►
From YouTube: OpenSSF Vulnerability Disclosures WG (December 14, 2022)
A
A
B
C
A
C
B
B
Years,
yeah,
you
beat
yeah,
you
beat
me
by
a
while
to
to
join
this
whole
party,
yeah
I
heard
about
to
see
where
did
I
so
the
reason
that
I
joined
the
open
SF
was
because
I
heard
about
it
from
security
Now,
it
was
a.
It
was
something
that
Steve
Gibson
talked
about
as
a
project
and
I
was
like.
Oh,
this
sounds
really
interesting
and
so
I
decided
to
to
hop
on
the
bandwagon
on
this.
One
and
and
I
have
been
happily
surprised
by
this
particular
Endeavor
in
its
entirety.
B
Yeah
he
and
I
have
had
an
interesting
set
of
interactions,
mostly
because
all
of
my
just
all
of
my
interactions
with
him
has
been
as
a
security
researcher,
so
it's
naturally
slightly
contentious
but
yeah.
So
that's
in
general
I
think
we
have
I,
don't
know
I'd,
be
fascinated
how
he
what
he
thinks
I
mean
if
we
were
to
meet
in
person.
C
B
I
have
pissed
off
a
bit
of
the
ASF,
with
my
automated
vulnerability,
pull
request
issuance
stuff.
I
ended
up
so
I
have
an
opt-out
mechanism
for
maintainers
to
say
like
okay.
If
you
don't
want
more
of
these
polar
press,
here's
how
to
opt
out
and
the
people
behind
the
Apache
Commons
project
opted
out
across
all
of
their
repositories
and
I'm
I.
Don't
know
it
means
that
I
can't.
You
know
I
I
if
I
want
to
report
to
them.
B
B
B
Yeah,
well
you
mean
you,
I
mean
the
problem
is
right,
there's
only
so
many
people
that
are
committed
to
this
stuff.
So
you
know
it's
hard
to
find
you
gotta,
find
either
gotta
find
or
hire
new
people
to
come
in
to
take
take
on
the
roles
that
are
having
like
traditionally
filled
by
people
for
a
long
time.
C
C
Next
time
we
meet
in
January.
We
will
have
a
different
set
of
meeting
notes.
I
have
a
link
there
and
part
of
my
jobs
before
January
rolls
around
is
changing
links
in
all
the
slack
channels
to
the
appropriate,
a
set
of
meeting
notes,
so
in
January
don't
sign
in
on
this
sheet.
Please
sign
me
on
my
other
sheet.
C
C
The
initial
request
is
for
some
folks
from
Australia,
but
we
want
to
cast
as
widering
that
as
possible.
Aipac
is
a
very
big
region,
so
I
need
to
Circle
back
with
the
with
the
folks
in
Australia
that
I
asked
requested
for
it
and
get
a
list
of
them
and
we'll
probably
get
an
alternate
call.
So
anyone
that's
interested
is
invited
to
participate
in
the
evening.
Call
we'll
probably
do
that,
maybe
once
a
month
or
so
going
forward,
but
please
provide
any
comments
or
suggestions
feedback
into
issue.
118.
B
C
C
There
was
an
interesting
blog
that
came
out
a
week
or
so
back.
Anyone
is
interested.
We
can
discuss
that
here
in
the
call,
or
we
can
even
turn
this
into
a
GitHub
discussion.
If
we
wanted
to
have
kind
of
more
of
an
asynchronous
conversation
around
the
topic,
does
anyone
had
a
chance
to
read
the
crash
override
article,
yet.
C
The
premise
is
how
cve
and
nvd
don't
work
for
the
open
source
supply
chain
very
provocative
title,
so
I
would
request
this
group
and
I'll
send
it
out
to
the
mailing
list.
If
we
have
any
strong
opinions,
if
there's
any
learnings
that
we
might
be
able
to
adopt
and
react
to,
please
provide
us
that
feedback
I'll
shoot
a
note
out
to
the
mailing
list.
After
this
call,
so
we
can
have
a
dialogue
there.
C
B
C
B
A
B
Mouse,
my
mouse
is
not
working
properly:
okay,
schmoo
cfp,
so
the
abstract
that
we
submitted
and
was
accepted,
also
funny
thing:
I
got
accepted
and
rejected
from
shmukh
Khan
in
one,
because
Madison
submitted
our
talk
and
so
I
get
the
email
that
says:
hey
you've
been
rejected
and
then
immediately
Madison
sent
me
a
message
saying:
hey
everybody
and
I'm,
like
wow
I've,
been
accepted
and
rejected
in
in
like
30
seconds.
It's
like
an
emotional
Whirlwind
from
schmoo.
B
So
all
right,
so
this
is
the
abstract
that
we
submitted
after
hours
of
puzzling
over
your
debugger
like
decompiler
or
pen
testing
toolkit
you,
finally,
cracked
it
the
security
vulnerability.
You
strongly
believed
was
present.
Almost
almost
almost
evaded
you,
but
now
you've
got
proof.
You've
achieved
the
thrill
of
finding
a
vulnerability
that,
hopefully
no
one
else
on
the
planet
knows
exists.
Now
the
process
of
vulnerability
disclosure
began
can
begin
where.
B
Do
you?
How
does
the
process
work?
How
do
you
report
a
vulnerability
to
whom?
How
do
you
actually
get
these
things
called
cve
numbers
you've
heard
so
much
about
what
do
you
do
with
the
process
here?
What,
if
you
do,
if
the
process
falters
in
this
talk,
we'll
demystify
the
vulnerability
disclosure
process
by
presenting
the
really
a
recently
published
open
source
software
security
Foundation?
