From YouTube: OpenSSF Vulnerability Disclosures (May 31, 2023)

C: What evil plans do you have for us today? Hey.

A: Mass disclosure of vulnerabilities without any controlled, you know, disclosure timelines. Just watch the world burn. How to make Madison's job really painful, really fast.

A: Someone sent me this GIF, or not GIF, this meme with respect to a vulnerability that keeps rearing its ugly head. Let's pull it up here, screen share.

A: SnakeYAML's been the bane of the existence of the Java ecosystem. Recently it just, yeah, every time you suppress it, it just pops up with another one. Yep, anyways, welcome to the, yeah, I just thought that was funny and we're sharing it with the working group, so, yep, all right. Let me pull up my calendar, pull up my, so, starting off, just to get everybody rolling.

A: If you could go into the working group meeting notes and add your attendance, it helps validate that we are indeed a functioning working group that is worth notice in the OpenSSF. Your attendance validates our existence.

A: Yeah, so we would love a scribe to scribe what we chat about today. So if anybody wants to take that one on, we'd love to have you.

A: Thank you. Okay, new friends: do we have anybody for whom this is their first time, or who's never piped up before at this working group's meetings, who'd like to say hello and introduce themselves?

A: Michael has to scoot. No new friends, okay. And opens: anything that anybody wants to talk about, specifically that was not in the meeting notes, about anything.

C: For that, there was a document that folks were working on. I think there were like a couple of meetings scheduled out of band for it, for, like, GitHub or SCM best practices.

A: Okay, any other opens or anything else that anybody wants to bring up? You know, topics, vulnerabilities that were interesting, pains with vulnerability disclosure. Anything.

A: Okay, updates from the subprojects. Do we have anybody here from the OSS-SIRT working group?

F: Hi, I am, although I believe we went as far as canceling, or temporarily canceling, the weekly meetings, unless I'm mistaken. The proposal has been written for quite some time and the decision-making process is somewhere in process for whether and/or how to actually operate the open source SIRT, the OSS-SIRT.

F: The details, my impression, it has been done. The working group has done everything in its power to present, pitch, seek approvals, and again I'm pretty sure CRob asked the calendar maintainers to pause the weekly meetings until something happens, Madison.

E: Yeah, right, yeah, we have it somewhere a couple of pages down in the notes for this meeting. Basically, this is paused until the governing board gives them more direction or makes a decision. That is the last update we have.

F: I think so. I mean, right, this doesn't happen without, you know, either effort or dollars or some combination, right? The proposal talks about, right, it is open to the idea of volunteers, so you definitely get, volunteer contributions are hopefully, you know, expected or planned, but, right, there's the difference between a community volunteer and, right, an OpenSSF member.

F: You know, a director allows one of their employees to spend 10 hours a week on this, versus the LF or OpenSSF, you know, paid one full-time person to make sure the thing keeps running. There were some combination of things like that in the proposal.

F: There are lots of effort estimates, so I think it, finally, at this point is really, air quotes around it, fund or not, or how much funding.

A: Does it have, I guess, is there a champion for it to the governing board?

A: Okay, do you have any other points or comments, or anything else that you want to discuss on this topic?

F: I don't really. I will, you know, personal opinion: there are parts of the OSS-SIRT that I think could be executed pretty quickly and would be generally helpful. Other parts would sort of take more upfront work. There was sort of an education/training component in there that we debated, right. Does this live in the OSS-SIRT? Does it live elsewhere? And there are other, I believe there are a number of other sort of education, training, security advice pieces of OpenSSF.

F: So there's some, you know, discussion about where these things should or shouldn't live, or if it does live in the SIRT, right, how to coordinate or how to, you know, cooperate across pieces of OpenSSF. I will say, though: I have no sense of, right, OpenSSF's sort of resources, priorities. I don't know if and how to make this a priority or not. I don't know if they have 10 other things that are much more important, and also I come from a background of this sort of thing.

