►
A
A
B
I
asked
slack
or
I
asked
chat,
gbt
the
question
because
I'm
working
on
data
flow
and
control
flow
analysis
and
and
I'm
like
can
inter-procedural
control
flow
analysis
and
data
flow
analysis
performed
against
Java
project
by
only
visiting
each
file
once
and
chat.
Gpt
came
back
with
a
very
interesting
answer.
Now.
I'm,
like
you
know,
trying
to
I'm
it's
a
you're
like
I,
have
a
question:
Google's
not
coming
back
with
the
right.
B
B
C
B
C
B
B
E
B
B
B
Okay,
we
might
have
Jonathan
joining
us
shortly,
but
I
don't
know
if
I
either
live
either
or
Jonathan.
So
we'll
see
John
if
Jonathan
joins
it's
Jonathan
schneideries
the
CEO
of
modern,
see
if
I
can
manoir
usually
shows
up
at
these
too
and
well.
He
hasn't
recently
I'm
just
giving
a
ping.
Okay,
all
right.
There
are
two
there
there
are.
There
are
two
people
that
have
added
their
attendance
to
the
meeting
notes
and
there
are
five
people.
There
are
seven
people
in
this
call,
so
I'm
ordering.
B
B
F
B
B
I
get
it
I
get
it
so
yeah
that'd
be
awesome
if
you
could
yeah
and
order
your
doordash
already
done
great
okay.
So
we'll
do
that.
Yesterday's
meeting
no
last
two
weeks,
ago's
meeting
oh
before
I,
get
there
I,
guess
another
open.
We
are
currently
close
to
having
the
open
source
security,
Foundation
vulnerability,
disclosure
working
group.
B
B
This
one,
this
is
not
entire
related
to
this
specification
that
we've
been
working
on,
but
it's
slightly
related.
This
is
the
the
higher
level
document
that
describes
how
any
researcher
representing
the
open
source,
security,
Foundation
or
any
working
group
representing
the
open
source
security
Foundation.
Is
it
out
pound?
B
D
B
There's
this
expectation
here
that
if
we
don't
receive
any
engagement
from
the
project,
affirming
their
intention
to
fix
the
vulnerability
within
35
days,
the
open
source
security,
Foundation
reserves
the
right
to
fully
publicly
disclose
that
vulnerability.
At
that
point,
there
was
a
thought
that
that
same
deadline
of
35
days
could
also
be
incorporated
into
the
process
for
autofix.
B
The
discussion
that
we've
been
having
with
Michael
and
myself
is
there's
been
a
discussion
with
Alpha
Omega
regarding
an
engagement
with
Tide
lift,
potentially,
where
the
work
that
we're
doing
where
we're
bulk,
generating
pull
requests.
There
may
be
cases
in
which
tide
lift
may
stick
pick
up
the
slack
around
manual
disclosure
at
points.
F
F
Does
it
I
I
think
it's
still
contact
the
maintainer
like
like
do
do
the
normal,
just
look,
the
the
normal
private
disclosure
dance,
the
fact
that
we
might
without
committing
anything
we
might
be
in
a
position
to
pay
a
third
party
to
handle
the
last
mile,
maybe
more
efficient
for
us
to
do
it,
but
the
same
work
gets
done,
regardless
of
of
who
and
I
think
it
from
this
perspective,
keeping
it
at
the
at
the
what
not
the
who
makes
it
applicable
to
both
scenarios.
I
think.
B
I
mean
great
aao
has
more
resources
but
scaling
others
as
well
in
the
research
field
to
deploy
their
fixes
at
scale,
and
we
I
don't
want
to
put
something
prohibitive
in
this
specification.
That
makes
that
you
must
have
resources
Beyond,
potentially
what
one
individual
could
do
in
order
to
be
complicit
with
this
back.
F
Okay,
I'm,
assuming
you
can
see
my
see
my
thing
so
disclosure
check
is
just
a
it's
python
script.
