►
C
F
A
D
D
D
C
So
I
spoke
to
I
spoke
to
Brian
bellendorf
about
the
calendar
topic
and
the
current
best
practice
for
managing
calendar
invites
from
the
open.
Ssf
is
to
copy
the
or
have
the
openness
as
a
calendar,
and
then
on
all
of
the
calendar
invites
you
can
do
a
drop
down
and
then
there's
a
copy
button
and
that
will
copy
the
calendar
invite
to
your
own
calendar.
C
And
so
that's
the
best
way
to
manage
invites
because
the
open
ssf
doesn't
want
the
project
maintain
or
the
project
leads
and
the
and
the
or
the
the
to
manage
calendar
invites
and
there's
no
great
way
for
people
to
opt
into
the
calendar
invites
themselves
by
like
an
email
group
or
something
like
that.
So
best.
C
C
Let's
do
intros,
there
are
some
new
faces
here,
so
let's
just
go
around
and
introduce
ourselves.
I'll
start
thanks.
Jonathan,
let
you
I
am
the
a
senior
software
security
researcher
for
Linux
Foundation
under
project
Alpha
Omega,
which
is
under
open
source
security.
Foundation
I'm
known,
are
the
work
that
I've
been
doing
over
the
past.
E
A
A
I'm
gonna
go
next
I'm
co-founder
at
the
Modern,
the
the
company
behind
opener,
right,
refactoring
engine
and
recipes
working
with
a
lot
of
vendors
working
with
Jonathan
light
show.
Thank
you,
Jonathan
for
your
contributions
with
security
recipes
and
around
control
flow
in
the
data
flow
really
enjoy
working
with
you
push
the
boundaries
of
so
many
things.
I
really
enjoy
working
with
you.
G
We
do
management
based
on
runtime
analysis,
so
we
prioritize
vulnerability
based
on
the
fact
that
there
are,
they
have
active
code,
that's
loaded
to
memory
and
we
do
a
bunch
of
other
stuff.
It's
also
involved
in
several
other
open
ssf
working
groups,
as
well
as
the
sister,
mainly
the
Vex
working
group
when
I
when
I
find
the
time
I
try
to
pop
in
to
a
few
others
around
s-bomb.
F
All
right,
I
can't
get
my
video
working
there's
a
browser
but
I'm
Matt,
Smith
I'm
working
at
Google
right
now,
I'm
in
the
Google
Cloud
section,
but
I'm
really
interested
in
the
you
know
over
the
the
overlay
between
open
source-
and
you
know
what
cloud
customers
need.
So
essentially
you
know
that
most
of
the
dependencies
are
open
source.
So
how
do
we
you
know?
How
do
we
understand
how
to
fix
open
source
and
bring
it
to
the
cloud
customers?
B
C
D
C
C
This
is
the
specification
defining.
What
is
a
the
proposed
idea
is
defining
an
open
source
security,
Foundation
compliant
automated
vulnerability
fix
campaign.
So
it's
at
a
high
level.
It's
a
it's
a
document
that
states.
If
you
follow
these
sets
of
rules,
you
can
throw
the
open
source
security,
Foundation
name
on
your
campaign,
and
you
know
it
it
will.
It
will
have.
C
Hopefully
it
will
mean
that
your
campaign
is
following
the
best
practices
in
that
that
the
open
source
security
Foundation
is
defined
around
around
this
topic,
so
I've
I've
had
it
get
reviewed
from
people
from
like
Kate
Catlin
who's,
the
PM
for
github's
security,
Xavier
who's,
the
head
of
the
GitHub
security
lab
I've,
run
it
by
a
couple.
Other
people
there's
some
open
topics
and
open
questions
that
exist
within
this
document
that
we
want
to
discuss.
C
C
Yes,
but
opting
out
doesn't
mean
PR
not
said
it
means
PR
as
a
public
ID
like
so
the
diff
will
be
public
by
default,
and
then
the
other
option
is
yes,
which
means
the
project
is
skipped
entirely,
and
then
we
we
publish
that
list.
You
can
always
publish
that
list
of
pros
of
projects
who
have
opted
out
on
a
public
website,
or
something
like
that.
Does
anybody
here
have
any
opinions
on
this
topic.
