
the
other
side
of
that
is.
If
you
make
it
per
project,
then
it's
also
well.
If
they
have
like
20
different
things,
they
have
to
opt
out
of
that
might
also
piss
them
off.
So
granular.
B
Yeah,
if
that
wouldn't
be
too
much
trouble,
I
think
that
would
be
nice
from
the
maintainer
perspective.
Yeah.
D
C
So
we'll
add
I
will
add
a
section
for
opt
out,
defining
what
opt
out
means
and
how
that
works.
Denver.
Is
there
anybody
else
who
has
a
Counterpoint
or
counter
argument
to
whether
or
not
they
should
opt
out
or
support
for
opting
out.
F
F
Like
to
me,
they
would
have
legitimacy
and
be
more
like
mailing
lists
versus
spam,
but
I
just
I,
don't
think
I
understand
what
would
be
the
Dynamics
between
if
you
wanted,
only
certain
campaigns
or
certain
submitters
to
do
it.
Yeah
so
I
think
exploring
the
granularity
and
like
what
do
some.
What
do
package
maintainers
want?
It's
interesting.
C
C
B
Yeah,
my
thought
would
be
like,
at
the
end
of
the
day,
you're
going
to
get
a
security
vulnerability
ID
for
it
and
whether
you
care
is
kind
of
up
to
you,
but
that
protects
the
end
users,
because
hey
this
project
has
security
vulnerabilities,
they're,
choosing
not
to
patch
them,
but
you
still
give
them
the
option
of
not
having
to
be
bothered
by
it.
C
So
we
could
still
get
so
contacts.
Josh
works
for
GSD
still.
C
So
GSD
is
a
database
of
vulnerabilities
and
it
it
I've
spoken
to
culinary
gsds
is
like
cve
light,
so
it's
an
IV
id4
vulnerability,
but
it
doesn't
necessarily
need
to
go
through
the
vetting
process
that
CBE
requires
and
so
you're
saying
that
we
could
theoretically
assign
a
G's
GSD
to
it.
Even
though
right
you
fix
it
or
you
fix
it,
but
you
don't
contribute
it
and
you
publish
it
somewhere,
saying
hey!
This
fix
is
pending
with
the
maintainer
rejected.
It.
D
B
C
So
should
the
would
it
be
good
to
generate
the
the
diff
and
maybe
have
that
sitting
on
a
commit
Branch,
but
not
have
the
Polar
Express
get
generated,
so
you
can
have
it
get
to
the
point
where
the
diff
has
been
generated,
but
not
the
pull
request.
B
C
C
Ok
Okay
so
then
so
you're
still
disclosing
the
vulnerability
in
that
way,
but
you're,
not
okay,
and
so
you
you
can
so
communicating
that
this
is
the
flow
right
in
in
the
main,
to
the
maintainer
saying
like
hey.
If
you
opt
out
in
the
future,
just
a
heads
up
you're
still
the
vulnerability
will
still
get
published
and
still
go
public,
but
you're
just
not
going
to
get
harassed
about
it
like.
If
that,
if.
B
D
D
F
Sorry
I
was
interrupting.
I
think
it'd
be
nice
to
have
if
there's
a,
if
there's
a
global
opt-out
to
have
that
data
accessible
because
I
know
some
some
folks
are
they're
putting
together
sort
of
scorecards
and
you
know
other
ways
of
evaluating
open
source
repositories
so
yeah,
if
they're,
if
they're
not
accepting
these,
maybe
that'll
factor
into
a
signal
so
having
one
Global
opt-out
list,
that's
accessible.
C
Yeah
I
I
well
I
mean
the
way
that
I'm
there's
no.
What
do
you
mean
a
little
Loft
at
like
requiring
people
to
register
to
a
single
central
location
instead
of
having
them
put
put
it
in
their
GitHub
repository.
F
I
was
thinking
that,
if,
if
let's
say
you
know
yeah,
they
might,
they
might
have
it
in
their
GitHub
repository.
But
if
I'm
developing
a
tool
and
I'm
going
to
use
that
automated
to
put
a
bunch
of
pull
requests
that
I'm
going
to
have
to
go
and
look
up
the
opt-out
lists
at
some
point.
So
that
I'm
not
bothering
those
folks
because
that's
sort
of
like
what
I'm
imagining
is
the
coordination
from
different
people.
Trying
to
you
know
like
comply
with
this
specification.
