From YouTube: OpenSSF Vulnerability Disclosures WG (September 7, 2022)

A
Does the guide need to be real? Yeah, it's very close to real, and I was going to enlist Randall. He has a tool that he can convert a gdoc into markdown pretty easily.

C
How you doing? Well, good. I'm not going to be very long. I actually have an interview in 15 minutes, but I did want to pop in and say hello to everybody and say: I haven't, I have not died, I have not disappeared from the world. I've been in the middle of moving between apartments and I did Black Hat and DEF CON, and so my life has just been chaos, and so I have every intention of returning and I miss you all.

C
But my life is still slightly in chaos, and so it may be another week before I see you all again for the full meeting.

C
I'm speaking at, I've been accepted to SEC-T Stockholm, Rochester Security Summit, NoHat in Bergamo, Italy, CODE BLUE in Japan. I think I've been accepted to GitHub Universe, but we'll see; I'm not quite sure about that, the email they sent me wasn't quite clear. And then the Global AppSec conference in San Francisco.

C
I'm gonna get the Japan train card that lets you go all over the place, so yeah. Where is, where's the Godzilla Museum? Tokyo somewhere.

A
Cool. All right folks, it is four after the hour. Welcome to the September 7th edition of the Vulnerability Disclosures Working Group. It looks like we are all old acquaintances here, so no need for introductions today. Does anyone have any opens they wanted to add to the agenda before we jump into reviewing the CVD guide?

A
All right, anyone have any opens they wanted to discuss?

A
If not, let us throw our attention at the CVD guide for finders. As I mentioned right at the top of the call, we're hoping to formally unveil like a dot-zero-one release with the Open Source Europe Summit next week.

A
So I would like to get this as done as we can for this draft, and then I need to write a quick blog about it so that it would go into a press release and ideally get some more folks looking at and hopefully using our guide, and then it'll be in a git repo that we can manage through PRs from that point forward.

C
Who is, is anybody speaking about it at the, your conference?

C
Okay, if there's a conference that's available to talk about this whole thing, like in, for the Linux Foundation upcoming in the next couple months, I'm happy to be one of the people that, you know, makes the trip out to wherever that is appropriate to do that, even though I've been gone for the past four or five weeks.

A
I, I know that the LF is having a user summit of some type in November. That might be a spot. I haven't seen a CFP for that, but yeah, we'll, we'll.

A
I, I have it for my work podcast.

A
So I like to bring it out every once in a while. All right folks, let us take a peek at the CVD guide. First and foremost, I would like to look at page three.

A
We have a section on what are open source maintainers' motivations, and Vicky, you had mentioned that Kayla had had some suggestions. Do you think this has been resolved or not? Can I close this out?

A
All right, going further down, Vicky had talked about how OSS developers work. How's that going?

D
Yeah, it is, it hasn't gone. Totally forgot that this was a thing I was going to be doing, so.

A
Okay, I haven't seen Jennifer in a very long time and I don't see her on today. Let us take a look at "What is coordinated vulnerability disclosure". Let's take a few minutes to look at that paragraph. Do we feel that that is complete enough to move on? So take a minute or two to read through that.

A
Randall, we're on page four of the CVD guide, looking at the "What is CVD" section.

A
Vulnerability identifiers, did anyone get the upper medicine? I was just going to talk to you.

E
One thing for the coordinated vulnerability disclosure: so we're talking about sharing this with people who could fix or remediate the vulnerability. I think it might also be worth adding the words "respond to", because incident response teams aren't always necessarily the ones that can fix it, but are also a holic deeply invested.

A
If they could do all of it. All right, well, while you have the talking stick, Madison, Vicky mentioned that you were going to work on the vulnerability identifier section. Oh.

E
I was, obviously I have not done that.

A
So what I would do is, I would suggest we don't copy this into the initial draft of the document, and we add it in as a supplementary, a supplemental PR in the coming weeks after we've had a chance to talk through it. Does that sound fair?

A
Any dissension, any counter opinions?

