B: I asked Slack, or I asked ChatGPT, the question, because I'm working on data flow and control flow analysis, and I'm like, can inter-procedural control flow analysis and data flow analysis be performed against a Java project by only visiting each file once? And ChatGPT came back with a very interesting answer. Now I'm, like, you know, trying to... it's a... you're like, I have a question, Google's not coming back with the right...

B: Yeah. Did it work? Yes, it came up with something that is plausible. Now, okay, you can't, right. It's like, great, like...

C: It reminds me, I was using it to generate some code the other day and it generated some really nice-looking Ruby with libraries that didn't exist.

B: All righty then. I'll go... will be joining us shortly, but their customer meeting is running late. I am going to slap the... oh, I have not yet created the chunk of, like, the APAC Hollows. This is the 27th. Okay, that's the next day.

B: Hey, it's okay, I don't know, I'll take a look. Okay, I'm hoping to not butcher the notes. Thank you for being here, bro, I know you've been busy and stuff. All right, let me make this... all right, y'all could fill in your names for the Autofix SIG.

B: Okay, let's start out with any new friends we have for today. Do we have any new friends? Anybody who hasn't been here before, anybody want to introduce themselves, anyone who wants to say hi for the first time?

B: Okay, we might have Jonathan joining us shortly, but I don't know if either... either or Jonathan. So we'll see. If Jonathan joins, it's Jonathan Schneider, the CEO of Moderne. See if I can... Manoir usually shows up at these too, and, well, he hasn't recently. I'm just giving a ping. Okay, all right. There are two people that have added their attendance to the meeting notes and there are seven people in this call, so I'm ordering.

B: All right, all right, please do mark your attendance in here. It would be greatly appreciated. Chrome, I got you.

B: Thank you. All right, and then opens, and then meeting agenda.

B: Yeah, yeah, do you want to do the disclosure check? Is that the thing that you wrote? Can you not just talk about it, but can you, like, show a demo of it?

F: I can do it if we talk about something else for, like, two minutes. I'll have a demo ready. Like, you can talk about it, but then I can't type and talk, yeah.

B: I get it, I get it. So yeah, that'd be awesome if you could, yeah, and order your DoorDash. Already done? Great, okay. So we'll do that. Yesterday's meeting, no, two weeks ago's meeting... oh, before I get there, I guess another open. We are currently close to having the Open Source Security Foundation Vulnerability Disclosure Working Group...

B: What's it called, the vulnerability disclosure... outgoing vulnerability disclosure policy completed. It's been run by legal. I'm having a meeting with LF's legal again, or I'm meeting with Mike Dolan tomorrow to discuss that document. I will send a link to that into the chat.

B: This one, this is not entirely related to this specification that we've been working on, but it's slightly related. This is the higher-level document that describes how any researcher representing the Open Source Security Foundation, or any working group representing the Open Source Security Foundation... Is it outbound?

B: Yes, how any researcher or any organization, you know, can report things outbound from the Open Source Security Foundation. So that's that document. It sets a couple of guidelines that we were thinking about operating the...

B: There's this expectation here that if we don't receive any engagement from the project affirming their intention to fix the vulnerability within 35 days, the Open Source Security Foundation reserves the right to fully publicly disclose that vulnerability at that point. There was a thought that that same deadline of 35 days could also be incorporated into the process for Autofix.

B: So if you ask the maintainer to open or enable PVR on their repository and they respond, or they don't respond, for 35 days on that issue, there may be the possibility of going public at that point. And then also, if you do open a PVR and the maintainer doesn't respond or doesn't react within 35 days after you've opened the advisory.

B: The discussion that we've been having, with Michael and myself, is there's been a discussion with Alpha-Omega regarding an engagement with Tidelift, potentially, where the work that we're doing, where we're bulk-generating pull requests, there may be cases in which Tidelift may pick up the slack around manual disclosure at points.