C
E
C
E
C
Okay,
so
GitHub
security
advisor
is
the
way
so
when
you're
disclosing
a
vulnerability,
the
current
flow
is
you
ask
a
maintainer
hey?
Can
you
open
a
GitHub
security
advisory?
They
say:
yes,
they
open
the
advisory,
they
invite
you
to
it.
You
have
the
discussion
there.
The
problem
with
that
is
that
there's
this
lead
time
where
you
have
to
ask
the
maintainer
to
open
a
GHSA
to
let
you
report
the
vulnerability
to
them
and
so
current.
So
the
current
model
is
like
two
stages
right.
C
The
goal
of
this
new
feature
that
get
announced
back
in
November
is-
or
this
new
feature
they
announced-
is
the
ability
for
main
security
researchers
to
report
security
vulnerabilities
to
projects
proactively.
So
there's
a
a
under
the
security
tab.
You
can
select
I
want
to
disclose
a
vulnerability
and
that'll
immediately
create
the
private
Channel
you
can
discuss
things
in
GitHub
is
not
open
this
up
publicly
for
or
it's
it's
an
it's
an
opt-in
feature
that
you
can
enable
on
a
repository.
F
C
C
C
Right
so
GitHub
is
adding
support
for
an
API
for
opening
phase
or
opening
private
disclosure
channels,
and
also
interacting
with
ghsas
via
GitHub,
the
so
that
that
is
coming,
hopefully
within
the
next
two
three
weeks.
So
we
should
see
that
the
outstanding
problem
is,
if
so,
maintain
or
opts
out.
The
way
that
I've
been
handling
opt
out
to
this
point
is
I.
I
will
screen
share
I've
been
doing
this,
so
I
have.
C
Vulnerability
security
fixes
please
consider
adding
a
file
called
GH
or
dot
pH
or
sorry
dot,
GitHub,
ghrobots.txt,
I'm
sure
repository
with
the
following
line
for
many
years.
No
repository
did
this,
but
more
recently,
some
projects
like
the
Apache
software
Foundation,
has
done
this,
and
the
Jenkins
team
did
this
at
a
at
the
top
level
in
their
dot.
Github
repository
I
wasn't
really
necessarily
considering
that
one,
the
Jenkins
case,
but
the
Apache
software
foundation
in
a
couple
of
their
Apache
Commons
libraries
has
done
this.
C
So
this
is
the
kind
of
standard
that
I
was
proposing
that
we,
you
know
if
we
were
to
do
an
opt-out
mechanism.
This
would
be
the
opt-out
mechanism
or
there's
another
standard.
That's
Luigi
is
working
on
a
project
that
is
like
some
Json
file.
You
drop
in
your
GitHub
repository
that
defines
a
bunch
of
characteristics
about
it.
Like
is
this
project
alive?
Is
it
dead?
Do
you
accept?
You
know,
contributions,
yada
yada,
and
so
this
could
be
another
optional
field
in
that
standard
as
well.
C
C
E
E
B
Because
otherwise,
if
it's
just
a
blanket
turn,
everything
off
I,
don't
know
that
it
would
get
the
job
done,
but
and
I
guess
the
other
side
of
that
is.
If
you
make
it
per
project,
then
it's
also
well.
If
they
have
like
20
different
things,
they
have
to
opt
out
of
that
might
also
piss
them
off.
So
granular.
B
D
C
F
F
Like
to
me,
they
would
have
legitimacy
and
be
more
like
mailing
lists
versus
spam,
but
I
just
I,
don't
think
I
understand
what
would
be
the
Dynamics
between
if
you
wanted,
only
certain
campaigns
or
certain
submitters
to
do
it.
Yeah
so
I
think
exploring
the
granularity
and
like
what
do
some.
What
do
package
maintainers
want?
It's
interesting.
C
C
C
So
GSD
is
a
database
of
vulnerabilities
and
it
it
I've
spoken
to
culinary
gsds
is
like
cve
light,
so
it's
an
IV
id4
vulnerability,
but
it
doesn't
necessarily
need
to
go
through
the
vetting
process
that
CBE
requires
and
so
you're
saying
that
we
could
theoretically
assign
a
G's
GSD
to
it.
