►
From YouTube: OpenSSF Vulnerability Disclosures (April 12, 2023)
D
B
C
B
C
B
C
C
A
C
B
C
C
You
can
either
gray
or
mark
yourself
as
present
by
ringing
in
your
name
or
you
know,
making
your
name
solid
or
if
you
can
add
your
name,
if
you
don't
have
it
in
there.
That
would
be
great
we
need
to.
In
order
for
this
to
become
an
official
Sig
under
the
open
source
security
Foundation.
We
need
at
least
two
three
weeks
of
tenants
from
organizations
Beyond.
C
C
C
G
A
H
A
C
D
I
C
I
I
C
C
Okay,
so
the
people
that
are
new
here
at
a
high
level,
this
working
group,
this
sig.
So
this
is
a
Sig
under
the
so
Sig
stands
for
special
interest
group
under
the
vulnerability
disclosures
working
group-
and
we
are
focused
primarily
on
discussing
the
topic
of
automating
vulnerability,
fixing
at
scale
predominantly
through
both
lower
Quest
generation
or
in
some
form,
trying
to
bulk,
generate
contributions
to
fix
security
vulnerabilities
at
scale
across
all
open
source.
C
Such
as
zip
slip,
partial
path,
reversal,
temp
directory
hijacking
and
I've
generated
in
my
career
north
of
7
000,
pull
requests
to
fix
various
different
security
vulnerabilities
across
open
source,
and
so
Alpha
Omega
has
hired
myself
and
Yesenia
under
AO
to
try
to
focus
on
fixing
security
vulnerabilities
at
scale
and
instead
of
Alpha
Omega
kind
of
just
going
in
to
this
work.
You
know
not
engaging
with
the
open
SF
and
just
doing
our
own
thing.
C
We
kind
of
want
to
accomplish
a
set
of
standards
and
best
practices
for
doing
this
work
in
a
way
that
is
inclusive
of
both
security,
researchers
and
also
maintainers
and
I'm.
Not
the
only
one.
That's
been
doing
this
work,
trellix
and
Casimir
who's
on
the
call
has
also
engaged
in
this
sort
of
work
to
generate
pull
requests
at
scale
to
fix
security.
Vulnerabilities
GitHub
is
engaging
some
of
this
work
in
the
past.
C
C
Yeah
65
000,
Polar,
Express
and
so
trying
to
keep
in
mind
that
humans
getting
involved
in
that
sort
of
scale,
is
a
very
tedious
process,
especially
when
you
don't
have
a
large
company
or
organization
behind
you.
If
it's
just
you
doing
this
work,
how
can
we
enable
others
to
do
this
kind
of
work
at
massive
scale
and
have
a
positive
impact
on
the
security
of
the
industry,
but
do
so
in
a
way
that's
respectful
of
maintainers?
C
C
So
they're
in
that,
in
to
kind
of
give
an
overview
in
that
endeavor,
we
have
a
specification
dock
which
is
linked
in
the
in
the
meeting
notes
where
we
are
intending
or
attempting
to
Define
what
is
a
what
is
defining
like
what
is
an
open
source
security,
Foundation,
compliant
automated
vulnerability,
fixed
campaign,
so
creating
a
set
of
standards
that
Define
under
a
set
of
constraints.
What
the
open
source
security
Foundation
considers
to
be
compliant
with
what
we,
what
we
want
to
see
others
in
the
industry,
doing.
C
E
E
You
know
you
would
probably
want
to
file
an
issue
and
be
like
hey
there's.
This
thing
called
PVR
and
here's.
Why
it's
great
and
here's
why
you
should
use
it
and
we
have
a
vulnerability
to
report,
but
we
don't
want
to
do
it
publicly
for
reasons.
For
these
reasons
and
like
you
know,
so,
it's
sort
of
more
of
a
like
education
thing
and
it's
very
automatable,
but
you'd
still
want
to
craft
it
in
the
form
of
like.
E
You
know
their
previous
employers
projects,
for
example,
or
somebody
who
maintains
the
project
of
somebody
else.
That's
still
on
their
user
account
and
that
user,
like
doesn't
pay
attention
to
their
computer
anymore,
but
the
project
is
still
maintained
very
well
things
like
that.
So,
but
then
those
users
prior
to
PVR
existing
the
overwhelming
best
practice
and
what
all
of
the
players
in
the
industry
have
been
encouraging
for
a
long
time
is
hey,
go,
please
add
a
security
policy.