What
it
does
is
it
goes
out
so,
given
a
package,
URL
it'll
go
out
to
the
report,
the
in
this
case
Pi,
Pi
or
npm,
or
wherever
else
it
will
look
through
libraries.
I
o
it'll,
if
it's,
if
it's,
if
there's
a
backup
and
GitHub
project
it'll
go
there
and
it
will
essentially
look
for
the
best
place
to
disclose
vulnerabilities
in
this
case
for
Django.
F
Those
are
the
best
ones
that
it
came
up
with
and
it
tries
to
give
a
score
of
how
how
confident
it
is
for
one
like
left
pad
I
think
there
should
be
a
couple
email
addresses
here
found
it
does
look
for
private
vulnerability,
reporting
being
enabled
on
GitHub.
It
looks
for
tidelift,
so
this
so
in
this
case
for
left
pad.
F
F
We
look
for
that
in
a
couple
different
ways:
private
vulnerability,
reporting
is
also
enabled
so
and
that's
the
highest
highest
preference
one.
So
what
I
would
say
is
if
you
are
a
if
you're,
a
researcher
or
organization
or
whatever,
and
this
was
one
of
the
things
that
you
found
something
in
then
you
could
use
this
and
and
know
hey.
I
should
just
go
here
to
report
it
output
is
Json
as
well,
so
you
can.
You
can
script
that
there's
definitely
bugs
not.
F
A
B
I
think
it
would
be
helpful
for
me:
I
mean
I,
like
I'm,
not
I'm.
Looking
at
this,
like
not
as
an
as
an
automator
like
this
is
very
useful.
Just
for
security.
Research,
like
you
know
in
general,
I
think
that
one
of
the
things
that
would
be
more
help
like
one
of
the
things
that
would
be
helpful,
like
I'm,
looking
at
the
preferred
contact
for
the
Django
software
Foundation
right
like
that.
One,
though
that
line
I,
would
appreciate
a
a.
Why
are
you
proposing
this
because,
like,
for
example,
the
Django
software
Foundation?
B
F
F
B
F
F
So
that's
why
it's
it's
lower
I
figure
that
the
Pi
Pi
registry
is
definitely
going
to
contact
somebody
on
the
project,
but
you're
right.
If
I
could,
if
I
felt
more
confident
with
the
parsing
of
the
markdown,
maybe
if
there's
only
one
email
address
or
only
one
URL,
that's
a
higher
higher
confidence.
Sure.
B
B
I
think
that,
like
this
is
this
is
super
cool
I.
Think
there's
something
that
like
I
bet,
I
bet
you
Snick,
like
the
research
lab
there.
Github
security
lab
like
this
is
totally
something
they
would
have.
They
would
want
to
use.
I
would
I
would
throw
together
I
would
throw
suggest,
throwing
together
a
what's.
It
called
the
ASCII
cinema
cinema
demo
and
like
like
it
just
saying:
hey,
there's
this
thing
great,
hey,
there's
this
thing:
here's
a
video
demo
with
ASCII
Cinema
that
would
actually
get
people
using
it.
Okay,.
F
F
F
That
makes
sense,
I
think
this
one
is,
and
it's
also
awkward
because,
like
libraries,
I
o
support
some
things.
They
call
it
ruby
gems,
not
gem.
Like
does
you
know
it's
not
perfect
this
one's
interesting,
because
I
do
test
it
on
this
one,
and
this
one
as
far
as
I
know,
there's
I
couldn't
find
a
programmatic
way
of
of
getting
this,
but
I
want
these
as
bugs
so
that
we
can
like
manually,
find
it
find
the
right
author
and
then
like
implement
the
check
to
to
retrieve
that.
C
F
F
F
I'm
wondering
if
you
know
there
is
this
okay,
so
there
is
a
security
MD
file
here
there
is
oh
okay,
so
so
this
is
a
good
example.
The
the
security,
the
security
MD
file
for
this
says
email,
the
current
maintainers.
With
the
description
of
the
vulnerability,
you
should
expect
a
response.
