►
From YouTube: OpenSSF Vulnerability Disclosures (April 12, 2023)
D
B
C
B
C
Perfect
hi,
Jordan,
I,
hope,
I,
hope
I
haven't
come
across
as
not
liking
you
in
any
way
it's
it's.
C
C
A
C
B
C
C
At
a
high
level,
we
need
to
make
sure
that,
like
sure
we
can
have
policies
and
processes
that
that,
like
open
source
security,
Foundation
or
AO
has
but
like
we
can't
assume
those
same
resources
are
available
to
everybody,
one
more
style,
absolutely
right,
all
right,
so
let
me
send
out
the.
C
You
can
either
gray
or
mark
yourself
as
present
by
ringing
in
your
name
or
you
know,
making
your
name
solid
or
if
you
can
add
your
name,
if
you
don't
have
it
in
there.
That
would
be
great
we
need
to.
In
order
for
this
to
become
an
official
Sig
under
the
open
source
security
Foundation.
We
need
at
least
two
three
weeks
of
tenants
from
organizations
Beyond.
C
C
C
G
A
H
A
C
Copy
and
saved
all
right,
so
let's
go
through
the
agenda
real
fast
new
friends
in
intro
anybody
who's
new
here
who's,
never
attended.
This
sig
meeting
want
to
introduce
himself
and
and
share
who
you
are,
and
maybe
where
you
work,
or
you
know
what
how
what
brought
you
here.
E
E
B
Passionate
yes,
there
you
go
yeah,
perfect
glad
to
be
here.
Yeah.
D
Hello,
my
name
is
Sandra
sorby
I'm.
Currently
a
student
at
njt,
a
senior
and
I,
don't
know.
I
was
just
looking
to
potentially
contribute
into.
You
know:
securing
some
open
source
software
in.
I
D
Capacity
so
just
looking
to
see
how
to
to
see
where
I
can
help.
C
I
My
name
is
Abbas
chitri
and
I'm
a
second
year
undergrad
student
from
Nepal
and
I
was
just
looking
for
fun
stuffs.
You
know
open
source
contribution
and
stuff,
so
I
thought
I
was
interested
in
security.
Also,
so
I
found
open,
SF
and
I
just
joined
it.
Thanks
welcome.
C
Well,
okay,
yes,
do
we
have
anybody
who
wants
to
help
scribe
our
meeting
today.
C
You
Josh
appreciate
it.
Okay,
do
we
have
any
opens
anybody
want
to
talk
about
anything,
that's
not
on
the
schedule.
I
mean
maybe
but
yeah.
Does
anybody
have
any
like
open
topics?
They
want
to
bring
up.
C
Okay,
so
the
people
that
are
new
here
at
a
high
level,
this
working
group,
this
sig.
So
this
is
a
Sig
under
the
so
Sig
stands
for
special
interest
group
under
the
vulnerability
disclosures
working
group-
and
we
are
focused
primarily
on
discussing
the
topic
of
automating
vulnerability,
fixing
at
scale
predominantly
through
both
lower
Quest
generation
or
in
some
form,
trying
to
bulk,
generate
contributions
to
fix
security
vulnerabilities
at
scale
across
all
open
source.
C
This
work
at
a
high
level
is
the
continuation
of
some
of
the
work
that
I've
been
doing
in
for
starting
in
2020
through
last
year,
where
I
was
the
first
Dan
Kaminsky
fellow
and
bulk
generated
several
hundred
pull
requests
to
fix
security.
C
Such
as
zip
slip,
partial
path,
reversal,
temp
directory
hijacking
and
I've
generated
in
my
career
north
of
7
000,
pull
requests
to
fix
various
different
security
vulnerabilities
across
open
source,
and
so
Alpha
Omega
has
hired
myself
and
Yesenia
under
AO
to
try
to
focus
on
fixing
security
vulnerabilities
at
scale
and
instead
of
Alpha
Omega
kind
of
just
going
in
to
this
work.
You
know
not
engaging
with
the
open
SF
and
just
doing
our
own
thing.
C
We
kind
of
want
to
accomplish
a
set
of
standards
and
best
practices
for
doing
this
work
in
a
way
that
is
inclusive
of
both
security,
researchers
and
also
maintainers
and
I'm.
Not
the
only
one.
That's
been
doing
this
work,
trellix
and
Casimir
who's
on
the
call
has
also
engaged
in
this
sort
of
work
to
generate
pull
requests
at
scale
to
fix
security.