E
Please
tell
us
in
an
English
like
a
prose
document
where
to
send
these
private
vulnerability,
vulnerability
reports
and
it
could
be
an
email
address,
it
could
be
go
to
Titleist
or
sneak
or
could
be
go
to
hacker1
or
whatever
right,
and
it
is
certainly
a
failing
in
the
ecosystem
that
that's
the
best
we
had
and
PVR
is
better
but
like.
If
somebody
has
taken
the
time
to
do
that,
especially
bigger
projects
or
busier
maintainers
that
have
built
a
process
around.
H
C
Go
through
a
disclosure
process
following
a
process
that
was
defined
before
PDR
was
even
enabled
and
a
possibility
for
them
to
enable
when
it
could
just
be
as
easy
as
asking
them
hey.
Can
you
enable
PVR?
So
you
can
we
can
report
there
yeah?
That
seems
like
an
additional
lift
that,
especially
when
you're
trying
to
automate.
C
E
Yeah
and
you
may
even
get
more
than
one
if,
if
it's
all
under
an
org
right,
so,
for
example,
the
reason
that
I
started
paying
attention
to
this
is
I,
don't
think
it
was
related
to
this
specific
campaign.
But
somebody
filed
an
issue
on
like
12
different
npm
repos
that
I
watch
because
I
like
suffering-
and
they
basically
say
please,
you
know,
like
I-
have
a
vulnerability
I
like
to
report
it.
E
An
issue
filed
on
one
issue:
one
notification
to
the
npm
people
somewhere.
That
says:
hey
turn
on
a
PVR
for
your
org
and
we
can
report
all
these
vulnerabilities
that
we
have
would
be
valuable,
but
12
is
counterproductive
and
so,
like
I
I,
don't
know
how
to
balance
that,
because,
like
like,
like
my
example,
is
I
have
400
projects
but
they're
spread
across
less
than
10
organizations
and
users,
and
so,
if
I
got
10
notifications,
I'm
going
to
be
a
lot
less
annoyed
than
if
I
get
400.
E
And
so
maybe
that's
a
way
to
balance
a
trade-off,
so
like
I
agree
with
you,
enabling
PBR
is
a
good
thing,
but
like
I
also
would
hope
that
as
GitHub
moves
this
out
of
beta,
that
they
just
enable
it
by
default
for
all
new
repos
and
like
upsell,
pretty
heavily
hey.
Please
click
this
button
and
turn
it
on
or,
alternatively,
that
they
just
turn
it
on
for
everyone,
but,
like
you,
know,
we're
not
in
control
of
what
they
do
with
their
product.
F
E
I'm
yeah
I'm,
talking
about
like
a
like
a
PR
is,
is
I
mean
if
it
needs
to
fix
400
places,
then
I
need
400,
PR's
right,
like
it's
more
of
it
like
if
you're
gonna
be
notifying
me
and
asking
me
to
do
work
without
contributing
anything.
Like
an
issue
saying
hey,
please
turn
on
PBR
like
I'm,
basically
saying
it
would
be
nice
if
the
identity
of
the
humans
receiving
the
request
was
taken
into
account,
meaning
like,
for
example,.
H
E
Have
more
than
one
notification
queued
up
for
this
org?
Let's
only
notify
one
place
and
if
we
have
further
notifications,
let's
edit
that
issue
and
be
like
it
also
applies
to
these
repos
and
bullet
point
lists
and
like
and
in
that
way,
you're
sort
of
you're
not
you're,
still
notifying
the
right
people,
but
you're,
not
overloading
them
with
notifications.
C
That
works.
It
works
really.
Well,
if
it's
an
organ,
if
it's
a
company
but
I
have
worked
inside
I've
been
a
part
of
organizations.
For
example,
the
angular
UI
organization
was
a
mixed
bag
of
a
bunch
of
people
from
a
bunch
of
different
projects
that
didn't
cross
talk
at
all,
and
they
had
just
ended
up
in
the
same
I.
Don't
know
how
they
all
ended
up
in
the
same
organization,
but.
B
C
E
But
the
that's
fair,
I
I
do
think
that's
probably
a
rare
case,
but
also
like,
even
in
those
cases
it's
not
destructive
to
enable.
So
it's
like
all
you
need,
is
one
org
owner
to
see
that
and
be
like
yeah.
That's
a
good
idea
and
then
go
click
a
button
and
like
it's
on
for
everyone
in
the
org,
regardless
of
whether
they're
Central
leadership
and
that's
not
going
to
stop
an
individual
project
from
then
going
and
turning
it
off.
C
Well,
at
least
for,
for
there
are
certain
things
like
you
can
I
think
there
are
certain
things
that
are
universally
applicable.
