►
From YouTube: OpenSSF Vulnerability Disclosures (May 31, 2023)
A
C
A
A
B
A
Snake
ban
at
yaml's
been
the
bane
of
the
inexistence
of
the
Java
ecosystem.
Recently
it
just
yeah
every
time
you
suppress
it,
it
just
pops
up
on
a
with
another
one.
Yep
anyways
welcome
to
the
yeah
I,
just
I
thought
that
was
funny
and
we're
sharing
with
the
working
group
so
yep
all
right.
Let
me
pull
up
my
calendar,
pull
up
my
so
starting
off
just
to
just
to
get
everybody
rolling.
A
A
A
B
A
A
F
Hi
I
am,
although
I
believe
we
went
as
far
as
canceling
or
temporarily
canceling
the
weekly
meetings
unless
I'm
mistaken.
The
proposal
has
been
written
for
quite
some
time
and
the
decision-making
process
is
somewhere
in
process
for
weather
and
or
how
to
actually
operate
the
open
source,
sirt
search.
F
F
E
E
F
I
think
so
I
mean
right.
This
doesn't
happen
without
you
know,
either
effort
or
dollars,
or
some
combination
right,
The
Proposal
talks
about
right.
It
is
open
to
the
idea
of
volunteers,
so
you
definitely
get
volunteer.
Contributions
are,
hopefully
you
know
expected
or
planned,
but
right
there's
the
difference
between
Community
volunteer
and
right,
open,
ssf
member.
F
F
B
A
F
I,
don't
really
I
will
you
know
personal
opinion?
There
are
parts
of
the
OSS
search
that
I
think
could
be
executed
pretty
quickly
and
would
be
generally
helpful.
Other
parts
would
sort
of
take
more
upfront
work.
There
was
sort
of
an
education
training
component
in
there
that
we
debated
right.
Does
this?
Does
this
live
in
the
open,
SS
assert?
Does
it
ossr?
Does
it
live
elsewhere
and
there
are
other
I
believe
there
are
a
number
of
other
sort
of
education,
training
security
advice,
pieces
of
openssf?
F
F
A
E
E
A
A
At
two
o'clock,
P.M
EST,
so
we're
meeting
every
Tuesday
at
2
pm
EST
discussing
the
work
that
Alpha
Omega
will
be
doing
bulk,
generating
security
fixes
that
have
scale
across
open
source.
I
would
love
to
have
you
involved
in
the
conversation
on
that
topic,
the
that
Sig
is
seeking
a
discussion
on
this
document
which
we
created,
which
describes
a
proposed
disclosure
flow
for
automated
vulnerability,
fixing
I'm
happy
to
dive
through
this
real
quickly
with
everybody
here
at
a
high
level.
A
This
is
an
or
ores
are
any
of
these
things
that
are
coming
into.
It
have
to
have
finished
before
we
move
forward,
and
then
the
topic
piano.
The
word
PM
PVR
is
pragmatic,
means
of
pro
no
programmatic
means
of
private
vulnerability,
reporting,
which
is
basically
like
for
GitHub
private
pbrs
private
vulnerability.
Reports
for
gitlab
gitlab
has
an
option
that
on
any
polar
price
you
can
make
it
private.
A
So
at
least
that's
what
I've
heard
so
when
you're
trying
to
bulk
automate
security
fixing
at
scale
we'd
start
reposit,
we
check
if
the
repository
host
supports
pmpdr,
which,
like
GitHub
and
gitlab,
because
the
answer
is
yes
bitbucket
and
the
answer.
Maybe
you
know,
and
then
we
check
if
the
repository
is
enabled
pmpvr.
If
the
repository
is
enabled
pmpvr,
then
we
just
use
that
to
create
the
private
pull
request
to
fix
the
vulnerability.
A
B
A
Request
security
fix
to
fix
the
vulnerability
being
open.
If
no
has
the
repository
enabled
pmpvr,
so
we
just
Loop.
We
run
this
continuous
loop.
If
the
vulnerability
has
been
fixed
or
public
pool
request
has
been
open,
then
we're
finished.