Vulnerabilities
GitHub
is
engaging
some
of
this
work
in
the
past.
C
To
do
this,
when
there
was
a
cve
in
a
popular
C
library
that
got
re-ventored
in
a
lot
of
libraries,
and
so
they
used
a
bot
that
I
wrote,
but
we
want
to
come
with
a
set
of
policies
and
and
processes
to
establish
Norms
around
how
we
can
do
this
work
in
a
way
that
minimizes
harm
to
maintainers,
but
still
actually
gets
the
vulnerabilities
fixed
and
still,
but
but
at
the
same
time,
also
keeping
in
mind
that,
like
we
are
dealing
with
vulnerabilities
at
scale,
for
example,
Casimir
you
generated
what
60
something
thousand
pull
requests.
C
C
Yeah
65
000,
Polar,
Express
and
so
trying
to
keep
in
mind
that
humans
getting
involved
in
that
sort
of
scale,
is
a
very
tedious
process,
especially
when
you
don't
have
a
large
company
or
organization
behind
you.
If
it's
just
you
doing
this
work,
how
can
we
enable
others
to
do
this
kind
of
work
at
massive
scale
and
have
a
positive
impact
on
the
security
of
the
industry,
but
do
so
in
a
way
that's
respectful
of
maintainers?
C
C
So
they're
in
that,
in
to
kind
of
give
an
overview
in
that
endeavor,
we
have
a
specification
dock
which
is
linked
in
the
in
the
meeting
notes
where
we
are
intending
or
attempting
to
Define
what
is
a
what
is
defining
like
what
is
an
open
source
security,
Foundation,
compliant
automated
vulnerability,
fixed
campaign,
so
creating
a
set
of
standards
that
Define
under
a
set
of
constraints.
What
the
open
source
security
Foundation
considers
to
be
compliant
with
what
we,
what
we
want
to
see
others
in
the
industry,
doing.
C
Thank
you.
So
in
that
context,
Jordan
you
have
some
opinions
and
perspectives
and
I.
You
know
I
want
to
open
the
floor
up
to
anybody
who
has
or
has
not
read
this
document
to
to
make
comments,
points,
questions
anything
before
it.
E
Where
I
think
a
motivated
by
perhaps
some
philosophical
differences
or
priority
different
priorities,
right
I,
think
that
the
way
that
y'all
may
be
approaching,
it
is
slightly
different
than
the
way
I
would
approach
it
and
that
what
I
would
probably
think
to
do
is
say:
okay,
how
can
I
divide,
there's
tons
of
projects
and
tons
of
maintainers?
E
How
can
I
first
like
divide
those
up
into
chunks
and
be
like
which
chunk
is
going
to
be
the
most
effective
in
in
terms
of
getting
the
fix
landed,
but
also
like
leaving
the
maintainer
with
a
good
taste
in
their
mouth
so
that
they
want
like,
like
not
just
so
that
they
like
openssf
or
whoever's
doing
the
campaign,
not
just
so
that
they
want
to
fix
vulnerabilities,
but
so
that,
when
they
think
of
security,
they
have
a
positive
connotation
and
it's
very
easy
for
maintainers
to
get
a
negative
connotation
about
security
right
now
and
that
mental
like
that
attitude
shift
is
what
I
think
I
think
that
that's
one
of
the
things
that
makes
that
causes
the
most
insecurity
in
the
ecosystem
is
when
people
don't
have
positive,
like
warm
fuzzies
about
security
and
so
I
prioritize
that
rather
highly
as
a
result.
E
So,
for
example,
to
the
stuff
some
of
the
stuff,
Jonathan
and
I
were
talking
about
today,
and
yesterday
is
for
a
maintainer
who
has
enabled
PBR
on
their
repo.
It's
sort
of
a
no-brainer
right
like
they
have
explicitly
turned
on
a
programmatic
mechanism
to
receive
vulnerability.
E
Reports
privately
like
great
you're
good,
like
report
them
and
anyone
who's
turned
that
on,
like
you
should
just
like
those
are
all
repos
that
are
no-brainers,
because
somebody
has
yeah
I
think
he
sent
me
for
clarifying
the
acronym,
but
but
like
that's
somebody
who
knows
enough
about
security
to
have
turned
it
on
and
who,
like
is
prepared
to
receive
the
reports
theoretically
and
we'll
probably
fix
it,
and
there
is
then
a
separate
group
of
folks
that
doesn't
have
it
turned
on
and
also
doesn't
have
a
security
policy
declared,
and
this
is
the
group
that
doesn't
know
probably
about
security
as
opposed
to
having
opinions
or
thoughts
or
whatever,
and
this
is
the
group
where
you'd
want
to
like
with
the
PVR
group.