A: Given that CRob seems to be heavily subscribed to a lot of different things in a lot of different initiatives, does anybody from this working group or the SIG want to allocate some time to become a champion of this proposal to the board and the TAC, and try to seek out funding and funding avenues on this?

F: I would. I talked to CRob briefly about this. I put in a talk somewhere, it was stupidly titled, right, "Let's do OSS-SIRT now already", but yeah, I, hard to say if a different person or a different, you know, different champion or a different voice would make a difference.

A: With him, yep, okay, and then take whatever that is and try to toss it back into the working group meeting notes. Thank you, will do, perfect, all right. That good for this topic? All right. CVD guide for consumers, issue 115, who wants to lead that topic?

E: I think his ask there is just, he would love contributors to work on the document. He made the document an issue. There's not a lot in it, so I suspect he's just asking for more contributors here.

A: Alrighty then, I will take over with the projects that I've been leading on this charge. So there's two documents that I've been working on with the Autofix SIG. First, so for the Autofix SIG, just a heads up, the meeting time has changed. We're now meeting, new meeting time, Wednesdays.

A: At two o'clock P.M. EST, so we're meeting every Tuesday at 2 p.m. EST discussing the work that Alpha-Omega will be doing, bulk generating security fixes that have scale across open source. I would love to have you involved in the conversation on that topic. That SIG is seeking a discussion on this document which we created, which describes a proposed disclosure flow for automated vulnerability fixing. I'm happy to dive through this real quickly with everybody here at a high level.

A: This is an, or, are any of these things that are coming into it have to have finished before we move forward, and then the topic. The word PMPVR is pragmatic means of, no, programmatic means of private vulnerability reporting, which is basically, like, for GitHub, private vulnerability reports; for GitLab, GitLab has an option that on any pull request you can make it private.

A: So at least that's what I've heard. So when you're trying to bulk automate security fixing at scale, we'd start, repository, we check if the repository host supports PMPVR, which, like GitHub and GitLab, the answer is yes; Bitbucket, the answer, maybe, you know. And then we check if the repository has enabled PMPVR. If the repository has enabled PMPVR, then we just use that to create the private pull request to fix the vulnerability.

A: If that's not the case, then we go to this fork/join where we run two processes in parallel, where we constantly look to see: is the vulnerability fixed? If it's not, have 90 days elapsed since the process began? If no, has the public PR, has a public...

A: ...pull request, security fix to fix the vulnerability, been opened? If no, has the repository enabled PMPVR? So we just loop. We run this continuous loop. If the vulnerability has been fixed or a public pull request has been opened, then we're finished. Otherwise, if 90 days have elapsed since the process has begun, then we create a public pull request here. Simultaneously...

A: We try to communicate with the maintainers about the vulnerability, so we use Michael Scovetta's OpenSSF disclosure check thing, that code that he wrote, to try to find contact emails on the repository that we're trying to report the vulnerability to, and then we use that. We check to see if the repository has issues enabled; some GitHub repositories, for example, have disabled issues and they use Jira only for their issues.

A: If issues and emails are found, then we go down both of these flows. But if we only find email, sorry, if we only find that issues are enabled but not emails, or if we only find the emails but not issues, we go down one of these two exclusive flows. The top one up here is following issue-based private vulnerability reporting, where we attempt to reach out to the maintainer via a public issue, where we, say, create a new issue requesting that they enable PMPVR.

A: Otherwise, if there's an existing issue that's been created, we use that issue. If the issue is closed or deleted without a response, then we immediately go to, assuming that just the vulnerability, we immediately complete the step. Or if the issue has been open for at least 35 days, we just complete this phase.

A: Meanwhile, assuming that we can find an email to communicate with, we send automated emails with the vulnerability details, a request to enable PMPVR, and then the fix as a patch file. If all the emails bounce or we receive automated "please fill out this form on this website" responses...

A: Then this is completed. Otherwise we wait 90 days. But alternatively, there's two different flows: either you wait 90 days, or you can engage in this flow. This is up to the implementation, like the decision.