C
So
there
I
think
maybe
ties
in
to
another
component,
which
is
around
security
assertions,
and
so,
given
that
security
assertions,
which
is
a
project
that
is
also
someone
under
Alpha
Omega,
is
being
built
out
as
a
a
platform
to
show
the
stuff
that
could
be
a
place
where
this
information
gets
encoded.
It's.
So
it's
not
a
requirement
of
this
working
group
that
that
information
be
centralized,
but
it
could
be
something
that
the
security
assertions
working
group
UI
presents
as
one
of
those
assertions
that
hey
this
project
has
opted
out.
F
C
Yeah,
and
so
that
would
make
that
something
that
is
encode
I
think
that
the
the
encoding,
the
information
that
the
opt-out
is
present
into
the
repository,
so
source
code
means
that
you
can
always
be
using
the
late
like
if
they
decide
to
opt
back
in
they
can
just
change,
delete
a
file
from
the
repository
right.
So,
but
you
want
that
centralized
location
for
that
information,
so
security,
surgeons,
I
think,
could
stop
that
problem.
C
Are
there
any
other?
Yes,
you
gotta
hand
up,
go
for
it.
G
Yeah
just
another
use
case,
I
see
for
the
opt-out,
is
for
end
of
life,
end
of
support
versions,
so
you
could
have
a
vulnerability
in
a
in
a
version
of
a
package
that
is
no
longer
supported
and
the
maintainer
will
tell
you:
okay,
I'm,
not
going
to
fix
it.
It's
it's
out
of
scope
and
that's
a
use
case
where
he'll
probably
opt
to
opt
out
for
those
specific
versions.
G
But
we
still
want
people
to
know
that
if
they're
using
these
versions
that
these
vulnerabilities
exist,
they're
not
going
to
get
fixed
but
and
also
the
maintenance
will
probably
won't
want
to
get
a
constant
VR
request.
So
that's
a
use
case
where
I
see
the
update
will
be
helpful.
So.
G
So
so
the
the
the
the
reason
this
pop
to
mind
is
there
was
this
vulnerability
recently
where
you
had
with
open,
SSL
and
node
had
it
built
in
into
their
code,
and
then
it
was
relevant
from
node
16
through
note,
17
and
up
to
node
18,
and
then,
when
node
issued
their
security
advisory.
They
said
folks
that
are
using
node,
17
and
18.
Please
be
advised.
We
have
this
vulnerable,
open,
SSL
and
upgrade,
and
then
I
told
I
reached
out
to
the
one
of
the
core
maintainers
and
I
told
you.
G
You
have
open
SSL
in
note
16
as
well,
and
then
his
response
was
yeah,
but
we
no
longer
supported
it.
So
we
expect
user
to
to
update
to
17
or
18..
So
they
didn't
even
thought
to
mention
it,
but
the
vulnerability
is
still
there
so
that
and
it's
not
something
that
they're
planning
to
fix,
because
it's
end
of
life
right.
C
C
A
B
I
guess
one
thing
I
was
going
to
add
to
that
really
quick
is
one
thing
to
be
cautious
of.
If
you
do
start
looking
at
branches
is
there
might
be
branches
that
aren't
tied
to
a
major
version
and
if
you
start
opening
PR's
against
those,
oh
boy,
I.
A
C
I
think
that
makes
the
most
amount
of
sense,
so
is
that
is
that
a
rule
that
we
want
to
encode
in
the
in
this
in
this
policy
that
the
the
the
change
should
always
be
contributed
against
the
the
default
branch.
D
A
D
A
And
I
think
sorry
to
bring
this
up
again,
but
I
think
private
pivars
for
security
vulnerability.
Disclosures
are
critical,
I,
don't
know
how
we
can
have
GitHub
enable
those
by
default.
Yes,
that's
I,
think
that's
the
main
pushback
that
you've
been
getting
from
maintainers
is
that
you
announce
the
vulnerability
before
they
can
merge
it
and
incorporate
in
all
of
their
versions.
A
C
Yeah
the
I
I
need
to
so
so
Michael
scovera
is
communicated
with
me
that
he's
gonna
be
sitting
down
with
the
GitHub
folks
about
that
shortly.
To
discuss
that
feature
and
having
it
being
enabled
by
default.
C
There's
one
so
under
mandatory
private
disclosure,
this
other
topic
the
I.
So
what
what
I
originally
said
was
the
top
10
vulnerable
projects
within
the
top
10
000
critical,
open
source
projects,
as
defined
by
the
open
SSS
security
critical
projects
working
group
must
receive
private
disclosure
reports
manually
if
needed.
