►
From YouTube: OpenSSF Vulnerability Disclosures (June 14, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
B
B
B
D
B
B
A
A
D
E
C
A
E
I
keep
crashing
these
open
ssf
meetings
as
I'm
getting
you
know
situated
and
so
I,
don't
even
remember
if
I've
been
to
this
meeting
before
or
not,
but
I
do
see
some
new
faces,
so
hey
I'm,
I'm,
Josh
I
work
in
that
hospital
at
Analog,
Devices
I'm
not
going
to
use
the
same
lame
joke
that
I
have
been
broke
because
I
know
you've
heard
it
a
lot
of
you
Jonathan,
but
yeah
yeah.
So
I
went
to
the
open
ssf
day
at
the
open
source.
E
B
E
B
G
B
A
Roger
Dodger,
if
you
have
any
opens
you'd
like
to
talk
about,
add
them
in
the
open
section.
I
only
had
one
item
today,
I
wanted
to
briefly
discuss.
As
Josh
mentioned,
we
just
had
an
amazing
open
ssf
day
in
Vancouver
at
the
North
America
Summit.
Well,
fun
fact:
we
will
be
holding
an
open
ssf
day
in
Europe
in
beautiful
Bilbao
Spain,
and
there
is
currently
a
call
for
papers
open,
So.
A
Not
only
would
I
encourage
the
group
to
consider
submitting
for
talking
there,
but
I
had
an
idea,
potentially
a
slot,
to
talk
about
this
working
group
and
maybe
showcase
two
of
our
little
projects
osv
and
open
Vex,
and
if
anyone
was
interested
patches
are
always
welcome.
I
would
look
for
contributors
and
collaborators
to
assist.
If
somebody
feels
that's
something
interesting
or
if
you
have
other
ideas
feel
free
to
submit
them,
and
we
can
also
help
you
there
too.
A
There
will
also
be
it's
very
late
in
their
day,
but
we
will
also
be
holding
an
open
ssf
day
in
Japan
again
towards
the
end
of
the
year.
So
you'll
hear
more
information
about
that.
If
anyone
is
interested
that
will
be
opened
up,
I
think
they'll
probably
start
announcing
that
later
this
summer
and
I
think
that'll
be
towards
the
end
of
the
year,
like
December
November.
A
I
absolutely
can
make
a
love
connection,
introduce
you
to
Oliver
and
team
for
osv,
Oliver
and
Andrew
are
the
primary
folks
behind
the
project
they're
out
of
Australia.
So
I
would
point
you
to
I'll.
Give
you
some
links
to
the
project,
but
we
technically
will
have
a
call
with
them.
Hopefully
on
June
29th,
we
have
an
APAC
focused
call
version
of
this
meeting.
It's
at
6
PM
Eastern,
so
it's
I
think
about
eight
nine
in
the
morning
for
Australia.
A
A
You
just
missed
the
call
we
had
one
on
Monday
and
our
next
open
Vex
call
will
be
on
La
La,
the
26th
and
those
are
at
3,
P.M,
Eastern
and
puerco
is
out
of
Mexico,
so
I
believe
he's
like
Western
time
zone.
So
he'll
generally
be
on
the
active
in
the
slack
around
then.
But
we
again
have
a
slack
community
and
I
can
point
you
to
the
the
repositories
for
those
that
project
as
well.
A
B
B
You
publish
something
you
get
people
coming
back
and
be
like
hey.
This
line
doesn't
make
any
sense,
so
I
know
he
spent
all
this
time
chewing
on
this
document,
I
got
a
bit
of
feedback
from
Tim
McCormick
when
I
posted
this
in
the
Boston
infosec
slack
Channel,
where
this
chunk
this
sentence
he
said
was
unclear.
B
Originally,
it
read.
If
a
project
responds
to
the
private
report
within
21
calendar
days,
the
details
will
be
publicly
disclosed
shared
with
the
defensive
Community
90
days
on
the
public
90
days,
what
something
yeah
after
90
days
on
the
publication
date-
and
he
said
this
is
unclear
because
it's
not
clear
if
it
will
be
90
days
what
he
asked
her
to
find.
The
question
that
he
posed
to
me.
D
B
It's
not
the
disclosure
will
occur
90
days
from
the
response
or
it'll
occur,
90
days
from
the
original
disclosure
date,
not
90
days
from
the
day
that
they
respond
to
you
back
on
so
I
think
this
clarification
makes
more
sense.
Just
we
is
there
any
dissenting
opinions
or
otherwise
comments
on
this
about
these.
These
proposed
changes
to
the
policy
Chrome,
you're,
muted,.
A
D
B
B
Are
we
good
with?
Is
there
thumbs
up
around
for
adding?