A: The person implementing the specification can follow. They can either just wait 90 days, or, if they get a response that this is not a vulnerability, then they can immediately help create a public pull request. Otherwise you wait 90 days since the email is sent and then this side is completed. So if both of these completed, right, if the issue flow is completed and the email flow is completed, if the repository at this time has not enabled PMPVR, then you create a public pull request.

A: Otherwise you end, and this will trigger the public disclosure, because 90 days have, since the process began, a public pull request will get opened. So either flow on this, a public pull request gets opened if they're unresponsive. This is a high-level proposed flow for automated disclosure. Would love to hear any feedback, questions, concerns about this proposed flow from the SIG.

G: So essentially, there are two things: one is a private, like PMPVR, or a public pull request, right? Right, so the public pull request, it is like they're just shown differently. So is there a reason, like, this has, like, a rectangle, whereas that's like a pentagon?

A: This is going to link out to another document which I haven't done anything with yet. This will be another flow. This one is a predefined process that'll be described in the document.

G: I see, okay, and there's the loop that's just underneath that PMPVR. What's the frequency of executing that loop?

A: This one here? Yes, your choice. Okay, yeah, it's just, you can throw whatever delay you want in there. Just, you know, this.

D: Yeah, just one thing I noticed that I didn't notice the other day. What happens right at the beginning, if the host doesn't support PMPVR?

A: Oh, good question.

A: So if the host doesn't support PMPVR, that's a good question. If the host doesn't support PMPVR, I think that we go immediately into this flow over here.

A: Since, starting here, I think the only thing that's missing, though, out of that flow is the 90 days elapsed, creating a public pull request, right. So that's a...

A: That is a conditional that has no "no" option. Thank you. That's a good, that's a good spot. I'll fix that. We're meeting at 2 p.m., and so I'll fix that between now and the next meeting. Sounds good, yeah. You just add a comment.

A: Don't, I have upgraded? I own this, I own a license with this thing. Why is it telling me I need to upgrade? All right, I don't know, needs a...

A: All right, yeah, anybody?

A: Okay, I'll put you on the spot, but anybody from a repository host that will be the target of this sort of work want to have any comments? Bitbucket, GitLab, anybody like that, GitHub?

A: Nope? Okay, perfect. That's totally...

E: Fine, yeah. Nothing you don't already know about. People, maintainers have lots of opinions about getting what they consider to be drive-by PRs and issues. So that is the only thing I would caution. Yeah.

A: That's very fair. It's very fair!

A: Okay, other update, okay! Let me go back to here: Autofix, oh yeah. We are looking for someone to assist with taking this document and turning this into actual use cases, like example walkthroughs of this flow. So if anybody is interested in collaborating in taking this flow and walking through an example and writing that out into the specification, that would be greatly appreciated. We would love your assistance with that.

A: Does anybody have any interest in doing so immediately, that wants to offer their time to assist with that?

A: Okay, all right, what else? And then from there, once we have this, we're going to start working back on the original specification document describing the vulnerability disclosure flow.

A: Okay, is there anybody here...

H: So that's that, as far as I can remember, that was the status the last time I attended.

H: On Monday evening, like Europe time, but I think it kind of dropped from my schedule, at least from the calendar, so I'm not sure where it's, like, what's the current status, because, oh yeah, no, so it's still there. So it's 10 p.m. on my clock, which is probably like three, no, I don't know, Eastern Time.

H: Yeah, it is a regular bi-weekly meeting, okay.

A: Okay, anybody from open, OSV, the Open Source Vulnerability project, I guess that's right. That's OSV, is that how, is that what it stands for, Open Source Vulnerability?

A: Okay, who's running that, or who's in charge of OSV?

E: It's Oliver Chang and, I cannot remember, these, yeah.

A: All right, so that explains why we're not having them here. I'm like, where are the people running this project? Okay, great, perfect. Anybody have any comments, questions, concerns? Yeah, Australia, yes, it's there. It makes sense why they're not. I had a manager in my previous job that was in Australia and I'm on the east coast, Boston. My day would be like, I'd be done finishing my day at five, six p.m., and he'd be waking up really early to meet with me, and it was terrible.

