From YouTube: OpenSSF Vulnerability Disclosures (June 14, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
A: Speaking of presentations, welcome to the June 14th edition of the Vulnerability Disclosure Working Group. Do I have someone that is interested in helping us take notes today?

A: Oh, thank you, Andres. Thank you, awesome, awesome. Do we have anyone, any new friends today? Is this your first time visiting us, and did you want to introduce yourselves?
E: I keep crashing these OpenSSF meetings as I'm getting, you know, situated, and so I don't even remember if I've been to this meeting before or not, but I do see some new faces. So hey, I'm Josh. I work in that hospital at Analog Devices. I'm not going to use the same lame joke that I have been broke, because I know you've heard it, a lot of you, Jonathan, but yeah, yeah. So I went to the OpenSSF Day at the Open Source Summit recently, and my bosses are like, hey Josh, didn't I... keep doing it. So here I am, getting plugged in a couple weeks there now and loving it. This is a great community and I'm happy to be here.
H: Yeah, so hi everybody, I'm Hart. I guess I've been floating around the OpenSSF periodically, but not, you know... I think this is the second time I've joined this working group meeting. But yeah, so I also work for the Linux Foundation. I work mostly on Hyperledger and OpenWallet, and we're looking at rolling out a vulnerability disclosure policy for those projects.
D: Hey, I guess I joined this meeting earlier, and so that's why I'm not new, but I'm Arun. I'm joining in to listen in too. Hot today. Excellent.
A: Roger Dodger. If you have any opens you'd like to talk about, add them in the open section. I only had one item today I wanted to briefly discuss. As Josh mentioned, we just had an amazing OpenSSF Day in Vancouver at the North America Summit. Well, fun fact: we will be holding an OpenSSF Day in Europe in beautiful Bilbao, Spain, and there is currently a call for papers open. So not only would I encourage the group to consider submitting for talking there, but I had an idea, potentially a slot, to talk about this working group and maybe showcase two of our little projects, OSV and OpenVEX, and if anyone was interested, patches are always welcome. I would look for contributors and collaborators to assist. If somebody feels that's something interesting, or if you have other ideas, feel free to submit them, and we can also help you there too.

A: There will also be... it's very late in their day, but we will also be holding an OpenSSF Day in Japan again towards the end of the year. So you'll hear more information about that. If anyone is interested, that will be opened up. I think they'll probably start announcing that later this summer, and I think that'll be towards the end of the year, like December, November.
B: But happy to help in any capacity, yeah, well.
A: I absolutely can make a love connection, introduce you to Oliver and team for OSV. Oliver and Andrew are the primary folks behind the project; they're out of Australia. So I would point you to... I'll give you some links to the project, but we technically will have a call with them, hopefully on June 29th. We have an APAC-focused version of this meeting. It's at 6 PM Eastern, so it's, I think, about eight, nine in the morning for Australia. So that's been a fairly agreeable time, so that would be a great place to talk to OSV. Otherwise I can make some introductions. They have a Slack channel and whatnot. And then OpenVEX: you just missed the call, we had one on Monday, and our next OpenVEX call will be on the 26th, and those are at 3 PM Eastern. Puerco is out of Mexico, so I believe he's like Western time zone, so he'll generally be active in the Slack around then. But we again have a Slack community, and I can point you to the repositories for that project as well.
A: All right, I imagine Jonathan put the next item in. I can't tell, though, because there's no one's name next to it, but I think Jonathan put this next item: clarifying a line or two in the outbound vulnerability... the VDP.
B: You publish something, you get people coming back and be like, hey, this line doesn't make any sense. So I know he spent all this time chewing on this document. I got a bit of feedback from Tim McCormick when I posted this in the Boston infosec Slack channel, where this chunk, this sentence, he said was unclear.

B: Originally, it read: "If a project responds to the private report within 21 calendar days, the details will be publicly disclosed, shared with the defensive community 90 days on..." the public 90 days, what, something, yeah, "after 90 days on the publication date." And he said this is unclear because it's not clear if it will be 90 days... what he asked her to find. The question that he posed to me.