In
48
hours,
a
list
of
current
maintainers
can
be
found
on
the
readme
under
the
contacts
section.
So.
F
G
F
To
be
fair,
though,
the
hard
part
so
was
like,
as
if
I
start
parsing
General
readme
files
I'm
going
to
get
a
lot
of
email
addresses
that
have
nothing
to
do
with
the
project
and
being
like
semantically
saying
like
say
current
maintainer.
Or
is
it
a
current
author
or
is
it
currently
maintained
by
and
not
like
lots.
F
A
B
So
on
the
screen
share
real
fast,
so
there's
now
an
API
down
here
create
a
no
is
it
it's
not
yeah
privately
reported
security
vulnerability
this
one.
So
this
is
an
API
that
GitHub
has
added
that
will
attempt
to
open
a
private
owner
really
report
via
GitHub
I'm
working
on
the
Pod
GitHub
bindings
for
this
they've
actually
been
finished,
but
they're
Pi
GitHub
has
the
maintainers
seem
not
there.
A
B
Let
me
actually
link
to
the
here,
but
yes,
it
does
work,
I
have
used
it,
and
then
you
can
also
get
security
advisors
that
you've
that
you've
opened.
So
as
a
researcher,
you
can
use
this
get
endpoint
to
view
any
open,
pvrs
that
you've
created,
which
is
also
very
nice
or
well,
that
you
have
access
to
there.
A
B
B
B
A
F
B
G
B
G
B
B
G
G
It's
sometimes
like
there's,
so
we
have
only
submitted
what
like
50
something
Security
in
I.
Think
in
those
cases
there's
only
like
three
of
them,
where
they
asked
for
a
change
in
the
one
that
we
originally
submitted,
suggested
something,
and
then
we
had
to
do
that
again,
but
yeah.
So
that's
like
less
than
10
of
the
cases.
B
The
problem
is
that
this,
because
this
name
is
uniquely
generated
you
there
there's
a
problem:
around
storage
and
and
memorize
like
knowing,
like
this
campaign
maps
to
this
ghs
ID
for
this
repository
and
so
we're
working
with
GitHub
to
hopefully
be
able
to
get
this
name
of
this
private
Fork.
To
be
that's
something
that
you
can
configure
to
be
something
predictable,
so
that
yeah.
B
Automation
against
it
and
like
be
like
run
it
and
like
this
will
be
the
naming
convention
for
all
these
Forks
and,
like
any
tooling,
that's
generating
pull
request
like
the
thing
that
that's
generating
the
pull
requests
can
then
be
separated
from
the
thing
that
is
automating.
The
creation
of
the
GHSA
is
that
making
sense
or
have
I
lost
people.
G
And
there's
just
two
quick
comments.
One
is
that
it
does
take
a
long
time
so
that
the
fixes
will
lead
to
stay
for
a
while
before
it
gets
eventually
emerged.
So
in
the
real
estate
is
like
three
months,
but
the
other
thing
is
the
practicality
of
it,
as
in
in
the
court
case
like
just
that
part
of
the
code
base,
the
change
can
happen,
but
it's
also
unlikely.
G
So
just
maybe
the
Practical
thing
would
be
not
to
worry
too
much
about
it,
but
that's
just
my
two
cents
that
people
just
be
no
problem
in
reducing
it.
It's
just
not
gonna
be
a
big
deal,
because
only
it's
gonna
be
a
problem.
The
margin
issue
is
going
to
only
come
in
if
that
part
of
the
code
somehow
change
and
therefore
suddenly
your
fix
is
not
matching
to
the
original
one
anymore,
but
that's
I
would
say
a
percentage
of
the
case
as
opposed
to
the
material.
Sorry,
that's
yeah.
B
We
also
like
to
keep
it
up
to
date,
so
that
like
if,
for
example,
at
the
time
when
it
was
built
or
re,
that
the
contribution
was
made
like
the
main
branch
was
failing
right,
they
can,
if
we
keep
it
rebased,
then
they
can
always
run
the
latest
changes
and
hopefully
it
at
a
future
point.