Even
though
right
you
fix
it
or
you
fix
it,
but
you
don't
contribute
it
and
you
publish
it
somewhere,
saying
hey!
This
fix
is
pending
with
the
maintainer
rejected.
It.
D
B
B
C
C
Ok
Okay
so
then
so
you're
still
disclosing
the
vulnerability
in
that
way,
but
you're,
not
okay,
and
so
you
you
can
so
communicating
that
this
is
the
flow
right
in
in
the
main,
to
the
maintainer
saying
like
hey.
If
you
opt
out
in
the
future,
just
a
heads
up
you're
still
the
vulnerability
will
still
get
published
and
still
go
public,
but
you're
just
not
going
to
get
harassed
about
it
like.
If
that,
if.
B
D
D
F
Sorry
I
was
interrupting.
I
think
it'd
be
nice
to
have
if
there's
a,
if
there's
a
global
opt-out
to
have
that
data
accessible
because
I
know
some
some
folks
are
they're
putting
together
sort
of
scorecards
and
you
know
other
ways
of
evaluating
open
source
repositories
so
yeah,
if
they're,
if
they're
not
accepting
these,
maybe
that'll
factor
into
a
signal
so
having
one
Global
opt-out
list,
that's
accessible.
C
F
I
was
thinking
that,
if,
if
let's
say
you
know
yeah,
they
might,
they
might
have
it
in
their
GitHub
repository.
But
if
I'm
developing
a
tool
and
I'm
going
to
use
that
automated
to
put
a
bunch
of
pull
requests
that
I'm
going
to
have
to
go
and
look
up
the
opt-out
lists
at
some
point.
So
that
I'm
not
bothering
those
folks
because
that's
sort
of
like
what
I'm
imagining
is
the
coordination
from
different
people.
Trying
to
you
know
like
comply
with
this
specification.
C
So
there
I
think
maybe
ties
in
to
another
component,
which
is
around
security
assertions,
and
so,
given
that
security
assertions,
which
is
a
project
that
is
also
someone
under
Alpha
Omega,
is
being
built
out
as
a
a
platform
to
show
the
stuff
that
could
be
a
place
where
this
information
gets
encoded.
It's.
So
it's
not
a
requirement
of
this
working
group
that
that
information
be
centralized,
but
it
could
be
something
that
the
security
assertions
working
group
UI
presents
as
one
of
those
assertions
that
hey
this
project
has
opted
out.
F
C
Yeah,
and
so
that
would
make
that
something
that
is
encode
I
think
that
the
the
encoding,
the
information
that
the
opt-out
is
present
into
the
repository,
so
source
code
means
that
you
can
always
be
using
the
late
like
if
they
decide
to
opt
back
in
they
can
just
change,
delete
a
file
from
the
repository
right.
So,
but
you
want
that
centralized
location
for
that
information,
so
security,
surgeons,
I
think,
could
stop
that
problem.
G
Yeah
just
another
use
case,
I
see
for
the
opt-out,
is
for
end
of
life,
end
of
support
versions,
so
you
could
have
a
vulnerability
in
a
in
a
version
of
a
package
that
is
no
longer
supported
and
the
maintainer
will
tell
you:
okay,
I'm,
not
going
to
fix
it.
It's
it's
out
of
scope
and
that's
a
use
case
where
he'll
probably
opt
to
opt
out
for
those
specific
versions.
G
G
So
so
the
the
the
the
reason
this
pop
to
mind
is
there
was
this
vulnerability
recently
where
you
had
with
open,
SSL
and
node
had
it
built
in
into
their
code,
and
then
it
was
relevant
from
node
16
through
note,
17
and
up
to
node
18,
and
then,
when
node
issued
their
security
advisory.
They
said
folks
that
are
using
node,
17
and
18.
Please
be
advised.
We
have
this
vulnerable,
open,
SSL
and
upgrade,
and
then
I
told
I
reached
out
to
the
one
of
the
core
maintainers
and
I
told
you.
G
You
have
open
SSL
in
note
16
as
well,
and
then
his
response
was
yeah,
but
we
no
longer
supported
it.
So
we
expect
user
to
to
update
to
17
or
18..
So
they
didn't
even
thought
to
mention
it,
but
the
vulnerability
is
still
there
so
that
and
it's
not
something
that
they're
planning
to
fix,
because
it's
end
of
life
right.