This
is
the
change
that
we
make
to
make
it
clear
you
seeing
any
thumbs
down
probe
in
the
call,
because
I'm
not
great
perfect,
can
you
do
a
thumbs
down?
No,
but
I
mean
oh
that'd,
be
awesome,
I
mean
people,
people
couldn't
say
no
we're
gonna
shake.
B
All
parties
maintainers
as
well
as
researchers,
must
act
responsibly.
The
comma
was
confusing
here,
making
it
look
like
a
list
of
parties,
maintainers
and
researchers,
which
it
is
I
think
it
is
a
list
right.
All
parties
maintainers
as
well
as
researchers,
must
have
a
responsibility,
or
is
there
no
comma
I,
don't
know
syntactically.
B
A
B
A
B
B
B
That's
that's
it
just
going
through
those
I
will
ask
the
operations
team
to
redeploy
the
changes
to
some
of
these
sentences
into
the
publication
version.
We
did
not.
It
was
on
the
tax
tax
Schedule
to
say,
hey
where'd.
This
document
go
there's
a
an
issue
with
the
attack
that
is
asking
them
where
this
document
should
live.
B
A
B
B
B
H
Art
well,
I,
don't
want
to
hijack
your
meeting,
but
if
you
all
are
done
with
your
regular
business,
we
are.
We
have
based
on
your
sort
of
template.
We
have
created
a
a
sort
of
guide,
for
you
know
for
vulnerability
disclosures
for
projects
in
hyper
Ledger.
We
found
that
we
have
a
lot
of
projects,
not
all
of
them
have
Security
Experts,
and
so
we
asked
people
to
sort
of
do
something
and
they
were
like
well.
This
is
a
lot
of
work
for
us.
H
H
But
we
would
love
your
feedback
and
yeah
that
that's
just
about
it,
if
you
think
there's
some
things,
we
did
wrong,
which
you
probably
are
you
know
we.
We
would
just
just
appreciate
your
thoughts
so
yeah
and
yeah.
You
all
are
well.
You
know
if,
if
you
like
this,
or
this
turns
into
something
like
useful,
you
know
we're
we're
happy
to
you
know.
Let
have
people
reuse
it
as
well.
Awesome.
A
B
D
H
B
B
H
B
H
B
Okay,
if
you
do
find
that
you're
running
Services,
one
of
the
things
that's
important
to
to
handle
in
disclosure
in
in
policies
also
is
if
it's
just
software,
but
just
so
open
source.
If
it's
just
code,
then
then
that's
fine.
If
you're
dealing
with
like
services
and
potentially
like
misconfigure
DNS
infrastructure
stuff,
like
that,
a
safe
harbor
policy
is
also
important
to
include
to
say,
like
hey,
you
can
find
vulnerabilities
in
our
infrastructure,
our
website,
our
stuff
like
that,
and
that
is
we
waive
cfaa
and
stuff
like
that.
B
H
We
do
have
a
website,
but
it
falls
under
the
LF.
This
is
for
the
individual
projects
to
do
like
they
don't
have
a
lot
of
independent
stuff.
So
this
is
just
for
like
on
Project
X,
and
this
is
going
to
be
our
disclosure
policy
for
our
code
and
we
have
it
a
little
bit
flexible,
because
all
of
these
projects
do
sort
of
different.
They
have
different
choices.
They
do
different
things
like
some
are,
you
know
extremely
secure
applications,
and
some
are
like
things
that
you
know:
don't
really
touch
security,
all
that
much
so.
A
I
posted
a
link,
we
actually
do
have
an
issue
about
the
open,
ssf,
foundation-wide
kind
of
pushing
out
a
security
MD,
that's
issue:
128.
Luigi
is
currently
shepherding
that
and
I'll
I'll.
Re-Read
that
and
then
I'll
reflect
upon
your
document
heart
and
see.
If
there's
opportunities
to
provide
you
some
good
feedback
there,
and
then
the
idea
was
that's.
Where
wheeler
is,
you
know
if
we're
going
to
do
it
for
the
open,
ssf,
Why,
Don't,
We,
Up
level,
that
to
the
whole
LF
potentially,
is
having
this
template
that
people
can
use
as
a
resource.
A
H
A
H
F
H
Awesome
yeah.
Well,
the
feedback
we
got
was
just
that
people
wanted
a
template
that
they
wanted.
Like
you
know,
they
didn't
want
to
have
to
write
it.
They
wanted,
like
you
know
they
want
a
multiple
choice,
sort
of
cut
and
paste
and
we
wanted
something
that
was.
You
know
flexible
enough
that
people
that
knew
what
they
were
doing
could
you
know,
could
write
their
own
stuff.