A
All right, let's go down to page five. Did we get the opportunity to specifically talk about embargoes yet? I think that's going to be something we need to have in the document before we go public.

A
So can I get a volunteer to hash out a couple sentences for us before we go live? And again, we always flesh out more, but it's something that happens. A lot of open source projects aren't going to use the embargo, but they, the researcher, might ask them to. I think it's something we definitely need to talk about at some point.

A
Yeah, I don't even think we mentioned need-to-know; that's something, another concept that's important. All right, so if we can get that, something working, at least a stub or some, a couple statements, that'll be useful.

D
Maybe, and I would love to go find that for you, but this week is a thing.

A
Right, while I'm waiting for that to go through, let's take a look at Francis's suggestion under disclosure options. So take a minute or two to read the paragraph and his additions.

A
So the first suggestion is Kayla wants to remove "coordinated". She says: so just removing this as a disclosure option, with added context that any of the disclosure types within the table are done in a coordinated fashion.

B
Put that in there, I put that in there because during the last few meetings there were a few questions, or a few folks surfaced the fact that we may want to mention explicitly the quality, and like to spend some time on the report quality so that we avoid duplication of work on, like, the security advisory and the blog post and all that jazz. So this is essentially to put an emphasis on that.

D
So to clarify: is this a recommendation by, I forget who we did it? Oh.

D
Recommendation by Kayla that we remove this completely, because this is essentially what the entire document is talking about? Or, yeah. Okay, that.

D
I would say, well, I, I agree. Perhaps changing the text to reinforce that there are all these other options; here's coordinated, this is what we recommend. But I think keeping it in there amidst the other options is certainly a good idea to make sure that we're not, people can see where it falls in the spectrum. But I, I definitely understand what she means there. It's just maybe a text.

B
Francis agreed with Vicki here. I think we can put a little note that this is somewhat self-referential, but since we're not in the business of making this document super lean, and we just pointed out that we have duplicates and redundant information all over the place, I feel very comfortable having it here. Maybe the small note again, just: yes, we're aware that this is about this document.

A
Let's move down to page nine. Nathan had put a comment: "I provided a suggestion on the language for CVE." So how do we like the second paragraph there? So give it, give you a couple minutes to read through that.

D
I like the language, but it would be helpful somewhere to, but it kind of does a bit of a hand-wavy on "go to a CNA".

D
Really giving a lot of direction on, and here's how you find a CNA for this scope, and that might be something to open an issue to take care of in the next iteration once it's moved to GitHub.

A
All right, Francis.

B
Before moving on from the table, I just wanted to point out that we don't mention NDAs anywhere in that document. It's fine, I think all of us hate it, but generally speaking it is indeed linked to the non-disclosure stuff. So is that okay if we add it as an example scenario for no disclosure?

A
Is it a no disclosure, or is it a constrained disclosure? Like you haven't, you don't talk about it for a period of time.

A
So Francis is adding a note about non-disclosure agreements under "limited". I think that is very much appropriate. Thank you for highlighting that, man.

A
Yes, if you scroll up to page five, it's currently highlighted in pink for me, two paragraphs above "additional sources for finding CVD channel".

A
Any more feedback under "getting a CVE number"? The second paragraph, we have highlighted where Nathan had comments. Any additional commentary? Are we okay with it directionally being correct, and we need to go back and add in more CNA information in the next draft?

A
Excellent. Yo, Tam, that's a, that's spot on. I was, that stuck in my head when I read it. Thank you.

A
And I think we also need to find, link more aggressively over to MITRE's training material, but I think that'll be a future add to the document because they.

E
Yeah, they use "CVE identifier". I just added a link to their glossary where we added "CVE identifier", so we should match what they say. Great, panoramic.

A
Then we changed, CVE doesn't, is no longer a vulnerability enumeration; CVE means CVE.

A
They changed some of the rules out from under us, so yes, let us.

A
Do we want to go back and scrub the document, changing "number" to "identifier"?

A
It, thank you. Thank you, all right. The "when all else fails", Kayla was going to reword that. She's not here; I will follow up with her to see if she was able to phrase that in a more positive light, you don't pull it on failures, opportunities.