Disclosures
may
follow
a
standard
disclosure
timeline
example.
90
day
disclosure
timeline
the
so
two
problems
with
this
line
when
I
wrote
it
first
off
the
top
10
000
critical
OSS
projects
list
is
not
an
ordered
list.
C
It's
an
unordered
list
and
the
second
problem
with
it
is
that
that
list
actually
wasn't
developed
by
the
open
source
security,
Foundation
critical
projects
working
group.
It
was
developed
by
Alpha
Omega.
So
one
of
the
concerns
that
I
have
is
if
there
is
a
list
of
top
10
000
projects
and
you've
got
a
vulnerability
that
impacts
the
top.
You
know
or
impacts
100
of
them,
or
you
know
a
thousand
of
them.
C
C
It's
a
difficult
proposition
to
say:
you've
got
to
go
through
manual
disclosure
on
all
all
of
these
projects
and
so
Brian,
spelling
Brian,
Bell
North's
response
to
this
is
why
only
the
top
ten
shouldn't
reports
all
be
private
at
first
and
my
thought
is:
I,
don't
know
how
to
solve
this
problem
right
like
you
want.
You
want
to
privately
disclose
to
the
critical
projects,
but
if
there's,
if
they
haven't,
enabled
get
a
private
disclosure,
how
do
you
do
this
in
a
way?
That's
same.
C
There
was
a
flow
that
was
proposed
by
yes
Nia
and
myself.
That
is
a
corollary
to
this,
where
you
automate
the
process
of
issuing
an
issue
requesting
that
the
maintainer
enable
private
disclosure
and
then
from
there
you.
C
C
C
So
the
top
10
000
is
intended
to
be
a
list
of
top
critical
open
source
projects,
as
defined
by
either
the
open
source
security,
Foundation
critical
projects.
There's
like
a
there's,
a
calculation
that
I
can't.
You
can
run
against
a
repository
to
determine
if
it's
in
the
critical
like
give
it
a
criticality
score,
then
there's
also
the
Harvard
census.
That
was
done
that
determined
what
critical
open
source
projects
were.
So
there's
a
couple
of
lists
out
there
that
were
kind
of
glommed
together
to
become
the
critical
10
000
list.
C
C
C
B
Hope,
maybe
a
dumb
question.
So
what's
the
distinction
with
these
critical
projects
or
like
wanting
to
do
the
private
disclosure
versus
public?
Is
that
just
because
the
Fallout
from
doing
a
public
disclosure
could
be
more
significant,
yeah.
B
C
C
When,
when
this
feature
get
like
when,
when
there's
an
API
finally
for
get
a
security
advisories,
we
can
get
to
the
point
where
we
say
all
right.
C
D
E
C
Yeah,
the
the
other
big
issue
that
I've
run
into
is:
there's
a
lot
of
projects
that
are
unmaintained
and
so
someone
coming
across
a
project.
It's
more
I
think
at
a
certain
point,
it's
more
important
for
somebody
to
come
across
an
open
source
project
and
see
the
pull
request,
but
I
guess
we're
still
putting
that
20-day
timeline
on
there
right,
like
you,.
E
B
C
So
I
would
love
to
get
here
when
GitHub
supports
it.
But
do
we
build
this
document
around
what
GitHub
doesn't
support
today,
but
will
be
or
we
theorize
that
they're
supporting
or
do
we
build
it
around?
What
GitHub
is
currently
supporting
and
then
modify
it
once
there
are
more
capabilities
that
we
can
work
with.
B
Something
else
that
comes
to
mind
is
what,
if
projects
are
hosted
on,
say
a
different
platform
that
doesn't
support
this
yet
so
maybe
the
same
thing
would
be
having
something
to
find
where,
if
the
platform
doesn't
support
automated
private
disclosures,
you
do
one
thing
and
if
it
does,
then
you
just
use
automated
private
disclosures.
C
D
Yes,
all.
C
Right,
let's
so
so
the
current
state
of
the
world
is
no
platform
supports
this
right.
No
platform
supports
this.
So,
given
that
no
platform
supports
this,
we're
currently
left
with
open
pull,
requests
right
and
the
thing
we're
trying
to
avoid
is
private
disclosure
or
sorry.
The
thing
we're
trying
to
avoid
is
the
problem.
We're
trying
to
solve
is
the
scale
of
the
problem
right.
The
scale
of
the
problem
is:
you've,
got
50
60,
100
000
projects
all
with
the
same
vulnerability.