When
we
rebase
it,
it
will
be
at
a
point
where
the
branch
is
safe
or
clean
or
whatever,
and
so
they
can
run
the
checks
that
they
may
not.
B
B
Mueller
all
right
cool,
so
Mike
Dolan
has
been
through
this
document
once
I
think
that
there's
some
misunderstanding
from
I
read
through
some
of
Mike's
comments
and
I
think
there's
some
misunderstanding
about
the
intention
of
this
document,
so
I'm
going
to
work
through
that
with
him
on
on
tomorrow.
But
let's
just
go
through
what
he's
requested
here
quickly
and
just
through
the
comments
that
are
open
on
this
document.
B
In
these
cases,
the
scope
of
the
private
vulnerability
is
often
beyond
what
can
be
recently
reported
to
each
maintainer
privately
in
a
one-on-one
exchange
manually,
oh
yeah,
okay,
that
makes
sense
simply
automating
the
creation
of
thousands
of
bug
reports.
It
also
isn't
useful.
Okay,
then
Xavier
said
I
suggest
to
add
this
doc.
B
All
right,
Josh,
you
came
back
reading
this.
There
are
two
ways
to
interpret
what
the
issue
is.
There
are
a
wide
variety
of
reporting
mechanisms
are
inconsistent
and
difficult
to
automate.
Do
the
variety
of
methods
and
being
uncertain,
which
a
particular
project
uses
aim
Michael
scalvetta,
be
the
mechanisms
currently
exist
are
limited
when
it
comes
to
private
disclosure,
automating
private
exposure.
B
C
B
Right
but
yes,
it's
like,
and
one
of
those
episodes
like
hacker
one
and
Bug
crowd.
Well,
the
other
thing
with
the
Packer
one
and
Bug
crowd,
for
example.
Right
is
that
they
may
have
policies
that
are
inconsistent
with
a
vulnerability
like
open
source
security,
research,
disclosure
right
because
a
lot,
a
lot
of
vendors
will
have
their
bug
betting
program
on
hacker,
one
and
bug
and
and
Bug
crowd.
But
then
they'll
just
say:
oh
and
now
our
open
sources
in
scope,
but
they'll
have
a
policy
that
explicitly
states
that
hey.
A
C
A
C
B
D
B
C
F
A
B
F
Just
off
the
top
of
my
head
here,
I
think
we
should
take
a
principled
stance
that
because
open
source,
because
the
Project's
intended
to
be
used
by
others
that
open
source
maintainers,
if
they
are
pressured
into
essentially
accepting
a
gag
order
in
order
to
disclose
through
hacker
one
that
the
maintainer
should
politely
say
no,
either
give
me
another
mechanism.
It
will
give
me
another.
Please
give
me
another
mechanism.
You
now
have
89
days.
F
For
example,
if
my,
if
my
policy
was
I
will
accept
you
know,
reports
from
security,
researchers,
just
mailed
me
a
check
for
a
thousand
dollars
with
the
report
and
I'll
take
a
look
at
it
like
that's,
not
a
reasonable
policy
for
me,
as
a
maintainer
to
have
I
also
think
that
for
an
open
source
project,
any
kind
of
you
know
signing
and
assigning
the
way.
Your
rights
as
a
researcher
as
part
of
the
disclosure
process
is
not
is
not
reasonable.
F
D
F
B
C
B
D
B
B
Correct
because
and
the
risk
there
is,
if
you
violate
the
terms
of
that
disclosure,
you
can
receive
a
ban
from
hacker
one
or
bug
crowd,
which
means
that
you're
no
longer
able
to
receive
any
sort
of
financial
gains
from
the
platform
at
all.
So
like
okay,
you
know
this
is
a
problem
with
the
single
platform,
but
you're,
actually
exposing
yourself
to,
for
future
risk
of
not
being
able
to
achieve
any
sort
of
financial
gains
from
any
of
your
research
in
the
future.
