►
From YouTube: OpenSSF Vulnerability Disclosures WG (September 7, 2022)
A
A
C
How
you
doing
well
good
I'm,
not
going
to
be
very
long.
I
actually
have
an
interview
in
15
minutes,
but
I
did
want
to
pop
in
and
say
hello
to
everybody
and
say:
I
haven't
I
have
not
died,
I
have
not
disappeared
from
the
world,
I've
been
in
the
middle
of
moving
between
apartments
and
I
did
black
hat
and
Defcon,
and
so
my
life
has
just
been
chaos,
and
so
I
have
every
intention
of
returning
and
I
miss
you
all.
A
C
A
Cool
all
right
folks,
it
is
for,
after
the
hour,
welcome
to
the
September
7th
edition
of
the
vulnerability
disclosures
working
group.
It
looks
like
we
are
all
old
acquaintances
here,
so
no
need
for
introductions
today.
Does
anyone
have
any
opens?
They
wanted
to
add
to
the
agenda
before
we
jump
into
reviewing
the
CBD
guide.
C
A
So
I
would
like
to
get
this
as
done
as
we
can
for
this
draft
and
then
I
need
to
write
a
quick
blog
about
it,
so
that
it
would
go
into
a
press
release
and
ideally
get
some
more
folks
looking
at
and
hopefully
using
our
guide
and
then
it'll
be
in
a
git
repo
that
we
can
manage
through
PRS.
From
that
point
forward.
C
Okay,
if
there's
a
conference,
that's
available
to
talk
about
this
whole
thing
like
in
for
the
Linux
Foundation
upcoming
in
the
next
couple
months,
I'm
happy
to
be
one
of
the
people
that
you
know
makes
the
trip
out
to
wherever
that
is
appropriate
to
do
that.
Even
though
I've
been
gone
for
the
past
four
or
five
weeks,.
A
C
A
A
A
D
D
C
A
A
E
One
thing
for
the
coordinated
vulnerability
disclosure,
so
we're
talking
about
sharing
this
with
people
who
could
fix
or
remediate
the
vulnerability.
I
think
it
might
also
be
worth
adding
the
words
respond
to
because
incident
response
teams
aren't
always
necessarily
the
ones
that
can
fix
it,
but
are
also
a
holic
deeply
invested.
D
A
E
A
E
E
C
A
So
can
I
get
a
volunteer
to
hash
out
a
couple
sentences
for
us
before
we
go
live
and
again
we
always
flesh
out
more.
But
it's
something
that
happens.
A
lot
of
Open
Source
projects
aren't
going
to
use
the
Embargo,
but
they,
the
researcher,
might
ask
them
to
I.
Think
it's
something
we
definitely
need
to
talk
about.
At
some
point,
you.
B
A
A
A
B
C
D
A
A
A
B
A
C
A
A
A
A
A
C
B
Put
that
in
there
I
put
that
in
there,
because
during
the
last
few
meetings
there
was
a
few
questions
or
a
few
folks
surfaced.
The
fact
that
we
may
want
to
mention
explicitly
the
quality
and
like
to
spend
some
time
on
the
report
quality
so
that
we
avoid
duplication
of
work
on
like
the
security
advisory
and
the
blog
post
and
all
that
jazz.
So
this
is
essentially
to
put
an
emphasis
on
that.
A
C
C
D
D
I
would
say
well,
I
I
agree,
perhaps
changing
the
text
to
reinforced
that
there
are
all
these
other
options.
Here's
coordinated.
This
is
what
we
recommend,
but
I
think
keeping
it
in
there.
Amidst
the
other
options
is
certainly
a
good
idea
to
make
sure
that
we're
not
people
can
see
where
it
falls
in
the
Spectrum,
but
I
I
definitely
understand
what
she
means
there.
It's
just
maybe
a
text.
B
Francis
agreed
with
Vicki
here
I
think
we
can
put
a
little
note
that
this
is
somewhat
self-referential,
but
since
we're
not
in
the
business
of
making,
this
document
super
lean,
and
we
just
pointed
out
that
we
have
duplicates
and
redundant
information
all
over
the
place.
I
feel
very
comfortable
having
it
here.
Maybe
the
small
note
again,
just
yes,
we're
aware
that
this
is
about
this
document.
C
A
A
A
D
C
D
B
A
A
B
B
B
B
A
D
A
E
B
B
A
C
A
B
E
D
C
C
A
A
E
D
A
D
A
A
C
E
D
A
A
B
C
A
A
A
All
right
for
the
glossary
I
would
suggest
we
put
a
link.
We
change
this
to
a
link
to
our
terminology
and
I.
We
ran
out
of
time
in
the
TAC
call.
I
didn't
get
to
bring
it
up,
but
I
will
try
to
get
it
added
as
a
formal
item
to
get
additional
assistance
in
working
on
the
glossary.
The
education
Sig
agreed
that
they
would
take
on.
They
would
own
that
document
and
help
facilitate
it.
But
I
need
to
talk
to
the
tech
to
get
just
to
get
more
more
contributions.
A
B
A
Just
I'm
asking
the
tech:
are
you,
okay
with
the
education
group
owning
this,
and
would
you
like
to
help
advertise
and
get
more
contributions?
The
repo
exists
today,
so
people
can
start
typing
definitions,
meow
again,
I
don't
have
time
this
week
to
do
that.
But
that
is
something
I
can
con.
I
can
start
pecking
away
on
everyone.
Is
it's
an
open
repo
that
anyone
can
add
stuff
if
they
desire.
A
D
D
A
Well,
we
haven't
had
a
chance
to
do
like
I
want
to
get
this
group
into
more
of
a
rigor
of
periodically
reviewing
our
backlog
and
scrubbing
issues
and
PRS.
So
I
don't
know
the
name.
Let's
have
the
time
to
see
it.
Another
proposal
I
have
is
a
future
piece
of
work.
We
potentially
might
want
to
make
a
cvd
template
repository
that
spans
all
the
guides,
so
we
might
be
able
to
invest
a
little
more
focus
on
that
as
a
future.
Workout
on
this
group.
D
Hey
yes
on
that
and
B
I
have
a
comment
about
the
bibliography
which
right
now,
it's
linked
to
a
zotero
group,
to
which
only
I
have
right
access
right,
exactly
that
doesn't
scale.
So
if
anyone
else
would
like
write
access
to
that,
I
believe
you
can
just
go
and
request,
and
you
get
added
to
the
group.
D
A
All
right,
if
folks,
are
interested
in
taking
around
the
burden
of
being
a
bibliographer
master
or
mistress.
Please
click
the
link,
that's
what
I'm
doing
right
now
and
again
any
other
thoughts
around
are.
We
is
the
group
okay
with
this,
as
an
initial
draft
to
upload
into
git,
so
that
we
can
start
the
review,
the
public
review
and
the
advertising
process.
A
A
C
A
Right,
those
interested
in
doing
the
grammar
check
we
will
meet
at
1
pm.
Eastern
I'll,
probably
set
up
like
a
Microsoft
teams.
Call
for
that,
because
I
don't
have
a
zoom
myself,
so
I
will
send
the
invite
to
the
mailing
list.
Anyone
who's
interested
May
attend
we'll
just
quickly
run
through
that
prior
to
uploading
into
the
githubs.