A
So let us ignore the section that's struck out. I will follow up with Kayla and report back to everybody on that. Our next item is Kayla. Has she, did, there you go: troubleshooting common challenges. So she did take that and try to rephrase down here.

A
Yeah, before we do there, somebody's highlighted, I remember hearing the "ensuring everyone understands" piece. Okay, yeah.

A
It never existed. All right, so the troubleshooting section.

A
It is within the realm of possibility that maintainers don't consider the report a security issue. So how do we feel about the guidance there?

A
So you got lost, I will go back to the track changes and grab that.

A
Oh okay, like, make, if you could grab, just highlight like the word "zero day" and put your definition there. I will, yeah, are.

D
Totally, and you know, again with the markdown hammer, we can just link directly to the citation.

A
All right, for acknowledgments, do we, do we have any additional suggestions or changes to the list of good people we've, when they, officially cite?

A
Some fell in a cunning haircut noticed one thing was missed.

D
It's true: if you look at the bibliography, we cite MITRE a lot, so maybe giving them a little extra props.

A
There's a problem: okay.

A
All right, for the glossary I would suggest we put a link. We change this to a link to our terminology, and I, we ran out of time in the TAC call. I didn't get to bring it up, but I will try to get it added as a formal item to get additional assistance in working on the glossary. The Education SIG agreed that they would take on, they would own that document and help facilitate it. But I need to talk to the TAC to get, just to get more, more contributions.

A
So we would, they would state something like: for definitions of terms used here, please refer to the OpenSSF glossary. We need to decide on a name; there's a whole bunch of stuff that needs done there. But basically, just, are we okay with a reference to that repo?

A
Just, I'm asking the TAC: are you okay with the Education group owning this, and would you like to help advertise and get more contributions? The repo exists today, so people can start typing definitions now. Again, I don't have time this week to do that, but that is something I can con, I can start pecking away on. Everyone, is, it's an open repo that anyone can add stuff to if they desire.

A
Do we have any additional templates or examples we want to add? We should ask Jonathan about his policy, so we could have a link to something like that. Do we have any other examples we would like to add?

D
Get Jonathan also to give a vulnerability report submission example, because that's kind of his, right, so he should probably have one of those handy. That would be really great, I think.

A
Well, we haven't had a chance to do, like, I want to get this group into more of a rigor of periodically reviewing our backlog and scrubbing issues and PRs. So I don't know the name. Let's have the time to see it. Another proposal I have is a future piece of work: we potentially might want to make a CVD template repository that spans all the guides, so we might be able to invest a little more focus on that as a future work item for this group.

D
Hey, yes on that, and

B
I have a comment about the bibliography, which right now is linked to a Zotero group to which only I have write access. Right, exactly, that doesn't scale. So if anyone else would like write access to that, I believe you can just go and request, and you get added to the group.

A
All right, if folks are interested in taking on the burden of being a bibliographer master or mistress, please click the link; that's what I'm doing right now. And again, any other thoughts around, are we, is the group okay with this as an initial draft to upload into git, so that we can start the review, the public review, and the advertising process?

D
Or sorry, 0.1. No, I'd say once it's in, actually in GitHub, then we can make all the changes we want, but I would hate to have it delay the process of getting it moved to, to markdown.

A
Does anyone have time or interest in participating in a call later this week, which is rapidly running out, to sit down for a half hour, 45 minutes, to go through a grammar check? I would be glad to do that. I have some limited availability. I can do that tomorrow. Friday.

A
So maybe tomorrow afternoon.

A
Right, those interested in doing the grammar check, we will meet at 1 pm Eastern. I'll probably set up like a Microsoft Teams call for that, because I don't have a Zoom myself, so I will send the invite to the mailing list. Anyone who's interested may attend; we'll just quickly run through that prior to uploading into the GitHubs.

A
Thank you, everybody. I really appreciate your time and efforts on this. This is a pretty momentous day; we'll get this out the door, and we will start thinking about next projects for us to tackle, like maybe a CVD guide for consumers.