B: The problem is that that may be possible for the Open Source Security Foundation and Alpha-Omega, but I don't want to put that as a requirement for all consumers of the specification, right, because there may be an agreement that Alpha-Omega has with Tidelift, that we're paying the money for that, maybe, potentially, and that's not something that's possible for all... anyone.

F: Does it... I think it's still contact the maintainer, like, do the normal private disclosure dance. The fact that we might, without committing anything, we might be in a position to pay a third party to handle the last mile, maybe more efficient for us to do it, but the same work gets done regardless of who, and I think, from this perspective, keeping it at the what, not the who, makes it applicable to both scenarios, I think.

B: I mean, great, AO has more resources, but scaling others as well in the research field to deploy their fixes at scale, and I don't want to put something prohibitive in this specification that makes it that you must have resources beyond, potentially, what one individual could do in order to be compliant with this spec.
F: Okay, so.

F: Okay, I'm assuming you can see my thing. So disclosure-check is just a Python script. What it does is it goes out, so, given a package URL, it'll go out to the registry, in this case PyPI or npm or wherever else, it will look through libraries.io, and if there's a backing GitHub project it'll go there, and it will essentially look for the best place to disclose vulnerabilities, in this case for Django.

F: Those are the best ones that it came up with, and it tries to give a score of how confident it is. For one like left-pad, I think there should be a couple of email addresses here. Found it. It does look for private vulnerability reporting being enabled on GitHub. It looks for Tidelift, so in this case for left-pad...

F: This one, electron-forge CLI, happens to be covered under a Tidelift subscription.

F: We look for that in a couple of different ways. Private vulnerability reporting is also enabled, and that's the highest-preference one. So what I would say is, if you're a researcher or organization or whatever, and this was one of the things that you found something in, then you could use this and know, hey, I should just go here to report it. Output is JSON as well, so you can script that. There's definitely bugs. Not...

F: ...every ecosystem is covered as well as every other one. But conceptually, does this feel like it would be helpful?

B: I think it would be helpful for me. I mean, I'm looking at this not as an automator, like, this is very useful just for security research, like, you know, in general. I think that one of the things that would be helpful, like, I'm looking at the preferred contact for the Django Software Foundation, right, like that one, though, that line, I would appreciate a "why are you proposing this?", because, like, for example, the Django Software Foundation...

F: I think I collect that. So here, so the email address was found in the PyPI registry under the author field, and the link to the security was found in the .github SECURITY.md. So that's why. Now we could obviously make that better, but...

F: So that's why it's lower. I figure that the PyPI registry is definitely going to contact somebody on the project, but you're right. If I felt more confident with the parsing of the Markdown, maybe if there's only one email address or only one URL, that's a higher confidence. Sure.

B: I think that, like, this is super cool. I think there's something that, like, I bet you Snyk, like, the research lab there, GitHub Security Lab, like, this is totally something they would want to use. I would suggest throwing together a, what's it called, asciinema demo, and, like, just saying, hey, there's this thing, here's a video demo with asciinema. That would actually get people using it. Okay.

F: That I can totally do, and obviously getting it installable from PyPI, so you can just, you know, pip install foo. It's slightly easier. Right now it's just on the GitHub. I do want to get it moved over to OpenSSF. That's a separate thing, but...

F: That makes sense. I think this one is... and it's also awkward because, like, libraries.io supports some things. They call it rubygems, not gem. Like, you know, it's not perfect. This one's interesting, because I do test it on this one, and this one, as far as I know, I couldn't find a programmatic way of getting this, but I want these as bugs so that we can, like, manually find the right author and then implement the check to retrieve that.

F: No, no, so this is to GitHub. You know what, let's do this as a... I mean, I don't have to right now, but, so, rubygems.

F: Which would be, I mean, yeah, okay, so sorcery... Sorcery is the... Let me see if we...