B: It's not the disclosure will occur 90 days from the response, or it'll occur 90 days from the original disclosure date, not 90 days from the day that they respond to you back on. So I think this clarification makes more sense. Is there any dissenting opinions or otherwise comments on this, about these proposed changes to the policy? CRob, you're muted.
B: In general, size the feedback of wanting hash marks on the street on a straight line. Anybody else have any concerns about this change before we commit it and say, hey? You know, I don't know, this is probably not a change that needs the TAC approval, correct? No, okay, yeah. Anybody else?
B: Are we good with... is there thumbs up around for adding? This is the change that we make to make it clear. You seeing any thumbs down, probe in the call, because I'm not great? Perfect. Can you do a thumbs down? No, but I mean, oh, that'd be awesome. I mean people couldn't say no, we're gonna shake.
B: All right, their other comment was: "All parties, maintainers as well as researchers, must act responsibly." The comma was confusing here, making it look like a list of parties, maintainers and researchers, which it is... I think it is a list, right? "All parties, maintainers as well as researchers, must have a responsibility," or is there no comma? I don't know syntactically.
A: A fan of the Oxford comma, you put it at the end of every item in the list, right?
B: All right, great, final thing: "conflict." We kept "conflict" intentionally vague to allow flexibility for changes in this. So I think that there's not a reason for us to change this from being vague, as it is, because...
A: I don't mind "conflict," and Madison actually had a suggested edit for your comma problem.
F: Yeah, it's a little wordy, like a little policy feeling, but I think it addresses the concern with the comma.
B: "All parties involved." All parties involved, that's the word I'm looking for.
A: I don't have a problem with "conflict." You know, it could be a mild disagreement, it could be timing, you know, schedule conflict, it could be... me, I like the bigger word, yeah.
B: That's it, just going through those. I will ask the operations team to redeploy the changes to some of these sentences into the publication version. We did not... it was on the TAC schedule to say, hey, where'd this document go? There's an issue with the TAC that is asking them where this document should live. It seems like the foundation is the likely location for it to live. Is that, CRob, is that your read of that long thread, or is that... yes.
B: Should we just go with that, or do I need to get the TAC to, like, affirm that that is the decision? Do it, okay, great, perfect. All right, I will deploy it there, then, all.
A: Right, thumbs up, Amanda.
H: Hart. Well, I don't want to hijack your meeting, but if you all are done with your regular business... We have, based on your sort of template, we have created a sort of guide for vulnerability disclosures for projects in Hyperledger. We found that we have a lot of projects, not all of them have security experts, and so we asked people to sort of do something, and they were like, well, this is a lot of work for us. Can you just give us something with, like, some multiple choice options? So that's what we tried to do. I'm gonna post a link in the chat. I can also post in your Slack, I think I joined. But we would love your feedback, and yeah, that's just about it. If you think there's some things we did wrong, which you probably are, you know, we would just appreciate your thoughts. So yeah, and yeah, you all are... well, you know, if you like this, or this turns into something useful, you know, we're happy to let people reuse it as well. Awesome.
A: All right, so does anyone have any initial fan... I know it's hard to be put on the spot.
H: That would be wonderful. Thank you so much, yeah. We don't expect anyone to do this live on the spot, but yeah, we're just looking for feedback. You all are the experts, so.
B: So Hart, do you guys... is it Hyperledger, so is this an OpenSSF project or no? Sorry, a Linux Foundation project or no? Yep, all right, so have you spoken to David Wheeler? Okay, David Wheeler is working on a proposed disclosure policy for all of the LF. Okay, it's high level. That's the first comment.
H: I don't think any of our critical infrastructure is hosted by the LF. Now we have a bunch of different projects, and a bunch of them do it differently, like, you know, some people use CircleCI, not GitHub Actions, but you know, that sort of thing.
B: Okay, if you do find that you're running services, one of the things that's important to handle in disclosure policies also is if it's just software, but just so open source... If it's just code, then that's fine. If you're dealing with, like, services and potentially, like, misconfigured DNS infrastructure, stuff like that, a safe harbor policy is also important to include, to say, like, hey, you can find vulnerabilities in our infrastructure, our website, our stuff like that, and we waive CFAA and stuff like that. But if you don't have a website, you don't have a... you know, it's all just the code, then that's probably not as relevant. Well.
H: We do have a website, but it falls under the LF. This is for the individual projects to do, like, they don't have a lot of independent stuff. So this is just for, like, on Project X, this is going to be our disclosure policy for our code, and we have it a little bit flexible, because all of these projects do sort of different... they have different choices. They do different things, like some are, you know, extremely secure applications, and some are, like, things that, you know, don't really touch security all that much, so.
A: I posted a link. We actually do have an issue about the OpenSSF, foundation-wide, kind of pushing out a SECURITY.md; that's issue 128. Luigi is currently shepherding that, and I'll re-read that and then I'll reflect upon your document, Hart, and see if there's opportunities to provide you some good feedback there. And then the idea was, that's where Wheeler is, you know: if we're going to do it for the OpenSSF, why don't we up-level that to the whole LF potentially, having this template that people can use as a resource.
A: Much easier to start with some nonsense on the whiteboard than a blank sheet of paper.
H: Awesome, yeah. Well, the feedback we got was just that people wanted a template. They wanted, like, you know, they didn't want to have to write it. They wanted, like, you know, a multiple choice, sort of cut and paste, and we wanted something that was, you know, flexible enough that people that knew what they were doing could, you know, write their own stuff, and people that, you know, didn't could just follow the policy. I mean, we have one project that has something like seven or eight intakes, I.
A: Any other feedback or comments for Hart? Again, I'm going to take a look at both our issue and then your document and provide you some feedback, and I would encourage everyone on the call to do the same. I'll send a note, actually, to our mailing list encouraging folks that are on the call to potentially also take a peek and give feedback. Awesome.