E
You
can
just
kind
of
be
like
you
have
this
turned
on
here's
a
report
like
how
can
we
help
with
the
group
that
that
is
completely
like
unaware?
E
You
know
you
would
probably
want
to
file
an
issue
and
be
like
hey
there's.
This
thing
called
PVR
and
here's.
Why
it's
great
and
here's
why
you
should
use
it
and
we
have
a
vulnerability
to
report,
but
we
don't
want
to
do
it
publicly
for
reasons.
For
these
reasons
and
like
you
know,
so,
it's
sort
of
more
of
a
like
education
thing
and
it's
very
automatable,
but
you'd
still
want
to
craft
it
in
the
form
of
like.
E
E
You
know
their
previous
employers
projects,
for
example,
or
somebody
who
maintains
the
project
of
somebody
else.
That's
still
on
their
user
account
and
that
user,
like
doesn't
pay
attention
to
their
computer
anymore,
but
the
project
is
still
maintained
very
well
things
like
that.
So,
but
then
those
users
prior
to
PVR
existing
the
overwhelming
best
practice
and
what
all
of
the
players
in
the
industry
have
been
encouraging
for
a
long
time
is
hey,
go,
please
add
a
security
policy.
E
Please
tell
us
in
an
English
like
a
prose
document
where
to
send
these
private
vulnerability,
vulnerability
reports
and
it
could
be
an
email
address,
it
could
be
go
to
Titleist
or
sneak
or
could
be
go
to
hacker1
or
whatever
right,
and
it
is
certainly
a
failing
in
the
ecosystem
that
that's
the
best
we
had
and
PVR
is
better
but
like.
If
somebody
has
taken
the
time
to
do
that,
especially
bigger
projects
or
busier
maintainers
that
have
built
a
process
around.
E
That
I
think
it's
important
to
try
to
respect
that,
even
if
it
incurs
the
cost,
like
the
trade-off
of
being
less
automatable.
C
Anybody
else
have
any
perspectives
they
want
to
share
on
this.
This
topic.
C
I
think
that
the
one
thing
that
I
think
that
we're
generally
in
agreement
I
think
the
one
thing
that
the
one
thing
that
I
struggle
with
is
that,
given
that
PBR
is
such
a
recently
added
feature-
and
it's
actually
only
coming
out
of
beta
this
month,
like
within
the
next
couple
of
like
the
next
week
or
two,
it's
still
been
a
beta.
H
C
Right,
the
security.md
format
has
been
a
has
been
a
feature
of
GitHub
for
several
years
now,
so
there
may
be
a
lot
of
projects
that
establish
the
security
of
that
NB
file
prior
to
this
feature
being
available,
and
so
they
may
not
at
that
point,
consider
turning
on
PVR
and
so
trying
to.
C
Go
through
a
disclosure
process
following
a
process
that
was
defined
before
PDR
was
even
enabled
and
a
possibility
for
them
to
enable
when
it
could
just
be
as
easy
as
asking
them
hey.
Can
you
enable
PVR?
So
you
can
we
can
report
there
yeah?
That
seems
like
an
additional
lift
that,
especially
when
you're
trying
to
automate.
C
E
Yeah
and
you
may
even
get
more
than
one
if,
if
it's
all
under
an
org
right,
so,
for
example,
the
reason
that
I
started
paying
attention
to
this
is
I,
don't
think
it
was
related
to
this
specific
campaign.
But
somebody
filed
an
issue
on
like
12
different
npm
repos
that
I
watch
because
I
like
suffering-
and
they
basically
say
please,
you
know,
like
I-
have
a
vulnerability
I
like
to
report
it.
E
Where
do
I
do
it
and
the
they
were
all
closed
with
a
link
to
the
security
policy
by
annoyed,
overworked
maintainers
and
certainly.
E
An
issue
filed
on
one
issue:
one
notification
to
the
npm
people
somewhere.
That
says:
hey
turn
on
a
PVR
for
your
org
and
we
can
report
all
these
vulnerabilities
that
we
have
would
be
valuable,
but
12
is
counterproductive
and
so,
like
I
I,
don't
know
how
to
balance
that,
because,
like
like,
like
my
example,
is
I
have
400
projects
but
they're
spread
across
less
than
10
organizations
and
users,
and
so,
if
I
got
10
notifications,
I'm
going
to
be
a
lot
less
annoyed
than
if
I
get
400.