F: I'm wondering if, you know, there is this... okay, so there is a SECURITY.md file here. There is, oh, okay, so this is a good example. The SECURITY.md file for this says: email the current maintainers with the description of the vulnerability, you should expect a response in 48 hours, a list of current maintainers can be found on the README under the Contacts section. So...

F: To be fair, though, the hard part was, like, if I start parsing general README files I'm going to get a lot of email addresses that have nothing to do with the project, and, like, semantically saying, does it say "current maintainer", or is it "current author", or is it "currently maintained by", and not, like, lots...

F: I think, I mean, all we can do is, like, we find some stuff that it doesn't work well on, we make it work well on it, and we just rinse and repeat. So, cool, if you find any other bugs, just dump them into the issues in the repo and I'll just kind of, one by one, you know, make it suck less.
B: So, on the screen share real fast, so there's now an API down here, create a... no, is it... it's not, yeah, "privately reported security vulnerability", this one. So this is an API that GitHub has added that will attempt to open a private vulnerability report via GitHub. I'm working on the PyGithub bindings for this. They've actually been finished, but PyGithub, the maintainers seem not to be there.

B: Let me actually link to that here, but yes, it does work, I have used it. And then you can also get security advisories that you've opened. So as a researcher, you can use this GET endpoint to view any open PVRs that you've created, which is also very nice, or, well, that you have access to there.

B: A draft endpoint that is being created by... there, Alpha-Omega, we're currently in a discussion with GitHub regarding the features that we need to allow us to open forks via the API. So, currently, this only lets you create a private vulnerability report.

B: It does not let you also open a private fork and push changes to it, and so, in order to fully go through the process of reporting the vulnerability privately and creating the fix, we also need the ability to create the private fork too and push the changes there.

B: There is also a discussion with GitHub around, currently, that fork name. So when you go through the process... let me do this real fast. Let me screen share again.

B: Here we go. Okay, so for those of you that have not done GitHub security advisories, you go to Advisories, and this is all me testing to create advisories.

B: But if you... so, what we're trying to do at this point is, the API will let you, as a researcher, draft a new advisory, set a title.

B: ...or creates a new branch with this custom name with a unique UID. Now, Manoir, I presume that when you bulk-generate pull requests to fix security vulnerabilities, do you rebase those changes on a regular basis, or is it one and done?

G: So, Jonathan, I'm actually traveling by car right now. It's really not the right... so I'm just listening. Can you repeat the question one more time?

G: It's sometimes, like, there's... so we have only submitted, what, like 50-something security ones, I think. In those cases there's only, like, three of them where they asked for a change in the one that we originally submitted, suggested something, and then we had to do that again, but yeah. So that's like less than 10% of the cases.

B: The goal with our work is to not just generate the pull request once, but also rebase the change regularly, so that if the maintainer is, like, non-responsive, or, like, they take a little while, like, we can keep it up to date with whatever the main branch is and regenerate the fix, right.

B: The problem is that, because this name is uniquely generated, there's a problem around storage and memorizing, like, knowing, like, this campaign maps to this GHSA ID for this repository. And so we're working with GitHub to hopefully be able to get this name of this private fork to be something that you can configure to be something predictable, so that, yeah...

B: ...automation against it, and, like, be like, run it, and, like, this will be the naming convention for all these forks, and, like, any tooling that's generating pull requests, like, the thing that's generating the pull requests can then be separated from the thing that is automating the creation of the GHSA. Is that making sense, or have I lost people?

G: And there's just two quick comments. One is that it does take a long time, so the fixes will need to stay for a while before it gets eventually merged. So, in reality, it's like three months. But the other thing is the practicality of it, as in, in the corner case, like, just that part of the code base, the change can happen, but it's also unlikely.

G: So just maybe the practical thing would be not to worry too much about it, but that's just my two cents, that people... there'd just be no problem in rebasing it. It's just not gonna be a big deal, because it's only gonna be a problem... the merge issue is going to only come in if that part of the code somehow changed and therefore suddenly your fix is not matching the original one anymore, but that's, I would say, a percentage of the cases as opposed to the majority. Sorry, that's, yeah.