F
B
C
B
I
have
gotten
very
pedantic
about
this,
not
because
I'm
pedantic,
but
because
I've
have
real
world
experience
with
these
problems
like
hacker
one
and
black
crowd's
triagers
will
get
pissed
at
you.
If
you
say,
hey
I'm,
going
to
disclose
this
because
it
needs
to
be
disclosed,
they
will
throw
the
you
agree
to
this
when
you,
when
you
submitted
this
at
you
like
they.
B
F
I
mean
we
could
simply,
you
know,
warning
warning
to
security
researchers.
If
a
Project's
disclosure
mechanism
is
hacker
one
or
we
don't
even
need
to
call
it
hacker
one.
If,
if
it
is
a
be
careful
of
the
terms
that
you
would
agree
to
when
submitting
through
a
formal
program,
if
that's
the
case,
you
may
want
to
consider
alternative
disclosure
mechanisms
to
get
the
message
to
the
team
without
agreeing
to
such
things,
and
that
way,
it's
it's
on
the
researcher
to
decide
and
from
an
AO
perspective.
F
B
B
Correct,
but
we
have
our,
you
can
have
your
own
disclosure
policy
and
you're,
not
agreeing
to
some
terms
of
agreement
and
micro
and
and
GitHub
doesn't
operate
as
I
mean.
You
know
has
made
a
very
strong
point
in
the
sand
that
they
are
not
going
to
operate
as
an
Arbiter
between
researchers
and
maintainers
right
and
with
GitHub
and
hacker
one.
You
have
a
lot
of
Arbiters
that
exist
between
researchers
and
hackers,
or
sorry,
researchers
and
maintainers.
F
One
is
but,
but
if
they
had
a
structured
data,
they
had
a
field
that
you
could
query
reliably
to
say.
Disclosure
policy
is,
like
you
know,
90
days,
public
gag
forever
or
something
like
some
something
so
that
you're
not
actually
parsing
the
text
that
might
it
may
be
easier
to
then
say
you
know,
don't
report
to
projects
that
have
through
hacker
one
to
projects
that
have
this
type
of
disclosure
policy.
B
F
You
know
how
about
this,
since
a
lot
of
this
is
hacker
one.
Let's
looping
Kayla,
look
how
the
conversation
there,
because
there's
something
we
can
do.
We
should
try.
It
I
think.
The
general
warning,
though
here,
which
would
apply
to
any
reporting
platform,
is
that
you,
as
a
security
researcher,
may
be
asked
to
give
up
some
of
your
your
rights
when
submitting
a
vulnerability
through
a
platform.
Beware
of
what
you're
giving
up
and
if
you
don't
feel
comfortable,
feel
free
to
you.
F
B
B
Okay,
I
was
considering
putting
this
information
like
okay,
so
we
have
this
down
here.
That's
like
kind
of
starting
to
replace
this
power
disclosure.
The
open
source
software
hosting
provider,
supports
the
pragmatic
means
of
private
reporting,
for
example,
get
a
private
reporting.
Then
this
must
be
used
to
report
the
vulnerability
if
the
pragmatic
means
of
private
reporting
is
not
enabled
on
the
vulnerability
and
a
public
issue
requesting
the
private
reporting
feature
be
enabled
on
the
repository
organization
or
organization,
are
they
or
on
the
organization
must
be
requested?
B
The
vulnerability
itself
must
not
be
disclosed,
but
the
existence
of
vulnerability
should
be
disclosed.
You
can't
your
campaign
should
consider
how
to
minimize
the
notification
load
on
maintainers
across
the
projects
and
should
consider
non-promatic
security
policies
secured
it
on
me,
for
example,
as
a
means
of
preferred
manual,
private
reporting,
for
example,
as
instead
of
opening
many
issues
across
multiple
repositories,
then
the
same
user
organization
that
may
be
appropriate
for
a
single
issue
to
be
opened,
requesting
a
private.