E
C
C
A
B
A
D
D
D
A
And
I
think
sorry
to
bring
this
up
again,
but
I
think
private
pivars
for
security
vulnerability.
Disclosures
are
critical,
I,
don't
know
how
we
can
have
GitHub
enable
those
by
default.
Yes,
that's
I,
think
that's
the
main
pushback
that
you've
been
getting
from
maintainers
is
that
you
announce
the
vulnerability
before
they
can
merge
it
and
incorporate
in
all
of
their
versions.
A
C
C
There's
one
so
under
mandatory
private
disclosure,
this
other
topic
the
I.
So
what
what
I
originally
said
was
the
top
10
vulnerable
projects
within
the
top
10
000
critical,
open
source
projects,
as
defined
by
the
open
SSS
security
critical
projects
working
group
must
receive
private
disclosure
reports
manually
if
needed.
Disclosures
may
follow
a
standard
disclosure
timeline
example.
90
day
disclosure
timeline
the
so
two
problems
with
this
line
when
I
wrote
it
first
off
the
top
10
000
critical
OSS
projects
list
is
not
an
ordered
list.
C
It's
an
unordered
list
and
the
second
problem
with
it
is
that
that
list
actually
wasn't
developed
by
the
open
source
security,
Foundation
critical
projects
working
group.
It
was
developed
by
Alpha
Omega.
So
one
of
the
concerns
that
I
have
is
if
there
is
a
list
of
top
10
000
projects
and
you've
got
a
vulnerability
that
impacts
the
top.
You
know
or
impacts
100
of
them,
or
you
know
a
thousand
of
them.
C
C
It's
a
difficult
proposition
to
say:
you've
got
to
go
through
manual
disclosure
on
all
all
of
these
projects
and
so
Brian,
spelling
Brian,
Bell
North's
response
to
this
is
why
only
the
top
ten
shouldn't
reports
all
be
private
at
first
and
my
thought
is:
I,
don't
know
how
to
solve
this
problem
right
like
you
want.
You
want
to
privately
disclose
to
the
critical
projects,
but
if
there's,
if
they
haven't,
enabled
get
a
private
disclosure,
how
do
you
do
this
in
a
way?
That's
same.
C
C
C
So
the
top
10
000
is
intended
to
be
a
list
of
top
critical
open
source
projects,
as
defined
by
either
the
open
source
security,
Foundation
critical
projects.
There's
like
a
there's,
a
calculation
that
I
can't.
You
can
run
against
a
repository
to
determine
if
it's
in
the
critical
like
give
it
a
criticality
score,
then
there's
also
the
Harvard
census.
That
was
done
that
determined
what
critical
open
source
projects
were.
So
there's
a
couple
of
lists
out
there
that
were
kind
of
glommed
together
to
become
the
critical
10
000
list.
C
C
C
B
B
C
C
D
E
C
Yeah,
the
the
other
big
issue
that
I've
run
into
is:
there's
a
lot
of
projects
that
are
unmaintained
and
so
someone
coming
across
a
project.
It's
more
I
think
at
a
certain
point,
it's
more
important
for
somebody
to
come
across
an
open
source
project
and
see
the
pull
request,
but
I
guess
we're
still
putting
that
20-day
timeline
on
there
right,
like
you,.
E
B
C
So
I
would
love
to
get
here
when
GitHub
supports
it.
But
do
we
build
this
document
around
what
GitHub
doesn't
support
today,
but
will
be
or
we
theorize
that
they're
supporting
or
do
we
build
it
around?
What
GitHub
is
currently
supporting
and
then
modify
it
once
there
are
more
capabilities
that
we
can
work
with.
C
C
Right,
let's
so
so
the
current
state
of
the
world
is
no
platform
supports
this
right.
No
platform
supports
this.
So,
given
that
no
platform
supports
this,
we're
currently
left
with
open
pull,
requests
right
and
the
thing
we're
trying
to
avoid
is
private
disclosure
or
sorry.
The
thing
we're
trying
to
avoid
is
the
problem.
We're
trying
to
solve
is
the
scale
of
the
problem
right.
The
scale
of
the
problem
is:
you've,
got
50
60,
100
000
projects
all
with
the
same
vulnerability.