B: We also like to keep it up to date, so that, like, if, for example, at the time when it was built, or when the contribution was made, like, the main branch was failing, right, if we keep it rebased, then they can always run the latest changes, and hopefully, at a future point when we rebase it, it will be at a point where the branch is safe or clean or whatever, and so they can run the checks that they may not...

B: Okay, so we were... thanks, Josh. We were going through... Is there any other opens or points that anybody else wants to make before we dive back into this document that we were working through?
B: Mueller... all right, cool. So Mike Dolan has been through this document once. I read through some of Mike's comments and I think there's some misunderstanding about the intention of this document, so I'm going to work through that with him tomorrow. But let's just go through what he's requested here quickly, and just through the comments that are open on this document.

B: "In these cases, the scope of the private vulnerability is often beyond what can be reasonably reported to each maintainer privately in a one-on-one exchange manually." Oh yeah, okay, that makes sense. "Simply automating the creation of thousands of bug reports also isn't useful." Okay, then Xavier said, "I suggest to add this doc..."

B: "I suggest to add to this doc a preamble saying what to attempt before doing public disclosure via mass PR, for example, private disclosure when the API is available, a PR that adds a detection to the project CI, for example adding a detection for CodeQL or Semgrep or GitHub code scanning that will alert the maintainers privately about the issue."

B: So this document is intended to... so private vulnerability, just below here, via the API, is within the scope of this document.

B: All right, Josh, you came back reading this: "There are two ways to interpret what the issue is. (a) There are a wide variety of reporting mechanisms that are inconsistent and difficult to automate, due to the variety of methods and being uncertain which a particular project uses (@Michael Scovetta). (b) The mechanisms that currently exist are limited when it comes to private disclosure, automating private disclosure."

C: Yeah, I think you kind of hit the nail on the head there. They're both considerations, and it might be worth making that a little bit more direct.

B: Right, but yes, it's like, and one of those, like, HackerOne and Bugcrowd. Well, the other thing with HackerOne and Bugcrowd, for example, right, is that they may have policies that are inconsistent with, like, open source security research disclosure, right, because a lot of vendors will have their bug bounty program on HackerOne and Bugcrowd, but then they'll just say, oh, and now our open source is in scope, but they'll have a policy that explicitly states that, hey...

C: Some of the discussions previously, when it comes to the automations, is basically, if it's available, use it. If it's not, it's kind of up to the campaign developer to figure out what they want to do there. Am I remembering that accurately?

B: ...process to the campaign operator is the right way. Yes, I think I agree with your assessment there.

F: Just off the top of my head here, I think we should take a principled stance that, because open source, because the project's intended to be used by others, that open source maintainers, if they are pressured into essentially accepting a gag order in order to disclose through HackerOne, that the maintainer should politely say no, either give me another mechanism... Please give me another mechanism. You now have 89 days.

F: You know, that kind of thing, where it could eventually lead to full disclosure after 90 days, because the maintainer is only willing to accept things with onerous conditions on the researcher.

F: For example, if my policy was, I will accept, you know, reports from security researchers, just mail me a check for a thousand dollars with the report and I'll take a look at it, like, that's not a reasonable policy for me as a maintainer to have. I also think that for an open source project, any kind of, you know, signing and assigning away your rights as a researcher as part of the disclosure process is not reasonable.

F: Why, like, when there's a bug bounty attached to it, that's part of, you know, there is kind of an exchange of things. But if it's just purely a disclosure thing, I don't think there's any, like, good rationale for why your researchers should feel bound to that.

C: Yeah, so something similar, where if a maintainer only provides HackerOne or Bugcrowd or some unreasonable disclosure method, and they don't offer an alternative after 35 days... I don't know, just kind of spitballing some ideas there.