A: I have an open, then, if we have time. I just want to kind of give an update on this. It's not under this working group. It's under the Securing Software Repositories working group, but just an update from last, did I, I don't know, I don't think I presented this in this working group. I presented it in the APAC call.

A: Is that correct? The great artifacts, the great artifact repository security audit, did I present that at this meeting last week? But I don't think so.

A: Okay, nobody's saying yes, okay. So, high level, this is a proposal that I've put together to try to fund, so, okay. So the postulate that I'm basing this upon is: we have a lot of artifact servers in the industry, right, npm, RubyGems, PyPI, or PyPI, I'm saying that wrong. I'm sorry, please don't hate me!

A: Maven Central, Gradle Plugin Portal, NuGet, right, all these artifact servers. I posit that, because these artifact servers are predominantly not sold to corporations, they are available for free for open source and for anybody to consume. Because of that, these things that are fundamental to the supply chain are, yes?

A: I can share a PDF. I think, Art, I think I've posted a PDF version of it in the email in the Vulnerability Disclosure working group. I'll go look first. Thanks, okay. If not, it's either in the Slack or in the email. So harass me if it's not, okay.

A: Yeah, will do, perfect. Okay, so I posit that all these major artifact servers, that, you know, because their software is given away for free most of the time, the forcing function on requiring a pen test is the software being purchased, right, from a company. And so, I'm not sharing my screen? That's probably okay. So the idea behind this is, because these things have never been purchased, because there's never been a pen test done, we have this critical infrastructure out there.

A: That's likely not been thoroughly security tested, and I would like to change that. And so the proposal for this is: let's actually get the money together and pay for pen tests and red team engagements against the organizations that run this critical infrastructure.

A: Repositories are freely available, operate as both a public service and as a significant cost center for the organizations that run them, i.e., they do not generate revenue and are often expensive to run, and as a cost center they are likely under-resourced and under-maintained.

A: Also, dependency resolvers and publishers are available for free; they're open source, and their development and maintenance is a cost center, and there have likely never been sufficient market forces to justify spending additional money commissioning a pen test against this infrastructure. For community-run artifact servers, it's likely that they've never had enough money to actually pay for a pen test. And also, pen tests are expensive and require dedicating time and resources to actually addressing the vulnerabilities identified.

A: There we go. Hopefully I wasn't just kicked out of my company, I don't think that's something. So anyways, so the idea behind this is: let's actually get these audits done. The thing that's relevant to this working group is the proposal around leveraging the Vulnerability Disclosure working group's and the Open Source Security Foundation's model vulnerability disclosure policy as the policy for disclosing the vulnerabilities found under this audit.

A: The way that would work is, if the repository is run by a community, i.e., a not-for-profit, then the audit will be performed for free, and the OpenSSF, or whoever's running this project, would also pay for a contractor to come in, or, you know, some resource to help fix these vulnerabilities that are identified as part of this audit.

A: If the artifact server is corporate-run, run by a company, and it's not open source, then we give two options: either you pay for it, right, you as the corporation pay for the audit, as long as your audit is within the scope of what we, you know, it matches the scope that we would like; otherwise, we'll pay for it. If you pay for it, we want to hear, we just want to see your results and a retest result within 180 days.

A: If we do it, our disclosure deadline will be the 90-day disclosure policy that the OpenSSF has for this work, so that, you know, there's a financial incentive, or there's an incentive for these organizations to not just, you know, just take our money for it. Like, if they want to control the disclosure on it, they can pay for it. And then, this proposal also comes with a concept of repeat testing.

A: The funding for each one of these is that we assume that each artifact server would cost about a hundred, 150,000 for the pen test, and, you know, between 10 and 85 for the red team engagement for each artifact server. For the public disclosure parts of this, the vulnerabilities that are found as a part of the audit would be publicly disclosed. For the red team engagement...

A: However, because red team engagements include an aspect of social engineering and attacking the actual infrastructure, we wouldn't be disclosing the full report from that. We would disclose, however, that the red team engagement occurred and the impact they were able to achieve, you know. And currently, the who, as to who you would involve...