Otherwise,
if
90
days
is
a
lap
since
the
process
has
begun,
then
we
create
a
public
polar
here
simultaneously.
A
If,
if
issues
and
emails
are
found,
then
we
go
down
both
of
these
flows,
but
if
we
only
find
email,
sorry,
if
we
only
find
that
issues
are
enabled
but
not
emails,
or
if
we
only
find
the
emails
but
not
issues,
we
go
down.
One
of
these
two
exclusive
flows-
the
top
one
up
here
is-
is
following
issue
based
private
vulnerability,
reporting,
where
we
attempt
to
reach
out
to
the
maintainer
Via
a
public
issue
where
we
say
create
a
new
issue
requesting
that
they
enable
pmpvr.
A
Otherwise,
if
there's
an
existing
issue,
that's
been
created,
we
use
that
issue.
If
the
issue
is
closed
or
deleted
without
a
response,
then
we
immediately
go
to
assuming
that
just
the
vulnerability
we
immediately
complete
the
step
or
if
the
issue
has
been
open
for
at
least
35
days.
We
just
complete
this
this
phase.
A
A
B
A
The
person
implementing
the
specification
can
follow.
They
can
either
just
wait
90
days
or
if
they
get
a
response,
that
this
is
not
a
vulnerability,
then
they
can
immediately
help
create
a
public
pull
request.
Otherwise
you
wait
90
days
since
the
email
is
sent
and
then
this
site
is
completed.
So
if
both
of
these
completed
right,
if
the
issue
flow
is
completed
and
the
email
flow
is
completed,
if
the
repository
at
this
time
is
not
enabled
PM
PBR,
then
you
create
a
public
pull
request.
A
Otherwise,
you
end,
and
this
will
trigger
the
the
public
disclosure,
because
90
days
have,
since
the
processes
began,
a
public
pool
request
will
get
opened
so
either
flow
on
this,
a
public
pool
request
gets
opened
if,
if
they're,
they're
unresponsive,
this
is
a
high
level
flow
proposed
flow
for
for
automated
disclosure
would
love
to
hear
any
feedback.
Questions
concerns
about
this
proposed
flow
from
the
Sig.
G
A
G
A
D
A
A
G
A
A
B
B
A
E
A
Okay,
other
update,
okay!
Let
me
go
back
to
here:
autofix,
oh
yeah.
We
are
looking
for
someone
to
assist
with
taking
this
document
and
turning
this
into
actual
use
cases,
like
example,
walkthroughs
of
this
flow.
So
if
anybody
is
interested
in
in
collaborating
in
taking
this
this
flow
and
walking
through
an
example
and
writing
that
out
into
the
specification
that
would
be
greatly
appreciated,
we
would
love
your
assistance
with
that.
A
H
B
H
On
Monday
evening,
like
Europe
time
but
I,
think
it
kind
of
it
dropped
from
my
schedule,
at
least
from
the
calendar,
so
I'm
not
sure
where
it's
like.
What's
the
current
status,
because
oh
yeah,
no,
so
it's
still
there.
So
it's
10
P.M
on
my
clock,
which
is
probably
like
three
no
I,
don't
know
Eastern
Time.
A
A
A
E
A
A
All
right,
so
that
that
explains
why
we're
not
having
them
here,
I'm
like
where,
where
where
are
we,
the
people
running
this
project?
Okay,
great
perfect,
anybody
have
any
comments.
Questions
concerns
yeah,
Australia,
yes,
it's
there.
It
makes
sense
to
why
they're
not
I
had
a
manager
in
my
previous
job
that
was
in
Australia
and
I'm
on
the
east
coast
of
Boston.
My
day
would
be
like
I'd,
be
done
finishing
my
day
at
five.
Six
pm
and
he'd
be
waking
up
really
early
to
meet
with
me
and
it
was
terrible.
A
A
A
I
have
an
open,
then,
if
we
have
time
I
just
want
to
kind
of
give
an
update
on
this
is
not
under
the.
This
is
not
under
the
this
working
group.