D: So the problem here is, they won't enable private vulnerability disclosure, and they want us, as a researcher, to use HackerOne or one of the other Bugcrowd bug bounties. Is that what I'm understanding?

B: Correct, because, and the risk there is, if you violate the terms of that disclosure, you can receive a ban from HackerOne or Bugcrowd, which means that you're no longer able to receive any sort of financial gains from the platform at all. So, like, okay, you know, this is a problem with the single platform, but you're actually exposing yourself to future risk of not being able to achieve any sort of financial gains from any of your research in the future.

B: I have gotten very pedantic about this, not because I'm pedantic, but because I have real-world experience with these problems. Like, HackerOne and Bugcrowd's triagers will get pissed at you if you say, hey, I'm going to disclose this because it needs to be disclosed. They will throw the "you agreed to this when you submitted this" at you, like, they...

F: I mean, we could simply, you know, "warning to security researchers: if a project's disclosure mechanism is HackerOne", or we don't even need to call it HackerOne, "if it is a... be careful of the terms that you would agree to when submitting through a formal program. If that's the case, you may want to consider alternative disclosure mechanisms to get the message to the team without agreeing to such things." And that way it's on the researcher to decide, and from an AO perspective...

F: We may just feel that, you know, we won't participate in, you know, HackerOne bug bounties as a result, or something to get us out of it, but maybe just the warning that there are restrictions here if you disclose in certain ways, right.
B: Correct, but we have our... you can have your own disclosure policy and you're not agreeing to some terms of agreement. And Microsoft and GitHub doesn't operate as, I mean, you know, has drawn a very strong line in the sand that they are not going to operate as an arbiter between researchers and maintainers, right. And with GitHub and HackerOne, you have a lot of arbiters that exist between researchers and hackers, or, sorry, researchers and maintainers.

F: I mean, it would be nice, so since HackerOne's an OpenSSF... a staff member, it would be nice to, like, because I think this is indicative of a...

F: One is, but if they had structured data, they had a field that you could query reliably to say, disclosure policy is, like, you know, 90 days, public, gag forever, or something like that, so that you're not actually parsing the text, it may be easier to then say, you know, don't report through HackerOne to projects that have this type of disclosure policy.

B: But also I don't think that they have an automated way of actually reporting these things. I don't think there's an API for hackers. There's an API for receivers, like, you know, if you're a manager, but I don't believe that HackerOne has an API for reporting vulnerabilities.

F: Yeah, no, no, sorry, and I missed this email, but last week Caleb reached out to me that they do have API capabilities for submitting vulnerability reports to the HackerOne platform.

F: You know, how about this, since a lot of this is HackerOne, let's loop in Caleb, look at how the conversation goes there, because if there's something we can do, we should try it, I think. The general warning, though, here, which would apply to any reporting platform, is that you, as a security researcher, may be asked to give up some of your rights when submitting a vulnerability through a platform. Beware of what you're giving up, and if you don't feel comfortable, feel free to...

F: You should think about submitting a different way, even if that means not being able to partake in a bug bounty or whatever, and that way it's for the researcher to decide where they want to go, you know, rather than us, like, trying to account for all these variations.

C: Maybe... one way to fit that in, and I'm not sold on the wording, but a section on gag orders or requests to not disclose, because that seems to be the general gist of the problem, is, hey, for whatever reason, if you can't disclose this, how do you get around that issue?

B: Okay, I was considering putting this information... like, okay, so we have this down here that's, like, kind of starting to replace this private disclosure. "If the open source software hosting provider supports a programmatic means of private reporting, for example GitHub private reporting, then this must be used to report the vulnerability. If the programmatic means of private reporting is not enabled on the repository, then a public issue requesting the private reporting feature be enabled on the repository or organization" (or, are they, or on the organization) "must be requested."

B: "The vulnerability itself must not be disclosed, but the existence of the vulnerability should be disclosed." You can't... "Your campaign should consider how to minimize the notification load on maintainers across the projects, and should consider non-programmatic security policies, SECURITY.md for example, as a means of preferred manual private reporting. For example, instead of opening many issues across multiple repositories in the same user or organization, it may be appropriate for a single issue to be opened requesting a private..."