C
No,
because
every
single
project
has
a
different
disclosure
channel
right,
some
of
them
use
hacker
one,
some
of
them
use
security.txt.
You
know
some.
Some
of
them
have
a
security
email
address.
Some
of
them
use
bug
crowd
because
the
the
disclosure,
because
there's
no
standardized
disclosure
Channel.
B
F
F
You
know
the
maybe
it's
written
here
in
somewhere
in
the
dock,
but
it
sounds
like
if
the
time
is
going
to
take
to
you
know
to
review
and
ratify
this
document
and
then
to
get
people
that
actually
put
in
practice.
It's
going
to
be
longer
than
some
things
like
that.
You
know
you
mentioned
earlier,
maybe
two
to
three
weeks
for
some
things
to
become
available
or
apis
for
the
I
think
you
know
they
could
have.
F
What's
it
called
they
GitHub
security
advisory.
You
know
and
something
like
a
timeline
like
that
I
think
it's
reasonable
to
plan
it
out
and
have
the
discussion.
Otherwise,
maybe
you
know
have
a
section
or
for
proposed,
like
you
know
next
version
of
this,
so
you
could.
We
could
have
a
broken
out
in
section
of
for
okay
like
what's
you
know
what
is
going
to
be
the
you
know,
the
next
version.
E
F
C
C
So
I
think
that
what
so
yes,
given
the
timeline
that
this
document
is
getting
processed,
I,
think
that
if
we've
seen
two
weeks,
we'll
get
up
supports,
that'll
be
really
valuable.
I
mean
this
is
this.
This
working
group
doesn't
meet
until
two
weeks
out
anyway,
so
we
will
hopefully
see
what
GitHub
announces
between
now
and
then
yeah
I
think
I
think
that
so
there's
two
solutions.
C
This
problem
either
we
order
the
10
000
like
either
we
get
someone
to
order
the
top
10
000
projects
list,
and
then
we
can
say
like
these
are
the
top
10
or
20
some
odd
projects
within
this
list
right
like
or
these
are
like
10,
20,
critical
impacted
projects
or
we
remove
this
or
environment
and
like
make
it
a
general
rule,
if
you
have
to
you,
have
to
use
ghsas
whenever
those
that's
supported,
but
then
how
do
you
right?
So
how
do
you?
How
do
you?
B
G
C
G
C
E
C
C
For
real
humans
who
could
follow
up
on
the
pr
I
was
thinking
that
that
so
he
wants
to
add
that
as
a
requirement,
I
was
thinking.
If
we,
if
we
leave
that
requirement
in
there,
that's
fine,
but
something
that
can
satisfy
that
constraint
is
just
an
issue
that,
like
all
these
like
that
can
be
a
website
or
a
page.
C
Well,
so
what
I've
done
previously
is
I,
just
if
you
go
to
my
issues,
I
just
have
like
both
PR
tracking.
So
these
are
the
tracking
issues,
and
literally
every
time
you
open
these
tracking
links.
Every
single
pull
request
is
linked
back
to
this
issue,
so
you
can
see
all
the
pull
requests
that
were
generated
from
this
that
and
so
that
information
could
satisfy
this
policy
right.
You
can
just
use
a
GitHub
issue
with
that.
B
B
C
C
C
C
The
topic
being
like
he
said,
okay,
so
this
be
a
can,
not
a
must
the
the
idea
being
that,
like
the
pull
request,
has
had
some
third
third
party
externally
say
like
yes,
this
looks
like
a
valid
security
fix,
so
it
can't
be
within
your
organization.
So
let's
say,
you've
got
tralex
issuing
the
polar
price
you've
got
to
ask
some
other
third
party
organization
to
vet.
Your
change.
C
C
D
D
C
E
B
D
C
D
C
E
B
D
E
B
C
C
D
C
B
C
C
Hopefully,
we'll
have
a
little
bit
more
attendance
too
I
know
some
people
that
meant
to
make
it
but
couldn't
and
feel
free
to
continue
to
look
over
this
document,
read
it
through
and
add
comments
and
and
suggestions
throughout
it.
You
know
the
more
we
can
move
this
document
forward,
the
the
best
yeah.
So
thank
you
all
any
other
questions
or
concerns
or
final
points.