A
B
A
F
B
B
F
B
B
B
A
B
F
B
F
G
F
F
All
the
stories
yeah
no
I'm,
I'm,
just
imagine
so
so
I'm
so
I
guess
we're.
My.
My
fear
is
still
in
the
objection
that,
like
you
know
as
a
researcher
you
you
find
vulnerability
in
a
thousand
projects.
You
open
up
a
thousand.
You
realize
that
none
of
the
Thousand
have
PVR
enabled.
So
you
open
up
public
issues
in
each
of
them.
Saying
please
enable
35
days
later
you
check
you
see
that
only
50
of
them
have
enabled
it
so
they
so
you
submit
50,
pvrs
and
950
zero
days.
F
I
think
I
think
we
need
to
do
more.
I
think
we
need
to
try
the
so
first
I
I
would
be
okay
with
and
obviously
I'm
biased
here
but
like.
If
the
disclosure
check
tool
is
useful
and
and
does
this,
then
perhaps
the
answer
is
try
PVR
if
PVR
doesn't
work,
run
the
disclosure
tool.
If
you
try
all
of
those
places,
none
of
them
respond
and
the
you.
A
B
B
G
G
F
B
C
B
It
yeah
that's
like
having
an
open
pull
request
with
a
security
fix
in
it
is
valuable,
is
a
valuable
flag
to
a
credential
user
of
that
Library,
but
you'd
get
a
CV
out
of
it
anyway,
I
don't
no,
no
I,
don't
I,
don't
try
to
get
CV
numbers
unless
the
maintainer
actually
says.
Yes,
this
is
a
valid
security
vulnerability,
because
again
the
cve
system
doesn't
want
to
handle
it
at
this
scale.
B
F
I
realize
that
the
hard
part
is
differentiating
the
two,
but
for
things
that
are
obviously
security,
hardening
I
would
count
that
as
a
bug
like
that,
it
was
not
even
in
scope
for
this
it.
You
know
and
I
think
we
could
argue
about
whether
like
socket
timeouts.
Is
that
like
denial
of
service,
or
is
that
a
but
like,
but
some
things
will
obviously
fall
below
the
line
or
on
this
side
or
whatever
and
public
pull
requests
that
all
day
long
that
that's
that's
what
it's
there
for.
B
You
make
a
trade-off
between
so
any
stat
any
tool.
That's
going
to
be
automatic.
Facing
vulnerabilities
like
this
is
going
to
be
doing
static
code
analysis
and
there's
a
trade-off
that
you're
making
with
static
code
analysis
between
fixing
the
vulnerability,
because
it
looks
vulnerable
and
missing
false
positives,
because
you're
making
your
static
code
analysis
tool,
look
for
more
things
and
narrowing
it
down
to
be
more
exact
right
now.
What
I
did
for
zip
slip
was
I
said:
okay,
this
is
a
code
pattern
that
appears
this
is
vulnerable
and
I.
B
Didn't
look
for
data
flow
globally,
I,
looked
at
local
local
code
bases
and
said
this
is
unzipping
a
file
and
it's
not
sanitizing
it.
Okay,
that
could
be
a
jar
file.
That's
local
right
that,
like
the
project
built
itself
right,
like
I,
can't
make
those
assertions
because
data
flow
and
control
flow
across
a
large
code
base
is.
Is
it
is
a
turing?
B
It's
it's
a
it's
a
you
know,
it's
a
it's
a
hard
problem
and
you
can't
guarantee
correctness,
but
you
can
say
that
looks
like
a
pattern
of
a
common
security
vulnerability
and
even
if
it's
not
it's
still
a
valid
security
hardening.
So
let's,
let's
try
to
fix
this
at
scale
like
I,
also
want
to
be
clear
that
most
of
this
will
be
thrown
at
vulnerabilities
that
are
not
our
CES,
probably
I
mean
at
least
in
the
beginning.
B
B
D
A
F
B
B
B
The
norm
for
the
industry,
be
just
because
of
history-
is
that
the
receiver
of
the
report
dictates
how
the
report
comes
in
right.