It's
under
the
securing
software
reposit
for
his
working
group,
but
just
an
update
from
last
did
I
I,
don't
know
I,
don't
think
I
presented
this
in
this
working
group
I
presented
in
the
in
the
APAC
call.
A
Okay,
nobody's
saying
yes,
okay,
so
high
level.
This
is
a
proposal
that
I've
put
together
to
try
to
fund
so
okay.
So
the
postulate
that
I'm
I'm
basing
this
upon
is.
We
have
a
lot
of
artifact
servers
in
the
industry
right,
npm,
rubygems,
Pi,
Pi
or
Pi
Pi
I'm,
saying
that
wrong.
I'm!
Sorry,
please
don't
hate
me!
A
Maven
Central
Gradle
plug-in
portal,
nuke
it
right
all
these
artifact
servers
I
pause
it
that,
because
these
artifact
servers
are
predominantly
not
sold
to
corporations,
they
are
available
for
free
for
open
source
and
for
anybody
to
consume.
Because
of
that,
these
things
that
are
fundamental
to
supply
chain
are
yes.
A
A
Yeah
we'll
do
perfect.
Okay,
so
I
pause
it
that
all
these
major
artifact
servers
that
you
know
because
their
software
is
given
a
road
for
free
most
of
the
time,
a
the
forcing
function
on
requiring
a
pen
test.
Is
the
software
being
purchased
right
from
a
company
and
so
I'm
not
sharing
my
screen?
That's
that's,
probably,
okay.
So
the
the
idea
behind
this
is
because
these
things
have
never
been
purchased
because
there's
never
been
a
pen
test
done.
We
have
this
critical
infrastructure
out
there.
A
A
Also
dependency,
resolvers
and
Publishers
are
available
for
free
they're,
open
source
and
they're
development
and
maintenance
is
a
cost
center
and
there's
likely
never
been
sufficient.
Market
forces
justify
spending
additional
money,
commissioning
a
pen
test
against
this
infrastructure
for
community-run
artifact
servers
the
it's
likely
that
they've
never
had
enough
money
to
actually
pay
for
a
pen
test,
and
so
and
also
pen
tests
are
expensive,
require
dedicating
time
and
resources
to
actually
addressing
the
vulnerabilities
identified.
A
There
we
go-
hopefully
I
wasn't
just
kicked
out
of
my
company
I,
don't
think
that's
something
so
anyways,
so
the
the
idea
behind
this
is:
let's
actually
get
these
audits
done.
The
thing
that's
relevant
to
this
working
group
is
the
proposal
around
leveraging
the
vulnerability,
closure
working
groups
and
and
the
open
source
security
foundations,
model
vulnerability
disclosure
policy
as
the
policy
for
disclosing
the
vulnerabilities
found
under
this
audit.
A
The
way
that
that
would
work
is
if
the
if
the
repository
is
run
by
a
community
I.E,
a
non-for-profit,
then
the
the
audit
will
be
performed
for
free
and
the
open,
ssf
or
whoever's
running.
This
project
would
also
pay
for
the
a
contractor
to
come
in,
or
you
know,
some
resource
to
help
fix
these
vulnerabilities
that
are
identified
as
part
of
this
audit.
A
If
the
artifact
server
is
Corporate
run
run
by
company
and
it's
not
open
source,
then
we
give
two
options:
either
you
pay
for
it
right
use
the
corporation
you
pay
for
the
audit.
As
long
as
your
audit
is
within
the
scope
of
what
we
you
know,
it
matches
the
scope
that
we
would
like,
otherwise,
we'll
pay
for
it.
If
you
pay
for
it,
we
want
to
hear
we
just
want
to
see
your
results
and
a
retest
result
within
180
days.
A
If
we
do
it,
our
disclosure
deadline
will
be
the
90-day
disclosure
policy
that
the
open
SF
has
for
this
work,
so
that
you
know,
there's
there's
a
financial
incentive
for
or
there's
there's
a
a
rat
there's
an
incentive
for
these
organizations
to
not
just
you
know,
just
take
our
money
for
it
like.