C
No,
because
every
single
project
has
a
different
disclosure
channel
right,
some
of
them
use
hacker
one,
some
of
them
use
security.txt.
You
know
some.
Some
of
them
have
a
security
email
address.
Some
of
them
use
bug
crowd
because
the
the
disclosure,
because
there's
no
standardized
disclosure
Channel.
B
I
mean
dumb
idea,
and
probably
don't
do
this.
What
if
it's
something
like
creating
automated
issues
to
say,
hey,
we
suspect
we
have
a
vulnerability
for
your
project.
Please
contact
us.
F
So,
with
respect
to
do
we
make
the
dock
for
what's
available
today
versus,
what's
available
next
I
think
maybe
I
haven't.
You
know,
I
missed
parts
of
that.
F
You
know
the
maybe
it's
written
here
in
somewhere
in
the
dock,
but
it
sounds
like
if
the
time
is
going
to
take
to
you
know
to
review
and
ratify
this
document
and
then
to
get
people
that
actually
put
in
practice.
It's
going
to
be
longer
than
some
things
like
that.
You
know
you
mentioned
earlier,
maybe
two
to
three
weeks
for
some
things
to
become
available
or
apis
for
the
I
think
you
know
they
could
have.
F
What's
it
called
they
GitHub
security
advisory.
You
know
and
something
like
a
timeline
like
that
I
think
it's
reasonable
to
plan
it
out
and
have
the
discussion.
Otherwise,
maybe
you
know
have
a
section
or
for
proposed,
like
you
know
next
version
of
this,
so
you
could.
We
could
have
a
broken
out
in
section
of
for
okay
like
what's
you
know
what
is
going
to
be
the
you
know,
the
next
version.
E
F
The
stock
with
future
facing
features
that
we
expect
to
be
there
and
then
that
can
help
shape
what
we're
a
Consolidated
view
of
whether
the
request
would
be
to
different.
You
know
different
repositories.
C
C
So
I
think
that
what
so
yes,
given
the
timeline
that
this
document
is
getting
processed,
I,
think
that
if
we've
seen
two
weeks,
we'll
get
up
supports,
that'll
be
really
valuable.
I
mean
this
is
this.
This
working
group
doesn't
meet
until
two
weeks
out
anyway,
so
we
will
hopefully
see
what
GitHub
announces
between
now
and
then
yeah
I
think
I
think
that
so
there's
two
solutions.
C
This
problem
either
we
order
the
10
000
like
either
we
get
someone
to
order
the
top
10
000
projects
list,
and
then
we
can
say
like
these
are
the
top
10
or
20
some
odd
projects
within
this
list
right
like
or
these
are
like
10,
20,
critical
impacted
projects
or
we
remove
this
or
environment
and
like
make
it
a
general
rule,
if
you
have
to
you,
have
to
use
ghsas
whenever
those
that's
supported,
but
then
how
do
you
right?
So
how
do
you?
How
do
you?
B
G
C
G
C
E
C
There
was
another
thing
that
Brian
wanted
in
this
document.
He
said
a
public
so
for
vulnerability.
Messaging,
a
campaign
must
include
information
like
the
impact
of
the
vulnerability
being
fixed,
a
description
of
the
code
change
with
the
fixed.
C
For
real
humans
who
could
follow
up
on
the
pr
I
was
thinking
that
that
so
he
wants
to
add
that
as
a
requirement,
I
was
thinking.
If
we,
if
we
leave
that
requirement
in
there,
that's
fine,
but
something
that
can
satisfy
that
constraint
is
just
an
issue
that,
like
all
these
like
that
can
be
a
website
or
a
page.
C
Well,
so
what
I've
done
previously
is
I,
just
if
you
go
to
my
issues,
I
just
have
like
both
PR
tracking.
So
these
are
the
tracking
issues,
and
literally
every
time
you
open
these
tracking
links.
Every
single
pull
request
is
linked
back
to
this
issue,
so
you
can
see
all
the
pull
requests
that
were
generated
from
this
that
and
so
that
information
could
satisfy
this
policy
right.
You
can
just
use
a
GitHub
issue
with
that.
B
That
question
so
having
the
contact
information
makes
a
lot
of
sense.
The
page
for
the
campaign
I'm
trying
to
understand
the
distinction
between
that
and
just
the
description,
that's
already
in
the
pr.
C
B
C
So
Brian's
argument
is
that
it
should
should
be
an
initial
PR
message
that
people
see
it
immediately
at
Ru.