E
And
so
maybe
that's
a
way
to
balance
a
trade-off,
so
like
I
agree
with
you,
enabling
PBR
is
a
good
thing,
but
like
I
also
would
hope
that
as
GitHub
moves
this
out
of
beta,
that
they
just
enable
it
by
default
for
all
new
repos
and
like
upsell,
pretty
heavily
hey.
Please
click
this
button
and
turn
it
on
or,
alternatively,
that
they
just
turn
it
on
for
everyone,
but,
like
you,
know,
we're
not
in
control
of
what
they
do
with
their
product.
F
E
I'm
yeah
I'm,
talking
about
like
a
like
a
PR
is,
is
I
mean
if
it
needs
to
fix
400
places,
then
I
need
400,
PR's
right,
like
it's
more
of
it
like
if
you're
gonna
be
notifying
me
and
asking
me
to
do
work
without
contributing
anything.
Like
an
issue
saying
hey,
please
turn
on
PBR
like
I'm,
basically
saying
it
would
be
nice
if
the
identity
of
the
humans
receiving
the
request
was
taken
into
account,
meaning
like,
for
example,.
H
E
Have
more
than
one
notification
queued
up
for
this
org?
Let's
only
notify
one
place
and
if
we
have
further
notifications,
let's
edit
that
issue
and
be
like
it
also
applies
to
these
repos
and
bullet
point
lists
and
like
and
in
that
way,
you're
sort
of
you're
not
you're,
still
notifying
the
right
people,
but
you're,
not
overloading
them
with
notifications.
E
Something
to
that
effect.
You
know
that
might
be
a
compromise
right.
C
That
works.
It
works
really.
Well,
if
it's
an
organ,
if
it's
a
company
but
I
have
worked
inside
I've
been
a
part
of
organizations.
For
example,
the
angular
UI
organization
was
a
mixed
bag
of
a
bunch
of
people
from
a
bunch
of
different
projects
that
didn't
cross
talk
at
all,
and
they
had
just
ended
up
in
the
same
I.
Don't
know
how
they
all
ended
up
in
the
same
organization,
but.
B
C
E
But
the
that's
fair,
I
I
do
think
that's
probably
a
rare
case,
but
also
like,
even
in
those
cases
it's
not
destructive
to
enable.
So
it's
like
all
you
need,
is
one
org
owner
to
see
that
and
be
like
yeah.
That's
a
good
idea
and
then
go
click
a
button
and
like
it's
on
for
everyone
in
the
org,
regardless
of
whether
they're
Central
leadership
and
that's
not
going
to
stop
an
individual
project
from
then
going
and
turning
it
off.
C
Well,
at
least
for,
for
there
are
certain
things
like
you
can
I
think
there
are
certain
things
that
are
universally
applicable.
For
example,
if
you
have
the
setting
like
open
Assistant
has
a
setting.
That's
like
require
sign,
commits
right
when
you're
committing
the
web
UI
and
then
all
the
summer
projects.
You
can't
turn
it
off,
but
it
shows
you
that
it's
set
as
an
org
level
permission
or
an
order
level
setting
sorry
the
hiccups
levels,
yeah.
E
And
that
would
make
sense
if
it
was
a
requirement,
but
the
way
that
GitHub
is
currently
implemented
at
the
org
level
is
that
you
can
check
a
box
that
sets
the
defaults
for
new
repos,
but
then
there's
an
enable
all
disable
all
button
that
just
stamps
the
setting
onto
everything.
So
if
you
click
enable
all
and
then
somebody
turns
it
off
like
there's
you'd
have
to
infer
that
you
wouldn't
be
able
to
actually
like
determine
that.
That's
what
had
happened.
E
E
How
would
I
put
it
maintainer
burnout
is
a
very
big
topic
in
open
source
and
like
so
is
a
security
and
I
I
think
that
we
we
can't
have
one
without
addressing
the
we
can't
address
one
without
addressing
the
other
in
both
cases
and
like
in
both
directions,
and
so,
like
I,
think
it's
it's
worth
delaying
a
tranche
of
projects
in
getting
fixes
or
reports
if
it
avoids
adding
to
the
burden
on
maintainers.
E
That's
a
judgment
calling
on
off
degree
on
right,
but
that's
my
my
intuition
here.
A
C
Else
have
any
opinions
on
this
from
their
own
experience,
maintaining
large
organization
projects
or
been
being
part
of
organizations.