If
they
want
to
control
the
disclosure
on
it,
they
can
pay
for
it
and
then
the
site.
This
proposal
also
comes
with
a
concept
of
repeat
testing.
A
A
The
funding
for
each
one
of
these
is
that
each
each
we
assume
that
each
artifact
server
would
cost
about
a
hundred
150
000
for
the
the
the
pen
test,
and
you
know,
between
10
and
85,
for
the
red
team
engagement
for
each
each
artifact
server
for
public
disclosure
parts
of
this.
The
the
vulnerabilities
that
are
found
as
a
part
of
the
audit
would
be
publicly
disclosed
the
red
for
the
red
team
engagement.
A
However,
the
because
red
team
engagements
include
an
aspect
of
social
engineering
and
attacking
the
actual
infrastructure,
we
wouldn't
be
disclosing
the
full
report
from
that.
We
would
disclose,
however,
that
that
the
red
team
engagement
incurred
and
the
impact
they
were
able
to
achieve
you
know
and
currently
The
Who
as
to
who
you
would
involve.
A
That
I
don't
want
to
try
to
shuffle
this
email
into
because
I'm
I'm
just
gonna
get.
This
is
not
a
security
report
go
away,
but
all
the
other
part
packaging
ecosystems
have
been
reached
out
to
directly
to
try
to
propose
this
and
say.
Would
you
like
to
be
involved
and
the
meetings
for
this
will
be
happening
both
in
the
securing
software
repositories
working
group
meeting
and
the
the
there's
a
cig?
A
Now
that
is
meeting
in
that
same
time
slot
every
Thursday
where
the
working
group
meeting
is
not
so
the
meetings
are
at
9
00
a.m
on
Thursdays.
So
if
you
are
interested
in
this
topic,
would
love
to
see
you
and
yes,
Madison
I
would
love
the
contact
information
for
the
PM
or
the
security
lead
specifically
directly
to
for
npm,
so
that
I
don't
have
to
go
through
the
security
at
and
also
if
you
have
contacts
with
the
nougat
team.
That
would
also
be
helpful
because
nougat
is
also
Microsoft.
A
A
And
the
only
other
thing
is
I
just
follow
on
work
proposal
of
potentially
at
the
end
of
this
funding
after
the
first
wave
of
audits
is
done,
potentially
funding
a
bug,
value
program
to
encourage
future
Research
into
the
area
of
securing
software
repositories.
It's
not
necessarily
in
the
scope
of
this
immediately
but
yeah.
F
I've
got
a
brief
comment
that
fits
right
in
the
follow-on
work
section.
Yeah
critical
critical
component
may
be
underserved
security,
wise
auditing,
it
funding
an
audit
for
it
great.
Yes,
that's
a
point
in
time
thing
so
bug
Bounty
is
an
option.
Repeat
the
audit,
every
So
yeah.
Thank
you
rolling
basis.
You
don't
have
a
like
a
time
frame.
Yet
I
saw
a
two-year
upfront,
yep,
okay,
foreign.
F
F
A
That's
a
really
good
question.
It
probably
depends
upon
whether
or
not
we
hiring
the
same
firms
yeah
and
yes.
So
this
is
a
proposal
that
is
also
collaboration
with
ostiff
I
just
had
a
chat
with
Amir
and
Amir
was
the
one
that
came
up
with
the
cost
of
he's
like
when
we've
done
audits,
they've
run
about
150,
000
yeah,
so
that's
yeah,
I'm
logged
out,
so
I
can't
even
add
them.
I
can't
even
approve
my
own.
My
own
proposed.
F
Change
I
can
here
yeah,
okay,
no
got
it.
Yeah
you've
already
thought
of
this.
The
last
I
looked
at
this
like
for
real,
then
that
I
might
have
spent
money
on
it.
I
came
across
at
least
one
firm
with
a
paradigm
of
more
of
a
continuous
thing.
As
opposed
and
it's
you
know,
it's
a
reasonable
response
to
We
did
an
audit
great
okay.
Now
what
time
went
by
right?