A: In this, we would like to involve GitHub for npm, Gradle for the Gradle Plugin Portal, JFrog for Conan Center, Sonatype for Maven Central, Ruby for RubyGems, PyPI, or Python, what, Python Software Foundation, Go, Drupal, Cargo, Docker, NuGet. There's some questions about alari, actually, there's Drupal and Hilaria too, that we were considering maybe not including immediately, and then Packagist for PHP. So I've actually taken this proposal and sent an email out to all of the security teams for all these different artifact servers, except for GitHub and NuGet, because their contact is security at Microsoft and that's a very large black box.

A: That I don't want to try to shuffle this email into, because I'm just gonna get "this is not a security report, go away". But all the other packaging ecosystems have been reached out to directly to try to propose this and say, would you like to be involved? And the meetings for this will be happening both in the Securing Software Repositories working group meeting and the, there's a SIG...

A: Now that is meeting in that same time slot every Thursday where the working group meeting is not, so the meetings are at 9:00 a.m. on Thursdays. So if you are interested in this topic, would love to see you. And yes, Madison, I would love the contact information for the PM or the security lead, specifically directly, for npm, so that I don't have to go through the security@, and also if you have contacts with the NuGet team, that would also be helpful, because NuGet is also Microsoft.

A: And the only other thing is, I just, follow-on work proposal of potentially, at the end of this funding, after the first wave of audits is done, potentially funding a bug bounty program to encourage future research into the area of securing software repositories. It's not necessarily in the scope of this immediately, but yeah.

F: I've got a brief comment that fits right in the follow-on work section. Yeah, critical component may be underserved security-wise; auditing it, funding an audit for it, great. Yes, that's a point-in-time thing, so a bug bounty is an option. Repeat the audit every, so yeah, thank you, rolling basis. You don't have a, like, a time frame yet? I saw a two-year upfront, yep, okay.

F: Is the audit any cheaper, or is it still just a full, like, clean audit every time? Basically, these things really work. I...

A: That's a really good question. It probably depends upon whether or not we're hiring the same firms, yeah, and yes. So this is a proposal that is also a collaboration with OSTIF. I just had a chat with Amir, and Amir was the one that came up with the cost. He's like, when we've done audits, they've run about 150,000, yeah, so that's, yeah. I'm logged out, so I can't even add them. I can't even approve my own, my own proposed...

F: Change. I can here, yeah, okay, no, got it. Yeah, you've already thought of this. The last I looked at this, like, for real, that I might have spent money on it, I came across at least one firm with a paradigm of more of a continuous thing, as opposed, and it's, you know, it's a reasonable response to "we did an audit, great, okay, now what, time went by", right?

F: So there are, you know, it's probably a subscription-ish business model which has its own issues, but there are, you know, something more continuous or repeatable might be an engagement option we could consider. But yes, the fact that repeat testing is in here handles it, so never mind.

A: Just in terms of managing this continuously occurring, right, I believe that, I work for the OpenSSF, I work for the Linux Foundation, but I don't think that I'm the right resource to run this long-term. The proposal does call for at least one staff member to be assigned from the OpenSSF to manage this on a continuous basis. It's probably not a full-time resource, right.

A: This is not something they need to be doing full-time, but it is going to be some chunk of time that will require a full-time person managing it and making sure it's occurring. So yes, that's another aspect of this, because I don't think that a working group of a bunch of volunteers is necessarily the right place to make sure that something like this reoccurs on a regular basis.

A: Any other questions, comments, concerns on this topic?

A: Just read through it, I mean, at a high level, and then, if you'd like to, excuse me, if you'd like to participate, we are, again, we're meeting every Thursday at 9 a.m. So that's the place to have this conversation. I think that the, Eastern, yes, 9 a.m. Eastern. The biggest, I think the biggest thing that we're going to run into is...