For
example,
if
you
have
the
setting
like
open
Assistant
has
a
setting.
That's
like
require
sign,
commits
right
when
you're
committing
the
web
UI
and
then
all
the
summer
projects.
You
can't
turn
it
off,
but
it
shows
you
that
it's
set
as
an
org
level
permission
or
an
order
level
setting
sorry
the
hiccups
levels,
yeah.
E
And
that
would
make
sense
if
it
was
a
requirement,
but
the
way
that
GitHub
is
currently
implemented
at
the
org
level
is
that
you
can
check
a
box
that
sets
the
defaults
for
new
repos,
but
then
there's
an
enable
all
disable
all
button
that
just
stamps
the
setting
onto
everything.
So
if
you
click
enable
all
and
then
somebody
turns
it
off
like
there's
you'd
have
to
infer
that
you
wouldn't
be
able
to
actually
like
determine
that.
That's
what
had
happened.
E
A
G
G
B
C
E
Just
checking
yeah
I
mean
I
think
any
a
solution
is
always
nice
when
it's
not
tied
to
a
single
provider
or
company
and
there's
lots
of
ways.
I
want
GitHub
to
be
less
like,
like
the
single
source
of
failure
or
whatever
in
open
source
ecosystem,
but
GitHub
like
open
source
is
GitHub
right
now.
So
it's
like
that.
That's
not
a
justification
for
ignoring
gitlab
and
friends,
it's
more
just
like.
If
we
don't
have
GitHub,
we
haven't
achieved
anything
and
if
we
do
have
GitHub
the
rest
are
like
often
a
rounding
error.
C
You
were
I
I
struggle
with
the
single
report,
I
hear
what
you're
saying
where
you're
you
like
you
end
up,
for
example,
right
depend
about
right.
You
have
a
bunch
of
projects
that
I'll
use
the
same
dependency
set,
and
then
you
end
up
with,
like
five
depend
about
pull
requests
across
six
repositories
that,
like
you,
know
across
you
know,
X
number
of
repositories
that
are
all
fixing
the
same
vulnerability
right.
C
E
Well,
depending
box,
a
little
like
please
enable
PBR
is
one
thing,
but
the
the
fixes
right,
like
the
reason
dependabot,
is
annoying
and
people
turn
it
off.
A
lot
is
because
it
affects
every
level
of
the
depth
graph,
because
there's
lock
files
everywhere,
instead
of
just
having
lock
files
at
the
app
level
so
like,
but
the.
E
But
in
this
case
you
no
matter
if
it's
100
Levels
deeper
two,
you
will
still
only
have
one
PR
doing
the
fix,
certainly
releasing
the
fix
would
trigger
dependency,
update
wave
but
like
I
I
think
the
fixed
PRS
or
the
even
the
the
reports
of
the
vulnerability
themselves
are
going
to
be
targeted
and
not
suffer
from
that
problem.
Right.
E
It's
just
the
the
please
enable
PDR
thing
is
the
one
that
I
think
could
be
spammy
and
like,
but
I
I
actually
am
not
even
that
worried
about
that.
If,
if
I
have
a
repo
that
has
no
security
policy
and
I
have
PVR
off,
and
then
someone
says
hey
turn
this
on
so
I
can
report
stuff,
I'm
gonna
be
like
oh
thanks,
like
I
didn't
realize.
I
had
no
way
to
do
that,
and
so,
even
if
it's
annoying,
because
there's
a
lot
I'm
gonna
be
like
all
right.
E
Well,
I
should
have
already
done
this.
You
know,
but
like
the
I'm,
not
gonna,
have
the
same
group
magnanimity.
If
you
know
I
laboriously
put
a
security
policy
into
hundreds
of
repos
and
then
I
still
have
to
go
click
another
thing,
even
though
I
already
told
everyone
how
to
do
it.
You
know
how
to
record
things.
You
know.
That's
the
sort
of
so
like
a
fix
is
fine.
C
C
H
E
E
I
have
security.nds
that
are
in
repos
that
predate
GitHub,
supporting
an
orglevel.github
repo
and
then
I
also
have
a
GitHub
org
level,
dot
GitHub
repo
with
this
security
policy,
so
sometimes
I
have
both
just
for
legacy
reasons.
But
yeah
I
agree
if
there's
no
org
level
policy
and
there
is
a
repo
level
policy
that
suggests
that
I
don't
know
that
that
that
that
that's
worth
considering
differently
I,
don't
know
exactly
what
it
suggests
yet.
E
E
C
Don't
know
yes
because,
like
for
well
take,
for
example
the
Apache
software
Foundation
right
they
have
like.