Why
wait
until
you
know
wait
that
was
the
point
of
the
public
page
is
describe
the
campaign
and
give
reference
Authority.
C
C
I
don't
know
I'm
gonna
talk
to
Brian
about
that
and
ask
him
to
give
further
feedback
on
this
on
this
issue.
Xavier
wanted
to
add
this
requirement
that
there
was
a
statement
that
the
pull
request
had
been
reviewed
by
a
third
party.
C
The
topic
being
like
he
said,
okay,
so
this
be
a
can,
not
a
must
the
the
idea
being
that,
like
the
pull
request,
has
had
some
third
third
party
externally
say
like
yes,
this
looks
like
a
valid
security
fix,
so
it
can't
be
within
your
organization.
So
let's
say,
you've
got
tralex
issuing
the
polar
price
you've
got
to
ask
some
other
third
party
organization
to
vet.
Your
change.
C
C
So
in
the
past,
I
have
asked
to
get
up
security
lab
to
review
the
change
that
I'm
going
to
be
making
so
like
I
tell
them
like
hey.
This
is
the
this
is
the
this
is
the
what
the
change
is
going
this.
This
is
what
the
change
will
be
that
I'm
making.
Does
this
make
sense.
C
It
so
his
his
point
is
that
it
it
so
it
says,
I
think
that
adding
this
info
in
the
pr,
if
this
third
party
is
willing
to
add
its
name
to
The
Campaign,
which
might
always
be
the
case,
adds
more
weight
and
decreases
the
suspicion
of
bad
intention.
G
So
so
the
idea
is
in
terms
of
the
flow
that
this,
this
kind
of
peer
review
will
happen
before
the
actual
automatic
VR
is
created,
and
then
in
the
pr
it
will,
it
will
be
listed,
for
example,
this
this
was
reviewed
by.
D
D
B
B
Maybe
you
could
distinguish
that,
as
this
campaign
has
been
reviewed
by
a
third
party.
Yes,.
C
E
B
D
C
D
C
E
B
I
guess
my
two
cents
would
be
being
pretty
explicit
about
it
being
the
campaign
and
not
the
pr,
because
they
assume
the
intent
is
hey.
This
isn't
spam
here
is
this
third
party
that
took
a
look
at
the
campaign
that
we're
doing
yeah.
D
E
B
Especially
because
one
pain
point
that
you
could
run
into,
if
you
say
hey,
this
PR
was
reviewed
by
the
third
party,
is
then
what
if
the
pr
happens
to
be
one
of
the
edge
cases
that
you
missed
with
your
unit
tests
and
they're
like
freak
out
over
the
code,
change
being
either
incorrect
or
applying
to
the
wrong
section
of
code?
B
C
We're
at
time,
but
I
want
the
one
final
thing
I
want
to
cover
is
I
agree
with
zavier's
Point
here
and
automated
vulnerability.
Fixed
campaign
must
not
be
used
to
advertise
a
company
or
product
or
service.
Does
that
make
sense.
C
C
Out
sponsorship
and
support:
this
is
what
I
put
previously
in
campaigns
like
this
contribution
was
sponsored
by
human
security
and
the
new
Dan
Community
Fellowship,
a
fellowship
creative,
celebrate
dance
memory
and
Legacy
by
funding
open
source
work
that
makes
the
world
a
better
and
more
secure
place
is
PR
was
generated
by.
D
C
For
open
for
free
for
open
source
SAS
offering
that
uses
format,
preserving
AST
transformations
to
fix
bugs
standardized
code
and
apply
best
practices,
my
migrate
Library
versions
and
fix
common
vulnerabilities
at
scale,
so
it's
not
really
is
it.
Is
that
an
advertisement.
B
C
I
will
I
will
I
will
say
so.
I
added
it
to
the
spec.
All
right,
I
will
work
on
this
document
more
and
try
to
review
some
more
feedback.
I
do
want
to
close
it
out.
We
are
five
minutes
over
anybody.
Thank
you
for
coming.
I,
hope,
I'll,
see
you
all
in
two
weeks,
it'd
be
lovely
to
see
you
all
again.
C
Hopefully,
we'll
have
a
little
bit
more
attendance
too
I
know
some
people
that
meant
to
make
it
but
couldn't
and
feel
free
to
continue
to
look
over
this
document,
read
it
through
and
add
comments
and
and
suggestions
throughout
it.
You
know
the
more
we
can
move
this
document
forward,
the
the
best
yeah.
So
thank
you
all
any
other
questions
or
concerns
or
final
points.