You
know
and,
and
people
that
you
know
didn't,
could
just
follow
the
policy
I
mean
we
have
one
project
that
has
something
like
seven
or
eight
intakes,
I.
A
Any
other
feedback
or
comments
for
heart
again
I'm,
going
to
take
a
look
at
both
our
issue
and
then
your
document
provide
you.
Some
feedback
and
I
would
encourage
everyone
on
the
call
to
do
the
same.
I'll
send
a
note
actually
to
our
mailing
list,
encouraging
folks
that
are
on
the
call
to
potentially
also
take
a
peek
and
give
feedback
awesome.
G
I
was
just
sharing
a
link
of
the
software
requirements
document
that
the
Omega
tool
chain-
mentee
engineering
mentees,
are
doing
for
the
summer,
so
essentially
we're
just
trying
to
connect
the
the
Omega
analyzer,
using
also
the
assertion
framework
into
one
serif
report
and
then
uploading
that
to
our
triage
portal,
the
mentees
are
currently
working
through
the
document
finalizing
the
requirements,
the
security
requirements,
testing
and
so
forth.
So
if
you
are
interested
in
providing
any
feedback
for
the
mentees,
we're
welcoming
comments
in
the
document.
A
D
A
B
A
B
B
B
B
A
B
A
B
E
B
B
A
A
spiel
well,
all
of
our
calls,
are
recorded
and
available
on
the
openssf
YouTube
channel.
Just
this
week
we
talked
about
making
adjustments
to
align
the
openvex
spec
with
the
officially
released
sisa
Vex
minimum
requirements,
so
that
I
don't
know
if
that
PR
was
merged
yet
or
not,
but
that
is
in
flight.
So
we
will
have
complete
agreement
with
the
mothership
so
to
speak,
and
the
crew
is
looking
at
a
way
to
unify.
A
There
are
more
people
interested
in
participating
with
open
Vex
than
join
the
phone
call,
so
we
are
looking
to
try
to
find
a
way
to
unify
all
those
folks
and
try
to
give
them
a
forum
to
collaborate.
It's
like,
for
example,
so
I
think
somebody
wrote
a.net
version
of
openvx
implementation
of
openvix.net.
A
We
had
somebody
that
I
don't
and
go
or
whatever,
but
so
we
have
a
couple
different
people
working
on
different
ideas,
so
that
is
in
Flight
how
to
unify
that
development
community
and
then
next
week.
Next
time
will
be
our
evangelism
call
where
we
will
talk
about
strategies
on
how
we
will
evangelize
the
use
of
Vex
throughout
the
ecosystem
and
engage
with
tool.
A
B
Openvx
handle,
is
it
just
cve
numbers,
or
is
it
also
like
scanner
results
like
if
you
have
a?
If
you
have
a
static
code,
analysis
tool
that
spits
out
a
result
about
an
open
source
project,
do
they
does
openvx
also
handle
I
was
having
a
conversation
with
somebody
who's
doing
some
contract
work
for
dlf,
on
building
a
dashboard
for
vulnerability,
information
for
open
source,
and
he
was
like
oh
yeah,
open
Vex
I'm,
like
I,
did
I
thought
open.
Vex
was
only
for
like
declared
vulnerabilities
in
like
from
cves
or
stuff,
like
that.
I.
H
B
D
A
B
So
there's
this
whole
assignment
process
of
code.
That's
under
a
working
group
for
new
code
coming
in
that's
being
ipassed.
What
about
code?
That's
like
fresh
code
coming
in
being
developed
as
a
Sig.
Is
there
like
requirements
around
needing
multiple
organizations
involved
in
those
code
bases
as
well?
Or
is
it
just
code
coming
in
that's
being
donated.
B
So
it's
like
fresh
and
exist
fresh
new
code.
That's
coming
from
an
open,
ssf
staff!
Member,
that's
probably
I,
don't
know
who
I
guess.
The
question
is
this:
is
a
code
base
I'm
developing
it
I
have
a
repository
under
open,
SF
I,
don't
know
if
it's
Alpha,
Omega
owned,
probably
is
right
now
versus?
Is
it
owned
by
the
Segway,
because
it's
kind
of
related
to
the
deliverable
of
the
Sig.
A
B
Anybody
wants
to
write
code
and
I'm
Looking
For
assistance
with
writing
a
client
for
Gmail
to
tie
in
for
disclosure
like
automating
disclosures
via
email
and
sending
emails
to
people
in
an
automated
way
and
I'm.
Also
looking
for
I've
got,
a
I
could
probably
do
the
GitHub
side,
but
if
anybody
like
really
knows
githubs
or
if
anybody
really
knows
Google's
Gmail
API
and
wants
to
help
help
me
out
with
automating
emailing
infrastructure,
your
your
support
would
be
greatly
appreciated.