Can
you
still
hear
me?
Okay?
Take,
for
example
the
Apache
soccer
Foundation
there
is.
There
is
like
there's
that,
like
at
least
a
thousand
repositories
right,
yeah
and
they're
all
run
by
different.
E
C
Mean
I
mean
there's
also
the
eclipse
foundation
and
there's
probably
other
ones
that
have
similar
behavior,
that
I
I
don't
know
about
right.
Like
you
want
you,
you
may
want
to
hard
code
special
cases,
but
at
a
certain
point
your
special
cases
don't
work,
because
there
are
things
you
don't
know
about
yet.
E
E
C
E
E
C
Specification
but
I
think
the
problem
with
that
is
that
it
still
has
the
multiplicative,
like
you
also
have
to
Define
adapters
for
every
single
different
disclosure
mechanism,
hacker
one
bug
crowd
but
then,
like
even
taking
into
a
mind,
jira
right.
Every
single,
like
every
single
organization,
is
running
their
own
instance
of
jira.
It's
not
bitbucket's
Central
jira
instance,
so
you
can't
log
in
account
for
jira
and
Report
via
that
channel.
You
have
to
create
an
account
for
every
single
like
Jenkins.
Is
one
and
apache's
one
like
all
that,
and
that's
that's
that
again
scale.
E
Yeah
I
mean
it,
but
you
could
make
the
the
such
a
schema,
just
not
work
for
anything
that
isn't
anonymously,
programmatically,
submittable
or
something
like
like
it
requires
you
to
create
an
account.
You
don't
put
it
in
the
schema,
because
it's
not
good
enough
right,
like
schema,
is
just
for
scalable,
programmatic,
private
vulnerability
reporting.
So
that's
either
like
a
post,
endpoint
or
an
email
address,
or
you
know
some
static
thing
that
says:
use
GitHub,
PVR
I,
don't
know
like
whatever.
E
E
E
Like
advising
of
the
existence
of
yeah
yeah
requesting
yeah
but
like
I,
think
it's
useful
to
point
out
that
the
issue
can
advise
that
there
is
a
vulnerability
without
saying
what
it
is
like.
It's
important
that
it
must
not
disclose
the
vulnerability
and
it
should
imply.
You
know
it
should
say
that
there
is
one
right.
C
F
C
B
C
C
E
So
I
don't
know
something
like
I'm
just
kind
of
spitballing
but
like
like
you
can't
we
can't
proscribe
anything.
You
prescribe
anything
here
because,
like
we
don't
even
know
what
the
objective
create,
Like
rules
would
be
and
we
haven't
even
tried
it
out
so
like,
even
if
we
came
up
with
something
that
might
be
terrible
right,
but
like
it's
useful
to
kind
of
talk
about
here,
as
so
the
spirit,
I
think
and
the
intent
isn't
in
there
and
like
as
Alpha
Omega
gets
better
at
figuring
this
out.
E
E
A
little
bit
here
is
there's
non-normative
notes
in
the
JavaScript
spec
that,
like
engine
implementers,
don't
have
to
follow,
but
they
clue
in
people
to
the
intent
of
something
or
the
possibility
of
optimization
or
of
like
an
edge
case
to
be
aware
of
so
they
don't
optimize
themselves
into
a
bug
and
stuff
like
that,
and
that
sort
of
should
should
and
non-normative
have
the
same
semantic
right
and
so
that's
sort
of
what
I'm
thinking
is
like
so
being
like.
Hey
try
not
to
be
a
dick
here,
and
this
is
something
to
be
aware
of.
E
F
F
Retainer
across
the
projects,
so
I
think
it
adds
a
value
of
like
hey,
think
of
your
use
cases
and
your
edge
cases,
but
also
these
are
other
ways
that
they
have
already
described
how
to
communicate
to
us.
So
the
security.md
file
and
I
think
you
had
mentioned
another
one
earlier
of
what's
to
check,
but
I
think
it
just
helps
folks
point
to
so.
C
C
B
C
C
H
C
E
Yeah
I
mean
I,
think
it
if
that's
a.
If
that's
a
term
that
is
going
to
be
confusing
to
anybody,
then
I
would
say
that
all
of
openss
documents
should
probably
link
to
somewhere.
That
defines
it
in
detail
yeah
just
the
first
time
that
they
use
the
word
organization,
and
then
we
can
kind
of
solve
that
problem
for
everyone.
There.
C
F
C
B
E
E
E
B
J
Yeah
I'm,
sorry,
I,
I'm,
sorry,
I,
joined
late
and
and
pardon
if
this
has
been
asked
already.