G
I
wouldn't
say
large,
but
it's
a
hard
thing
to
balance.
The
ideal
thing
would
be
if
the
repository
hosts,
like
GitHub
gitlab
Etc,
just
supported
having
this
be
a
more
integrated
feature
and
also
having
it
be
enabled,
by
default,
the
future
being
the
private
vulnerability,
reporting.
G
I
feel
like
from
the
maintainer
perspective.
If
you
have
it
be,
opt
out
and
it's
a
one-click
opt
out.
That's
a
reasonable
balance,
but
I
would
say
that
requires
support
from
whoever
the
host
is
so.
C
Do
you
Jordan,
do
you
have
any
opinions,
as
this
relates
to
other
other
than
GitHub,
or
is
this
all
GitHub
Central
I.
B
C
E
Just
checking
yeah
I
mean
I
think
any
a
solution
is
always
nice
when
it's
not
tied
to
a
single
provider
or
company
and
there's
lots
of
ways.
I
want
GitHub
to
be
less
like,
like
the
single
source
of
failure
or
whatever
in
open
source
ecosystem,
but
GitHub
like
open
source
is
GitHub
right
now.
So
it's
like
that.
That's
not
a
justification
for
ignoring
gitlab
and
friends,
it's
more
just
like.
If
we
don't
have
GitHub,
we
haven't
achieved
anything
and
if
we
do
have
GitHub
the
rest
are
like
often
a
rounding
error.
C
Okay,
so
the
ask
here
is
that,
let
me
just
read
it
repeat
it
back
to
you.
The
ask
here
is
that.
C
You
were
I
I
struggle
with
the
single
report,
I
hear
what
you're
saying
where
you're
you
like
you
end
up,
for
example,
right
depend
about
right.
You
have
a
bunch
of
projects
that
I'll
use
the
same
dependency
set,
and
then
you
end
up
with,
like
five
depend
about
pull
requests
across
six
repositories
that,
like
you,
know
across
you
know,
X
number
of
repositories
that
are
all
fixing
the
same
vulnerability
right.
C
E
Well,
depending
box,
a
little
like
please
enable
PBR
is
one
thing,
but
the
the
fixes
right,
like
the
reason
dependabot,
is
annoying
and
people
turn
it
off.
A
lot
is
because
it
affects
every
level
of
the
depth
graph,
because
there's
lock
files
everywhere,
instead
of
just
having
lock
files
at
the
app
level
so
like,
but
the.
E
But
in
this
case
you
no
matter
if
it's
100
Levels
deeper
two,
you
will
still
only
have
one
PR
doing
the
fix,
certainly
releasing
the
fix
would
trigger
dependency,
update
wave
but
like
I
I
think
the
fixed
PRS
or
the
even
the
the
reports
of
the
vulnerability
themselves
are
going
to
be
targeted
and
not
suffer
from
that
problem.
Right.
E
It's
just
the
the
please
enable
PDR
thing
is
the
one
that
I
think
could
be
spammy
and
like,
but
I
I
actually
am
not
even
that
worried
about
that.
If,
if
I
have
a
repo
that
has
no
security
policy
and
I
have
PVR
off,
and
then
someone
says
hey
turn
this
on
so
I
can
report
stuff,
I'm
gonna
be
like
oh
thanks,
like
I
didn't
realize.
I
had
no
way
to
do
that,
and
so,
even
if
it's
annoying,
because
there's
a
lot
I'm
gonna
be
like
all
right.
E
Well,
I
should
have
already
done
this.
You
know,
but
like
the
I'm,
not
gonna,
have
the
same
group
magnanimity.
If
you
know
I
laboriously
put
a
security
policy
into
hundreds
of
repos
and
then
I
still
have
to
go
click
another
thing,
even
though
I
already
told
everyone
how
to
do
it.
You
know
how
to
record
things.
You
know.
That's
the
sort
of
so
like
a
fix
is
fine.
C
C
H
E
E
I
have
security.nds
that
are
in
repos
that
predate
GitHub,
supporting
an
orglevel.github
repo
and
then
I
also
have
a
GitHub
org
level,
dot
GitHub
repo
with
this
security
policy,
so
sometimes
I
have
both
just
for
legacy
reasons.
But
yeah
I
agree
if
there's
no
org
level
policy
and
there
is
a
repo
level
policy
that
suggests
that
I
don't
know
that
that
that
that
that's
worth
considering
differently
I,
don't
know
exactly
what
it
suggests
yet.