A: This hasn't been an issue so far that's been raised by the majority of the organizations we reach out to, but we would, I think that the carrot-and-stick model of this is, like, you know, we'd love to do the audit, they're willing to collaborate, but if we're paying for it, at least against the corporate artifact servers, trying, including in that, that we're going to be leveraging the 90-day disclosure deadline. The one caveat that I pull out in the technology audit...

A: Is that caveat, here we go, the one caveat that I have called out here: all vulnerabilities disclosed during the course of the technology audit against corporate-run, if they're not paying for it themselves, will be bound by the OpenSSF outbound vulnerability disclosure policy with one change: while the pen test firm may disclose vulnerabilities immediately upon discovery to the target, the OpenSSF outbound vulnerability disclosure policy notice date will be one business day after the scheduled pen test concludes, not including the retest. So that gives them 90 days from the pen test finishing, but they'll have been receiving...

A: The record, I mean, usually when a pen test occurs, you get, like, here's a vulnerability we found, like, do you, you know, and people are actively able to work on those as the pen test is occurring, but the start date of the 90-day disclosure deadline will occur as soon as one day post the disclosure, the pen test occurring.

A: Okay, CRob, going back to you, there's two topics that I wanted to ask you about, because you were not here, or...

A: No, do you want to dive into anything about this? The CVD guide for consumers.

A: Perfect, anything else on that one? Nope, perfect. OpenVEX SIG, do you know what the status of this is?

A: Sorry, you're right, the, awesome, there was a question here about what is its current status.

I: It's currently under review by assorted funding parties, so it's kind of on hold for now.

A: Okay, are you the champion for this initiative, or do you need someone else to champion it? Do you have the resources to adequately champion this, if you are the champion for it?

I: Anyone that's interested in helping is welcome, but I have been handling it myself. So far, we had an interview with the new executive director of the foundation, Omkhar, kind of explaining what that and the Education SIG were about, and we are planning on how we want to move forward as we both update and rewrite the mobilization plan, but also circle back to the people that had put funding pledges together to see if those were topics that inspired them to throw money at us.

I: If there's anything that anyone is interested in collaborating on in the SIRT SIG that costs zero dollars, they are welcome to participate, but anything that needs money, we have to kind of wait.

A: What are the current largest blockers, and your current perspective on the chance of success of this initiative? Yeah.

I: It's been six months since we submitted the revised plan and we've gotten zero feedback, so we have lost most of the volunteers' interest.

I: So if it is indeed picked up for funding, it'll be a little bit challenging to re-engage with the people that were there and to try to get new folks engaged.

A: Okay, all right, that's good to know! Do you, I don't think I can allocate any of my time, but yeah, if anybody else is interested in making this a reality, you know, Art, you seem like one of the few people that's, like, you know, really, you and Madison both seem pretty, would like to see this occur, yeah.

A: If there's anything that anybody, is there anything that anybody can do to help push this forward, or evangelize it to the right people that you think would help? Anybody?

I: That's interested is welcome to read the plan. There are many items there that don't require funding that could be worked on by volunteers and just people talking and working out process, and we would like to go interview, like, upstream maintainers and security teams. So we have a, we had an idea of a SIRT putting together a survey, so there's a lot of things that could be done, and if anyone's welcome, I can get operations to turn the meeting back on.

I: But after six months of me showing up saying there's no update, people stopped showing up, and I got tired of hanging out for 15-20 minutes each time.

A: That's very fair, very, very fair. Okay, is it, that was the one that Emily from Apple was also involved in, right?

I: Yeah, she was involved. She's also involved in the Education again. So there were a lot of folks involved: Art, myself, Randall, Emily, okay.

A: Okay, all right, we have six minutes, seven minutes left. Does anybody else have anything else that was not covered in this meeting that they want to address before we adjourn?

A: Going once, going twice, sold to the silence, the Doctor Who Silence. All right, here it goes, yay, there we go. Thank you to whoever's writing on my screen, I appreciate it. All right, I want to thank you guys, all for coming, or you all for coming, and I hope to see some of you at two o'clock at the Vulnerability Disclosure Autofix working group SIG meeting. Yeah, catch you real soon, and keep the internet secure.