F
A
A
The
just
in
terms
of
managing
this
continuously
occurring
right,
I
believe
that
I
I
I
work
for
the
open,
SF
I
work
for
the
Linux
Foundation,
but
I
don't
think
that
I'm
the
right
resource
to
run
this
long
term,
The
Proposal,
does
call
for
at
least
one
staff
member
to
be
assigned
from
the
open
SF
to
manage
this
on
a
continuous
basis.
It's
probably
not
a
full-time
resource
right.
A
This
is
not
something
they
need
to
be
doing
full-time,
but
it
is
going
to
be
some
chunk
of
time
that
will
require
a
full-time
person
managing
and
making
sure
it's
occurring.
So
yes,
that
that
that's
another,
that's
another
aspect
of
this
that,
because
I
don't
think
that
a
working
group
of
a
bunch
of
volunteers
is
the
necessarily
the
right
way
to
night
right
place
to
make
sure
that
something
like
this
reoccurs
on
a
regular
basis.
A
A
I
A
Just
read
through
it
I
mean
at
a
high
level,
and
then,
if
you'd
like
to
excuse
me
if
you'd
like
to
participate,
we
are
again
we're
meeting
every
Thursday
at
9am.
So
that's
the
place
to
have
this
conversation.
I
think
that
the
Eastern
yes
9am,
Eastern,
the
biggest
I,
think
the
biggest
thing
that
we're
going
to
run
into
is.
A
This
hasn't
been
an
issue
so
far,
that's
been
raised
by
the
majority
of
the
organizations
we
reach
out
to,
but
we
would
I
think
that
the
the
carrot
stick
model
of
this
is
like
you
know.
We
love
to
do
the
audit
they're
willing
to
collaborate,
but
if
we're
paying
for
it
at
least
against
the
corporate
artifact
servers
trying,
including
in
that
that
we're
going
to
be
leveraging
the
90-day
disclosure
deadline,
the
one
caveat
that
I
pull
out
in
the
in
the
technology
audit.
A
I
A
I
Anyone
that's
interested
in
helping
is
welcome,
but
I
have
been
handling
it
myself.
So
far,
we
had
an
interview
with
the
new
executive
director
of
the
foundation,
omkar
kind
of
explaining
what
that
and
the
education
Sig
were
about,
and
we
are
planning
on
how
we
want
to
move
forward
as
we
both
update
and
rewrite
the
mobilization
plan,
but
also
Circle
back
to
the
people
that
had
put
funding
pledges
together
to
see
if
those
were
topics
that
inspired
them
to
throw
money
at
us.
B
I
A
A
A
Okay,
all
right,
that's
good
to
know!
Do
you
I
I,
don't
think
I
can
allocate
any
of
my
time
but
yeah.
If
anybody
else
is
interested
in
making
this
a
reality,
you
know
art.
You
seem
like
one
of
the
few
people.
That's
like
you
know,
really
got
you.
You
and
Madison
both
seem
pretty
well.
Pretty
would
like
to
see
this
occur
yeah.
I
That's
interested
is
welcome
to
read
the
plan.
There
are
many
items
there
that
don't
require
funding
that
could
be
worked
on
by
volunteers
and
just
people
talking
and
working
out
process,
and
we
would
like
to
go
interview
like
upstream
maintainers
and
security
teams.
So
we
have
a.
We
had
an
idea
of
assert
putting
together
a
survey,
so
there's
a
lot
of
things
that
could
be
done
and
if
anyone's
welcome,
I
can
get
operations
to
turn
the
meeting
back
on.
I
A
A
Going
once
going
twice
sold
to
the
silence
the
Doctor
Who
Silence,
all
right,
he
goes
yay
there
we
go.
Thank
you
for
whoever's
writing
on
my
screen.
I
appreciate
it
all
right.
I
want
to
thank
you
guys,
all
for
coming
or
you
all
for
coming
and
I
hope
to
see
some
of
you
at
two
o'clock
at
the
vulnerable
disclosure
autofix
working
group,
Sig,
meeting
yeah
catch
you
real
soon
and
keep
keep
the
internet
secure.