E
E
C
Don't
know
yes
because,
like
for
well
take,
for
example
the
Apache
software
Foundation
right
they
have
like.
Can
you
still
hear
me?
Okay?
Take,
for
example
the
Apache
soccer
Foundation
there
is.
There
is
like
there's
that,
like
at
least
a
thousand
repositories
right,
yeah
and
they're
all
run
by
different.
E
C
Mean
I
mean
there's
also
the
eclipse
foundation
and
there's
probably
other
ones
that
have
similar
behavior,
that
I
I
don't
know
about
right.
Like
you
want
you,
you
may
want
to
hard
code
special
cases,
but
at
a
certain
point
your
special
cases
don't
work,
because
there
are
things
you
don't
know
about
yet.
E
Right
I
mean
I,
think
I.
Think
the
number
of
Foundations
or
organizations
that
have
truly
in
like
a
lot
of
truly
autonomous
projects
is
like
I.
Think
that's
not
going
to
be
that
many
I
mean
maybe
double
digits,
but
like
not
triple.
C
Yeah,
probably
but
I
mean
that
includes
large
organizations
like
Google
and
like
am
like
those,
because
those
projects
are
probably
run
under
a
single
organization,
but
each
of
those
teams
could
be
very
wildly
disparate
from
foreign.
E
C
C
This
document
recently
had
legal
come
through
it,
which
means.
C
Of
the
stuff
got
munged
interesting
ways:
okay,
vulnerability,
messaging
disclosure
systems.
E
E
C
It
doesn't,
there
is
a
Paul
there's
something
that
Luigi's
working
on
in.
H
That
department,
Json.
C
Specification
but
I
think
the
problem
with
that
is
that
it
still
has
the
multiplicative,
like
you
also
have
to
Define
adapters
for
every
single
different
disclosure
mechanism,
hacker
one
bug
crowd
but
then,
like
even
taking
into
a
mind,
jira
right.
Every
single,
like
every
single
organization,
is
running
their
own
instance
of
jira.
It's
not
bitbucket's
Central
jira
instance,
so
you
can't
log
in
account
for
jira
and
Report
via
that
channel.
You
have
to
create
an
account
for
every
single
like
Jenkins.
Is
one
and
apache's
one
like
all
that,
and
that's
that's
that
again
scale.
E
Yeah
I
mean
it,
but
you
could
make
the
the
such
a
schema,
just
not
work
for
anything
that
isn't
anonymously,
programmatically,
submittable
or
something
like
like
it
requires
you
to
create
an
account.
You
don't
put
it
in
the
schema,
because
it's
not
good
enough
right,
like
schema,
is
just
for
scalable,
programmatic,
private
vulnerability
reporting.
So
that's
either
like
a
post,
endpoint
or
an
email
address,
or
you
know
some
static
thing
that
says:
use
GitHub,
PVR
I,
don't
know
like
whatever.
E
Maybe
GitHub
has
a
thing
yeah,
because
yeah
I
mean
I
think
the
reality
is
that
if
a
project
requires
somebody
to
sign
up
for
jira
to
get
to
get
a
report,
they're
just
not
going
to
get
reports
anyway.
So
yeah.
E
E
Like
advising
of
the
existence
of
yeah
yeah
requesting
yeah
but
like
I,
think
it's
useful
to
point
out
that
the
issue
can
advise
that
there
is
a
vulnerability
without
saying
what
it
is
like.
It's
important
that
it
must
not
disclose
the
vulnerability
and
it
should
imply.
You
know
it
should
say
that
there
is
one
right.
C
You
know
the
programming
means
of
reporting
is
not
enabled
in
the
vulnerability
your
product
of
a
programmatic
means
of
private
reporting.
Okay,
the
program
means
of
private
private
reporting.
F
B
C
C
E
So
I
don't
know
something
like
I'm
just
kind
of
spitballing
but
like
like
you
can't
we
can't
proscribe
anything.
You
prescribe
anything
here
because,
like
we
don't
even
know
what
the
objective
create,
Like
rules
would
be
and
we
haven't
even
tried
it
out
so
like,
even
if
we
came
up
with
something
that
might
be
terrible
right,
but
like
it's
useful
to
kind
of
talk
about
here,
as
so
the
spirit,
I
think
and
the
intent
isn't
in
there
and
like
as
Alpha
Omega
gets
better
at
figuring
this
out.