F: Sorry, the previous paragraph, "must be requested". Do we feel that...

B: Should be a "should"? No, it's a "must". You must request them to enable PVR.

F: I can live with that if we just add GitHub in earlier in that sentence, so it's clear that, because if I'm on GitLab, like, asking, it's...

B: "If PVR is not enabled on the repository, then a public issue requesting..." prior... increasing the...

F: Well, so I think that one's too far up in the workflow. So, second paragraph, agree, okay, so "your campaign should consider how to minimize", that whole paragraph.

F: That second "should", so "your campaign should consider how" and "must consider non-programmatic security policy, SECURITY.md, for example", and I think, if all other... so if... so.

B: At a high level, this is from a conversation that we had last week, which detailed, basically, that instead of... so let's say that you have one organization with a bunch of repositories and you're going to fix them all at the same time. Instead of asking each one of those individual repositories across github.com/google, for each one of them, to enable private vulnerability reporting, you open one issue in the .github repository, which has the organization-level SECURITY.md file, and ask there, please enable PVR for the entire organization.

F: All the repositories, yeah. No, I'm just imagining, so... I guess we're... my fear is still in the objection that, like, you know, as a researcher, you find a vulnerability in a thousand projects. You open up a thousand... you realize that none of the thousand have PVR enabled, so you open up public issues in each of them saying please enable. 35 days later you check, you see that only 50 of them have enabled it, so you submit 50 PVRs and 950 zero-days.

F: I think we need to do more. I think we need to try the... so, first, I would be okay with, and obviously I'm biased here, but, like, if the disclosure-check tool is useful and does this, then perhaps the answer is, try PVR; if PVR doesn't work, run the disclosure tool. If you try all of those places and none of them respond, then...

B: Do you go through all ten thousand and go through and follow each one of their processes that haven't... let's say, and let's say 9,000 of those have...
F: That is just slightly better than never disclosing it, and even if it means that we have to spend a ton of money doing manual disclosure times ten thousand, I think that's better, I think. And now, if...

B: Yeah, that's, like, having an open pull request with a security fix in it is a valuable flag to a potential user of that library. But you'd get a CVE out of it anyway? No, no, I don't try to get CVE numbers unless the maintainer actually says, yes, this is a valid security vulnerability, because, again, the CVE system doesn't want to handle it at this scale.

B: So that's why we will try to get a GHSA, or a GitHub... or what's Josh's thing, the Global...

F: I realize that the hard part is differentiating the two, but for things that are obviously security hardening, I would count that as a bug, like, that it was not even in scope for this. You know, and I think we could argue about whether, like, socket timeouts, is that, like, denial of service, or is that a... but, like, some things will obviously fall below the line or on this side or whatever, and public pull requests for that all day long. That's what it's there for.

B: You make a trade-off between... so any tool that's going to be automatically finding vulnerabilities like this is going to be doing static code analysis, and there's a trade-off that you're making with static code analysis between fixing the vulnerability because it looks vulnerable and missing false positives, because you're making your static code analysis tool look for more things, and narrowing it down to be more exact. Right now, what I did for Zip Slip was, I said, okay, this is a code pattern that appears, this is vulnerable, and I...

B: ...didn't look for data flow globally. I looked at local code bases and said, this is unzipping a file and it's not sanitizing it. Okay, that could be a JAR file that's local, right, that, like, the project built itself, right. Like, I can't make those assertions, because data flow and control flow across a large code base is... is it a Turing...?

B: It's a, you know, it's a hard problem, and you can't guarantee correctness, but you can say that looks like a pattern of a common security vulnerability, and even if it's not, it's still a valid security hardening. So let's try to fix this at scale. Like, I also want to be clear that most of this will be thrown at vulnerabilities that are not RCEs, probably, I mean, at least in the beginning.