But
you
know
I
know
that
there's
a
lot
of
talk
about
the
Sterling
tool
chain
and
I
know
that
workflows
are
assumed
to
be
part
of
it
in
you
know,
despite
talking
about
GitHub,
and
you
know,
GitHub
actions
are
going
to
be
preeminent
play
part
of
it
as
well.
J
C
J
Well,
I
think
that
that's
part
of
this
customer
on
a
sterling
tool
chain
is
that
the
assumption
is
we're
going
to
take
tools
that
we're
using
like
Alpha
and
Omega
and
or
and
things
to
prove,
salsa
compliance
and
they'll
include
good
of
actions
that
are
there
for
approving
salsa
prominence
Etc.
That
is
something
that
the
direction
is
is
going
to
be
a
workflow
that
runs
one
or
more
actions
to
prove
different
compliance
or
different
aspects
around
different
things.
J
So
maybe
Auto
Effects
can
be
part
of
that
Sterling
tool
chain
you
opt
in
by
you,
know,
adding
you
know,
actions
or
whatever
they
can
take.
The
form
of
you
know
if
you
use
subversion
or
some
proprietary
thing
or
a
different
runner
for
your
CI
process.
That's
fine,
but
there
could
be
a
you
know,
still
a
signal
file
that
runs
your
workload
and
even
if
you
choose
for
your
workload
to
be
run
by
an
external
Runner,
that
file
still
could
be
put
picked
up
as
part
of
a
workflow.
So.
E
J
Hi
Jordan,
so
you
know
that's
what
we're
working
towards
in
the
openjs
foundation
right,
so
we'll
have
prescriptive.
So
it
would
be
great
if
that
overlap
were
developed
like
if
we
develop.
You
know
tool
chains
that
those
include
you
know
profile
tool,
chains
for
different
languages
or
ecosystems.
Absolutely,
but
it's
not,
it
would
declare
you
know
that
would
be
programmatic,
it
would
be
declared
and
it
could
be
automated
through
through
a
tool
chain.
So
yeah
the.
C
Idea
behind
this
standard
right,
these
the
specifications
we're
defining
an
open
source
security,
Foundation,
compliant
automated
vulnerability,
fixed
campaign.
These
campaigns
are
designed
to
be
targeted
and
Beyond
the
scope
of
the
projects
that
are
aware
of
the
open
SF
to
include
all
open
source
projects
across
all
open
source.
Right
like
this,
is
not
just
products
they're
aware
of
of
the
Sterling
tool
chain.
This
is
any
project
that
is
open.
J
C
A
C
This
but
they're
opting
out
of
receiving
reports
or
automated
fix
like
this,
will
still
result
in
them,
will
still
result
in
the
vulnerability
becoming
public
right.
They're
opting
out
doesn't
mean
they
won't
receive
it
or
they're
opting
out
only
and
they
will
will
not
receive
it,
but
it
will
mean
that
their
vulnerability
immediately
becomes
public.
J
C
J
C
C
Yeah,
yes,
oh
yes,
no!
No,
we
are
in
complete
agreement
on
that
and
I
have
art
I've
been
I'm,
so
something
that
I
mentioned
earlier
in
the
talk.
I'm
7
000,
pull
requests,
automated
security
fix,
pull
request
into
this,
and
it
crossed
my
career
so
very
familiar
with
that,
and
that's
part
of
the
reason
we
want
to
include
maintainers
in
this
discussion
is
to
make
sure
that
we're
doing
this
in
such
a
way
that
is
respectful
of
the
maintainer
and
doesn't
you
know
like
it,
won't
be?
J
C
Yeah
yeah
the
biggest
bit
of
the
biggest
pushback
I've
gotten
from
any
organization.
I've
I've
been
targeting
mostly
the
Java
ecosystem.
With
my
work
and
the
Apache
software
Foundation,
those
maintainers
have
not
been,
everybody
else
has
been
very
receptive
and
positive,
and
just
you
know
thank
you
for
the
polar
pressed
and
moved
on
the
the
most
negative
reactions.
I've
gotten
is
from
the
ASF
Main
maintainers.
C
So
there's
this
pull
request.
The
security
Insight
spec,
which
is
adding
Luigi,
is
proposing
to
add
some
of
these
fields
like
except
spot
pull
requests
I'm
going
to
try
to
move
away
from
the
term
bot,
because
bot
has
a
negative
connotation
in
the
industry
and
we
want
to
go
towards
automated
pull
requests
because
I'm,
not
a
bot,
I
use
my
real
account
to
generate
these
pull
requests.