E
E
I
guess
I
mean
that's
fine
and
if
you
want
to
delete
it,
go
ahead,
my
thought
is
of
what
it
adds
is
that
it
like
okay,
so
I'm
coming
at
this
from
a
JavaScript
spec
angle.
E
A
little
bit
here
is
there's
non-normative
notes
in
the
JavaScript
spec
that,
like
engine
implementers,
don't
have
to
follow,
but
they
clue
in
people
to
the
intent
of
something
or
the
possibility
of
optimization
or
of
like
an
edge
case
to
be
aware
of
so
they
don't
optimize
themselves
into
a
bug
and
stuff
like
that,
and
that
sort
of
should
should
and
non-normative
have
the
same
semantic
right
and
so
that's
sort
of
what
I'm
thinking
is
like
so
being
like.
Hey
try
not
to
be
a
dick
here,
and
this
is
something
to
be
aware
of.
E
F
F
Retainer
across
the
projects,
so
I
think
it
adds
a
value
of
like
hey,
think
of
your
use
cases
and
your
edge
cases,
but
also
these
are
other
ways
that
they
have
already
described
how
to
communicate
to
us.
So
the
security.md
file
and
I
think
you
had
mentioned
another
one
earlier
of
what's
to
check,
but
I
think
it
just
helps
folks
point
to
so.
C
C
C
For
example,
all
right
sure,
for
example,
instead
many
issues
across
multiple.
B
C
C
Do
or.
C
All
right,
multiple
roles
is,
in
the
same
within
the
same
user
organization,
I,
think
appropriate
for
a
single
issue.
F
For
a
little
bit,
more
clarity,
I
just
I,
think
it
could
be
at
the
top
or
something
but
defining
what
an
organization
is,
because
my
folks,
most
most
folks
might
think
of
it
as
a
company
and
not
think
of
a
foundation
as
an
organization
or
not
realize
that
some
source
code
management
tools
have
separate
organizations
just.
H
C
E
Yeah
I
mean
I,
think
it
if
that's
a.
If
that's
a
term
that
is
going
to
be
confusing
to
anybody,
then
I
would
say
that
all
of
openss
documents
should
probably
link
to
somewhere.
That
defines
it
in
detail
yeah
just
the
first
time
that
they
use
the
word
organization,
and
then
we
can
kind
of
solve
that
problem
for
everyone.
There.
C
Is
a
discussion
yeah
there
is
a
discussion
within
the
open,
S
stuff
of
creating
a
like
a
glossary
or
something
glossary.
Yeah.
F
I
think
it's
just
because
you
I
keep
hearing
and
during
the
conversation
organization,
I
keep
thinking
company.
That's
the
first
thing
that
comes
to
my
mind
and
I
was
like.
Maybe
we
should,
but
a
glossary
is
10
times
better
because
we
don't
have
to
maintain
it.
C
B
E
E
E
E
C
All
right,
we
are
currently
eight.
B
J
Yeah
I'm,
sorry,
I,
I'm,
sorry,
I,
joined
late
and
and
pardon
if
this
has
been
asked
already.
But
you
know
I
know
that
there's
a
lot
of
talk
about
the
Sterling
tool
chain
and
I
know
that
workflows
are
assumed
to
be
part
of
it
in
you
know,
despite
talking
about
GitHub,
and
you
know,
GitHub
actions
are
going
to
be
preeminent
play
part
of
it
as
well.
J
C
J
Well,
I
think
that
that's
part
of
this
customer
on
a
sterling
tool
chain
is
that
the
assumption
is
we're
going
to
take
tools
that
we're
using
like
Alpha
and
Omega
and
or
and
things
to
prove,
salsa
compliance
and
they'll
include
good
of
actions
that
are
there
for
approving
salsa
prominence
Etc.
That
is
something
that
the
direction
is
is
going
to
be
a
workflow
that
runs
one
or
more
actions
to
prove
different
compliance
or
different
aspects
around
different
things.
J
So
maybe
Auto
Effects
can
be
part
of
that
Sterling
tool
chain
you
opt
in
by
you,
know,
adding
you
know,
actions
or
whatever
they
can
take.
The
form
of
you
know
if
you
use
subversion
or
some
proprietary
thing
or
a
different
runner
for
your
CI
process.
That's
fine,
but
there
could
be
a
you
know,
still
a
signal
file
that
runs
your
workload
and
even
if
you
choose
for
your
workload
to
be
run
by
an
external
Runner,
that
file
still
could
be
put
picked
up
as
part
of
a
workflow.
So.
