From YouTube: OpenSSF Vulnerability Disclosures (July 5, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
B: Does it flag it, does it comment and flag the parameter as a source, or does it just tag the usage of it?

C: Do you want to tag the parameter itself?

B: I think, in order to do that, in order to support that, you'll need to make the sink flow hold a data flow node instead of holding a cursor.

E: In Arizona, this.

B: Hello, Yesenia, hello, so let me.

B: So, I should have done meeting notes. Here.

B: Somebody was working on coming up with the stories, the user story or the case, not the case studies. The example scenarios.

B: Foundation, yeah. Zombie's proposal is that the change gets reviewed by another org to make sure that, like, it's compiling, fixing all test cases, like.

B: Basically, reviewing you.

B: Xavier's right, it should be 4.3, external review.

B: Where is that? What Zombie was asking for.

B: Before deploying that, before deploying the campaign. Okay, thank you, and then to cover.

B: Okay, all right, that's handled! So that's silly.

B: Good, so do you want to discuss the cases that you wanted to propose for covering in the example scenarios?

G: I don't think I've created, for the last two I haven't finished it, but I can try to paste it and then format it later. But this is what I have, okay, now. Hopefully I won't warm it.

G: If PVR is enabled, then, in that case, let's see, we can just, like, let them know about the vulnerability and fix it immediately. And then the other one was if it's not enabled and the issue is disabled and the disclosure email can be found, in this case we want to, like, create a public... Well, what I understood is that we create a public pull request to notify the maintainer.

B: Communication, the repository host has PMPVR, wait, PMPVR, by the way, the repository host, wait, where they're the maintainer, their repository does not have PMPVR enabled and the vulnerability is not fixed after 90 days. Yeah. Create a pull request in this case.

B: In the case where the repository is not PMPVR-enabled and, after reaching out by both email and issue tracker, the vulnerability is not fixed after 90 days, you can create a public pull request, yeah. So there's the reach-out step that still occurs here on the right side.

B: Does not support PMPVR, then find the security reporting email with the OpenSSF disclose check instead.

B: To request, yes: well, so the repository host does not support PMPVR. So there's a difference here: if the repository host doesn't support PMPVR, that's like GitHub, GitLab, or Bitbucket not supporting PMPVR. So if the host doesn't support it, then the repository can't turn it on, because, I mean, because the code base itself does, like, the, where.

B: If we can send on any emails, we can't request with Daniel PVM PVR. We send automated emails with the patch and.

B: A patch means two things, kind of. So in the general sense, patch means a contribution, but a patch file, which is .patch, is a standard format for defining a diff, that is, like, from what the code currently is, the diff to what we want it to be. It's a standard format of .patch files that tooling, like git and other things, can use to apply git commits. When you see the commits, commits are always in patch format.

B: There won't be an existing issue, yeah. Also, if they don't support PMPVR, then, so, yeah. So if the PMPVR is not enabled, this case, right, and the vulnerability is not fixed, so earlier, right, this might be like PMPVR. Let's do this: 3.1.3.

B: Issue tracker, requesting PMPVR enabled, and then 3.1.3.1 would be vulnerability is not fixed.

B: If equivalent, so then, so like, this is a subsection under 3.1, right. So let's say the vulnerability is not, so. In this case, right, PMPVR is not enabled, in the case where the repository is not PMPVR-enabled.

B: Reach out via email and the issue tracker requesting PMPVR be enabled. The email will also include the patch with the fix for the vulnerability.

B: And then email's not found, emails bounced back, this would be, so emails are not found could be under PMPVR is not enabled, right.

B: Yes, fine, love, okay, so in this case, if PMPVR already enabled, the issues are enabled, if.

B: If emails are not found, then we, this, in this case, public disclosure.

B: All right, 3.1.1, PMPVR is enabled: in a case where the repository host supports PMPVR and the repository has it enabled, then the vulnerability and the fix will be provided immediately by a PMPVR. PMPVR is not enabled, issues are disabled and disclosure emails can't be found: in a case where the repository PMPVR is not enabled.

B: Are only, we do so where PMPVR is not enabled, the issues are disabled and the email is not found, then create a public pull request immediately. So that's, that's a, that. The public pull request is the fix with the disclosure of the details.

D: Okay, I don't know if you want to just put that out. Just noting that it does include the, there you go.

B: Email and hit the issue tracker requesting PMPVR enabled. The email also includes the patch with the fix for the vulnerability. 3.1.3.1: if PMPVR, if within 90 days of contacting the maintainers, PMPVR is enabled, contribute the patch by a private pull request leveraging PMPVR. 3.1.3.2: if the vulnerability is not fixed after 90 days, then create a public pull request.

B: PMPVR is not supported by the repository host: in the case where the repository host does not support PMPVR, if emails are found, find the security reporting emails with the OpenSSF disclose check and send automated emails with the patch and indicate the disclosure timeline before a pull request will be opened. In the other case, emails are not found or all emails bounce, immediately publicly disclose the vulnerability by public pull request.

D: On point 3.1.5, is there a recommendation? You said either create a new issue or use an existing one.

B: It doesn't overlap if a, and, let's, no, no, so you wanna, yeah. So if, if an issue was previously created.

D: Maybe we can wait and get further feedback from other folks that may, like, "hey, what about this use case?" But what about the use case of archived repositories?

B: It needs to be, yeah, 3.1.6.

B: Lord, okay, repository is archived, leverage OpenSSF to try to find the.

B: That was an opinion from, I was of the opinion that we should just do nothing and/or publicly disclose. It was the opinion of Jordan that there may be repositories out there, there may be. There may be repositories out there that are archived, but the maintainers still care about.

D: Do we have any other special cases? I remember there was, like, one where we had to create a specialized fork of it if the maintainer didn't want to accept it. Did we cover that case?

B: Yeah, we got on seven, yeah.

E: Kind of insert the link.

D: Different example scenarios, and then you could put at the end, like, "for more specific details, look at the sections below" or something.

D: Yeah, I think this document's ready to move forward. Do we know what the next step is?

B: Are easily detectable and fixable and the fix can be entirely automated. In these cases, the scope of the vulnerability is often beyond what can be reasonably reported to each maintainer privately in a one-on-one exchange. Essentially, automated creation of thousands of bug reports also isn't useful, element even more of our non-volunteer maintainers of open source projects.

A: Of the existing mechanisms, we cover the automation part. This.

B: By setting up, by supporting a limited set of automatable disclosure mechanisms, this specification aims to strike a balance between security researchers and maintainers around at-scale disclosure, and security at scale.

B: This specification describes the requirements that must be satisfied for any campaign to be compliant. Any compliant campaign can attach the OpenSSF-compliant automated vulnerability disclosure badge to any communication or pull request issued.

B: Coordinated on it, not automated private disclosure, yada yada, basically limiting it to, like, you know, if it's new or novel, you better disclose privately, but if it's not new or novel, go for it. Private disclosure: if you, OpenSSF, hosting provider supports a pragmatic means of private disclosure, for example.

B: No, I think that I'm just gonna focus this a little bit further, just to clean it up a little bit and then move forward. We can present it to the, I mean, when's the next meeting?

B: I will send this over to the Alpha-Omega staff to get them to review it and read it, like management, Brian Behlendorf, from such, like that.