B: The norm for the industry, just because of history, is that the receiver of the report dictates how the report comes in, right. They publish the SECURITY.md file, they publish the security.txt file, right, and because of that, the researcher has to go through the effort of trying to find where that vulnerability needs to get reported in order to follow their policy, or they have to go, like, you know, Twitter DMs, right. Like, this is an opportunity that we have as researchers to flip that script.

B: There is a norm, but that norm has only existed because trying to track down who to report to is a hard problem, right. In this case, we have a universally usable way that we can all disclose vulnerabilities, and it is PVR, and so when we are in this state we can dictate, because of that: this is the way we would like to report to you. We are doing this at scale. If you don't want to follow that, it's fine, you're going to get a public pull request.

F: Here's my Markdown, here's my whatever, send that to, you know, all the contacts listed in the output of this. This essentially smushes the two together, and that way it'll either send an email... most places don't have, like, a website and a form, but, you know, we could deal with that. If it's PVR, then it'll do the API and do the PVR thing. If it's...

F: ...it'll send it to security@tidelift, where they'll get it and do the thing, you know. And this is getting back to, like, future talk, but, like, if we have a separate relationship with Tidelift, we could just send them all to Tidelift and make it really easy for ourselves. I get that this policy is not about just...

F: That last... I think it's just... it's gonna...

B: ...of that, but, like, I think the scale of the problem you see there versus spamming a bunch of people with a bunch of fixes that are, not most often, sometimes, security hardenings, and if you send them a patch file, they then have to go through the full process of downloading that patch file, applying it to their repository, yada yada, like, they have to go through manual steps versus just hit a merge button, right.
F: How about this: step one, check if PVR is enabled. If it's not enabled, open up an issue, say please enable PVR. If you enable PVR, I will submit it, you know, next week, or in 20 days or whatever; I will submit a report of a vulnerability to you through PVR. If you don't, I'm gonna look for you in other ways, and I will send you a patch file or Markdown or whatever, and I will do my best.

B: Spam the emails, if that doesn't work, yeah, then you... okay, but then you have to run an email server, or be connected to an email server, and monitor responses.

F: No, you just have to reply-all... I mean, the question is, do we want that to be a no-reply email, where, like, we're not looking for a back-and-forth engagement, we're doing a one-time blast-out disclosure, so, great. If not, then, yes, there needs to be a reply email address, but that's kind of what we would be doing with the private vulnerability report.

F: We are way over time, but...

F: I think I need to think about edge cases there, but that sounds right, where we can defensibly say that we've tried everything that we could short of, like, a human manually, like, looking through every place for an indeterminate amount of time, which I don't think we should do. So we've done commercially reasonable efforts to find and disclose privately, and if they're unresponsive, maybe if they're unresponsive completely, 35 days after last contact; if they are responsive but they just disagree, whatever, 90 days, we disclose. I think that's... at least, I mean, other folks, like...

F: You know what I'm gonna do, I'm gonna run disclosure-check on the top 10,000 projects. It'll take me a couple of days to run them all, to see statistically how many of them have at least one email address. From early testing, practically all... they either have nothing, because it's debugging the tool, or they have at least one email address, so I think with that it should be okay.

B: "If, after 35 days of opening an issue requesting PVR should be enabled..." impact on the maintainer... "if the maintainer has been completely unresponsive at this point, an email should be generated to the contacts returned by the latest version of the OpenSSF disclosure tool."

B: Who will be emailed must be included in the issue requesting the... on.

F: Ah, yeah, right, if you want to change this report, you know, copy and update this, and that way it's... I would be okay with that. I mean, it makes it a little bit more complicated on our end, but I...

B: I know, but, like, we will be... I mean, like, every time we run this thing, we run it with the latest version of your tool, right, and so they just need to create a pull request within that 35 days.

B: ...fix where it's going, or fix their... fix their infrastructure.