E
J
Hi
Jordan,
so
you
know
that's
what
we're
working
towards
in
the
openjs
foundation
right,
so
we'll
have
prescriptive.
So
it
would
be
great
if
that
overlap
were
developed
like
if
we
develop.
You
know
tool
chains
that
those
include
you
know
profile
tool,
chains
for
different
languages
or
ecosystems.
Absolutely,
but
it's
not,
it
would
declare
you
know
that
would
be
programmatic,
it
would
be
declared
and
it
could
be
automated
through
through
a
tool
chain.
So
yeah
the.
C
Idea
behind
this
standard
right,
these
the
specifications
we're
defining
an
open
source
security,
Foundation,
compliant
automated
vulnerability,
fixed
campaign.
These
campaigns
are
designed
to
be
targeted
and
Beyond
the
scope
of
the
projects
that
are
aware
of
the
open
SF
to
include
all
open
source
projects
across
all
open
source.
Right
like
this,
is
not
just
products
they're
aware
of
of
the
Sterling
tool
chain.
This
is
any
project
that
is
open.
J
C
So
yeah,
so
we're
we're
the
design
behind.
This
is
an
opt-out
mechanism
where
maintainers
can
choose
to
opt
out
of
receiving
these
reports
and
receiving
automated
fixes.
A
C
This
but
they're
opting
out
of
receiving
reports
or
automated
fix
like
this,
will
still
result
in
them,
will
still
result
in
the
vulnerability
becoming
public
right.
They're
opting
out
doesn't
mean
they
won't
receive
it
or
they're
opting
out
only
and
they
will
will
not
receive
it,
but
it
will
mean
that
their
vulnerability
immediately
becomes
public.
J
Yeah,
well
that
eliminates
me
on
what
what
your,
what
the
positioning
is,
but
I,
also
I
I,
if
you
opt
out,
is
the
mechanism
and
github's
gonna
back
it.
Then
that's.
C
C
Sorry
inside
of
their
dock
GitHub
directory
in
their
repository,
they
added
a
file
called
bro
gh-robots.txt
and
it
lists
which
which
robots
they
want
to
not
allow
to
interact
with
their
repository,
I'm,
leaning
towards
moving
away
from
that
standard
and
then
there's
a
new
standard,
that's
being
developed
by
Luigi
path,
security,
email
signs,
I
think.
J
C
C
Yeah,
yes,
oh
yes,
no!
No,
we
are
in
complete
agreement
on
that
and
I
have
art
I've
been
I'm,
so
something
that
I
mentioned
earlier
in
the
talk.
I'm
7
000,
pull
requests,
automated
security
fix,
pull
request
into
this,
and
it
crossed
my
career
so
very
familiar
with
that,
and
that's
part
of
the
reason
we
want
to
include
maintainers
in
this
discussion
is
to
make
sure
that
we're
doing
this
in
such
a
way
that
is
respectful
of
the
maintainer
and
doesn't
you
know
like
it,
won't
be?
J
C
Yeah
yeah
the
biggest
bit
of
the
biggest
pushback
I've
gotten
from
any
organization.
I've
I've
been
targeting
mostly
the
Java
ecosystem.
With
my
work
and
the
Apache
software
Foundation,
those
maintainers
have
not
been,
everybody
else
has
been
very
receptive
and
positive,
and
just
you
know
thank
you
for
the
polar
pressed
and
moved
on
the
the
most
negative
reactions.
I've
gotten
is
from
the
ASF
Main
maintainers.
C
So
there's
this
pull
request.
The
security
Insight
spec,
which
is
adding
Luigi,
is
proposing
to
add
some
of
these
fields
like
except
spot
pull
requests
I'm
going
to
try
to
move
away
from
the
term
bot,
because
bot
has
a
negative
connotation
in
the
industry
and
we
want
to
go
towards
automated
pull
requests
because
I'm,
not
a
bot,
I
use
my
real
account
to
generate
these
pull
requests.
C
J
C
Let
me
put
this
in
the
here
Josh:
can
you
put
this
I
lost
track
of
the
the
notes?
Can
you
put
this
in
the
meeting
notes
where's
the
chat
there.
It
is.
This
is
the
there
we
go
found
it.
That's
the
link
to.
C
Everyone
I'll
see
you
next
time
all
right
see
you
guys
in
two
weeks.
Thank
you
all
for
coming
soon,
bye
and
Matt.
If
you
wouldn't
add
your
name
to
the
I,
did
attendees.
Thank
you
all.