A: Are there any other topics we would like to discuss today?
G: I was just sharing a link of the software requirements document that the Omega toolchain engineering mentees are doing for the summer. So essentially we're just trying to connect the Omega analyzer, using also the assertion framework, into one SARIF report and then uploading that to our triage portal. The mentees are currently working through the document, finalizing the requirements, the security requirements, testing and so forth. So if you are interested in providing any feedback for the mentees, we're welcoming comments in the document.

G: Three... oh, big picture, and then I took into individual components. So, cool, any feedback or input for the mentees to help them with would be greatly appreciated.
A: Awesome. Thank you for sharing, Yesi. Any questions about the Omega engineering mentorship security requirements document?

A: Folks, last call, any other topics we would like to discuss today? Otherwise we will adjourn a little early.
A: No, I thought the group was agreeable to it, but we just don't have a ton of developers here that were interested in taking on the maintenance, but I have no idea. No problems. Housing... I think it's a useful tool, adds a lot of value. You don't want me developing anything, yeah.
B: I had to... I basically told Scovetta that, sure, I'll own it, but he needs to commit to code reviews within 24 business hours of my Go changes going in, and he's like, can you get... you send me to do that? I'm like, no, you wrote the code base. You've got to do the code review.
G: Have my own review policy, yeah.
A: Again, I don't think we're opposed to it, and I would suggest, let's send a note to our mailing list again, because there's, like, 50 to enter. You have to have at least two organizations; there's a whole, like, code donation process. Oh.
A: I appreciate that feedback. I have minimal ability to adjust that.
B: I know, expire. Okay. That was topic number one. Topic number two: are you doing... do you want to do our sub-working groups, SIG updates? If.
A: A spiel, well, all of our calls are recorded and available on the OpenSSF YouTube channel. Just this week we talked about making adjustments to align the OpenVEX spec with the officially released CISA VEX minimum requirements. So I don't know if that PR was merged yet or not, but that is in flight. So we will have complete agreement with the mothership, so to speak, and the crew is looking at a way to unify. There are more people interested in participating with OpenVEX than join the phone call, so we are looking to try to find a way to unify all those folks and try to give them a forum to collaborate. Like, for example, I think somebody wrote a .NET implementation of OpenVEX. We had somebody that, I don't know, in Go or whatever, but so we have a couple different people working on different ideas, so that is in flight, how to unify that development community. And then next week, next time, will be our evangelism call, where we will talk about strategies on how we will evangelize the use of VEX throughout the ecosystem and engage with tool...
B: Does OpenVEX handle... is it just CVE numbers, or is it also, like, scanner results? Like, if you have a static code analysis tool that spits out a result about an open source project, does OpenVEX also handle... I was having a conversation with somebody who's doing some contract work for the LF on building a dashboard for vulnerability information for open source, and he was like, oh yeah, OpenVEX. I'm like, I thought OpenVEX was only for, like, declared vulnerabilities from CVEs or stuff like that. I.
A: I would encourage you to ask that in the OpenVEX Slack channel, and maybe Puerco or Rose, the developers, might be able to answer more quickly for you. All right, that was good.

A: But yeah, so OpenVEX is continuing to meet, and we're kind of bifurcating the call, focusing on technical and then also focusing on evangelism, so we'll be alternating between those two topics in assorted meetings. Cool.
B: All right, I can go for the Autofix SIG. I have been actively working on this code base for the open auto vuln disclose state machine, which is handling taking that flow diagram that I've presented a couple of times and turning it into an actual disclosure flow for how we handle things, Chrome code.

B: So there's this whole assignment process of code that's under a working group for new code coming in that's being ipassed. What about code that's, like, fresh code coming in, being developed as a SIG? Is there, like, requirements around needing multiple organizations involved in those code bases as well? Or is it just code coming in that's being donated?
B: So it's like fresh and existing... fresh new code that's coming from an OpenSSF staff member, that's probably, I don't know who, I guess. The question is this: this is a code base I'm developing. I have a repository under OpenSSF. I don't know if it's Alpha-Omega owned, probably is right now, versus, is it owned by the SIG, because it's kind of related to the deliverable of the SIG.
B: Right, well, there's code being worked on. I don't know who owns it, but currently me, so to the extent of whoever I represent in the hat that I'm wearing in the moment, which maybe that SIG and maybe the Alpha-Omega team. Yay, ambiguity, ambiguity, well.
A: And we have an assortment of tools already in place, so I would encourage you to look at some of the working groups that do tools, like Scorecard, OSS-Fuzz. You know, those are existing projects, so you could see what they are doing, and whether it's something you want to open source or not.
B: Anybody wants to write code? I'm looking for assistance with writing a client for Gmail to tie in for disclosure, like automating disclosures via email and sending emails to people in an automated way. And I'm also looking for... I've got a... I could probably do the GitHub side, but if anybody, like, really knows GitHub's, or if anybody really knows Google's Gmail API and wants to help me out with automating emailing infrastructure, your support would be greatly appreciated.
A: All right, folks, thank you for your time and attention today. Hopefully join us this afternoon with Autofix. Otherwise we will talk to you in a future meeting time. Enjoy the day, and please give Hart's document a little review if you can. Thank you. Thank...