They
publish
the
security
of
that
MV
file.
They
publish
the
security
on
txt
file
right
and
because
of
that,
the
researcher
has
to
go
through
the
effort
of
trying
to
find
where
that
vulnerability
needs
to
get
recorded
in
order
to
follow
their
policy
or
they
have
to
go
like
you
know,
Twitter
DMS
right
like
this,
is
an
opportunity
that
we
have
as
researchers
to
flip
that
script.
B
There
is
a
norm,
but
that
Norm
has
only
existed
because
trying
to
track
down
who
to
report
to
is
a
hard
problem
right.
In
this
case,
we
have
a
universally
usable
way
that
we
can
all
disclose
vial
and
it
is
PVR,
and
so
when
we
are
in
the
state
we
can
dictate.
Because
of
that,
this
is
the
way
we
would
like
to
report
to
you.
We
are
doing
this
at
scale.
If
you
don't
want
to
follow
that,
it's
fine
you're
going
to
get
a
public
pull
request.
G
F
F
Here's
my
markdown,
here's,
my
whatever
send
that
to
you
know
all
the
contacts
listed
in
the
output
of
this.
This
essentially
smush
the
two
together
and
that
way,
it'll
either
send
an
email
most
places,
don't
have
like
a
website
and
a
form,
but
you
know
we
could
we
could
we
could
deal
with
that?
If
it's
PVR,
then
it'll
do
the
API
and
do
the
PBR
thing.
If
it's.
F
It'll,
send
it
to
security
at
time,
left
where
they'll
get
it
and
do
the
thing
you
know
if
you
know-
and
this
is
getting
back
to
like
future
talk
but
like
if
we
have
a
separate
relationship
with
tiger,
we
could
just
send
them
all
to
time,
lift
and
make
it
really
easy
for
ourselves.
I
get
that
this
policy
is
not
about
just.
G
B
B
Of
that,
but,
like
I,
think
the
scale
of
the
problem,
you
see
there
versus
spamming
a
bunch
of
people
with
a
bunch
of
fixes
that
are
most
often
or
not
off,
not
most
often
sometimes,
security,
hardenings,
and
if
you
send
them
a
patch
file,
they
then
have
to
go
through
the
full
process
of
downloading
that
patch
file,
applying
it
to
their
repository
Yeti
like
they
have
to
go
through
manual.
Steps
versus
just
hit
a
merge
button
right.
C
F
About
this
step,
one
check
if
PVR
is
enabled,
if
it's
not
enabled
open
up
an
issue
say
please
enable
PVR
if
you
enable
PPR
I
will
submit
it.
You
know
next
week
or
in
in
20
days
or
whatever
I
will
submit
a
report
of
a
vulnerability
to
you
through
PBR.
If
you
don't
I'm,
gonna,
look
for
you
in
other
ways
and
I
will
send
you
a
patch
file
or
markdown
or
whatever,
and
I
will
do
my
best.
B
F
No,
you
just
have
to
reply
all
be
to
I
I
mean
the
question
is:
do
we
want
that
to
be
a
no
reply?
Email
where,
like
we're
not
looking
for
a
back
and
forth
engagement,
we
are
we're
doing
a
a
one-time
blast
out
disclosure,
it's
so
great.
If
not,
then,
yes,
there
needs
to
be
a
reply.
Email
address,
but
that's
kind
of
what
we
would
be
doing
with
the
private
vulnerability
report.
F
B
F
B
A
B
F
Know
what
I'm
gonna
do
I'm
gonna
run
disclosure
check
on
the
top
10
000
projects.
It'll.
Take
me
a
couple
days
to
run
them
all
to
see,
statistically
how
many
of
them
have
at
least
one
email
address
from
the
from
early
testing.
Practically
all
they
either
have
nothing,
because
it's
debugging
the
tool,
or
they
have
at
least
one
email
address,
so
I
think
with
that
it
it
should
be
okay,.