B
I
I
I
I
had
fun
writing
that
abstract
and
it
seems
that
the
shmu
people
snagged
it
so
Madison
and
I
have
every
intention
of
meming
this
up
as
much
as
we
have
a
20
minute
slot
and
we
will.
We
will
be
telling
the
story
of
this
guide
and
trying
to
tell
a
story
that
keeps
people
engaged
and
and
helps,
makes
them
laugh
and
then
also
keeps
the
you
know
tells
a
compelling
story.
The.
The
idea
at
a
high
level,
I
think
is.
B
We
would
love
the
recording
to
be
a
semi
good
stand-in
for
the
guide
in
terms
of
a
knowledge
dump.
But,
like
you
know,
you
could
read
the
guide
to
get
more
information,
but
we
don't
want
the
it
all
to
be
like
go.
Read
the
guide.
Go,
read
it
go.
Read
the
guide
go,
read
the
guide.
It's
like
you
actually
gain
valuable
knowledge
out
of
just
watching
our
talk,
because
some
people
consume
stuff
visually
more
than
they
would
reading.
B
One
bit
of
feedback
that
I
had
on
the
guide
is
that
the
guide
is
very
forward
dense
and
describes
a
bunch
of
terminology
instead
of
getting
into
the
meat
of
the
thing
first
and
so
Madison
and
I.
Both
regret
it
in
in
the
in
the
process
of
writing
this
up
and
I.
Don't
know,
I,
don't
know
how
we
wanna
well.
I,
don't
know,
I
think
it
might
be
a
different
issue
that
we
want
to
do
deal
with,
but
on
those
notes
that
we
had
from
from
having
read
the
guide
recently.
B
So
if
there's
anybody
that
has
any
interest
in
being
involved
in
the
creation
of
the
slide
deck,
we
will
be
posting
the
link
to
that
in
the
slack
Channel
whenever
we
create
that,
unless
there
is
a
place
that
someone
from
the
ossf
can
create
for
Google
drive
documents
under
the
Linux
Foundation
IP.
Currently
this
this
shmukhan
cfp
is
in
my
drive
because
I
didn't
have
permission
to
create
a
drive
anything
for
the
ossf,
so
my
computer,
my
lap,
my
keyboard,
is
attached
to
the
other.
B
Month
to
get
our
talk
together,
but
knowing
the
Two
of
Us,
Madison
and
I
having
ADHD,
we
will
probably
leave
it
to
last
minute
unless
there
is
some
actually,
it
would
be
good
to
give
us
an
opportunity
to
give
this
talk
as
a
demo
to
you
all
so
that
give
us
an
earlier
deadline
and
also
give
us
an
opportunity
to
run
it
early.
What.
B
B
I've
asked
Katie
I'm
like
I,
talked
to
Katie
my
service
I'm,
like
how
do
you
get
tickets
she's,
like
I,
usually
show
up,
and
then
hopefully
someone
hands
me
a
ticket
at
some
point,
so
I'm
like
so
you
I
mean
Katie
also
knows
a
lot
of
people,
but
if
you,
if
you,
if
you
are
interested
in
coming
I
I
highly
recommend
it.
So
it's
a
good.
It's
a
good
conference,
a
lot
of
fun,
a
lot
of
religious
people,
a
lot
of
government
types
if
you
want
to.
C
C
C
Think
it's
a
great
idea
and
it's
something
I
would
like
to
next
year,
maybe
be
a
little
bit
more
strategic
and
thinking
through
conferences
like
shmukh
Khan,
where
it
would
be
vital
for
us
to
go,
engage
with
the
community
and
present
things
like
this.
Maybe
we
can
actually
put
out
a
little
schedule
and
be
kind
of
focused
in
our
efforts
to
try
to
hit
some
of
these
major
constituencies
and
get
this
message
out.
D
B
Scary
lab
has
a
like
Master
list
of
like
security
conferences
that
they
keep
track
of
and
and
submit
cfps
to.
So,
if
I
can
track
that
down
and
be
have
him
willing
to
share
that
widely?
That
would
help
that'd
be
great.
That
would
yeah.
That
would
be
really
nice.
Also,
one
of
the
things
that
I
want
to
try
to
do
is
if
there
are
any
good
candidates
for
developer
conferences,
that
would
be
good
to
get
it
into
the
hands
of
people
that.
D
A
A
C
A
C
B
See
the
recording-
usually
yes
but
I,
don't
know
if
the
a
it's
art
art
are
you
making
additional
I?
Think
for
you
said
last
week
whether
or
not
you
were
making
it
I
didn't
forget:
oh
hey,
most
likely,
no
yeah
I,
don't
know
if
you
saw
this,
but
we
got
accepted
to
shmoo
with
the
the
the
top
the
oh,
the
the
title
of
the
talk
is
congratulations.
You
found
a
security
vulnerability
in
an
open
source
project.
Now
what.
B
C
B
C
B
B
Attackers
can
load
arbitrary
class
files
and
then
lead
to
rce
the
one
of
the
projects.
Snake
yaml
had
this
vulnerability,
re-reported
to
them
by
Google
maintainer
like
earlier
this
month
with
a
payload,
the
snake
animal
team
said
we're
not
going
to
fix
it.
It's
a
feature,
not
a
bug.
A
cve
was
issued
by
Google
Now,
there's
a
discussion
in
their
issue
tracker
about
it.
The
primer
maintainer
is
very
it's
stubborn.
B
About
stating
that
this
is
a
feature
not
a
bug,
I've
been
trying
to
do
my
own
part
to
communicate
hey
you're,
exposing
a
bunch
of
your
users
to
risk
here,
hear
a
bunch
of
cves
that
have
been
issued
for
Downstream
customer
consumers
of
your
library
because
of
this
vulnerable
Behavior.
Like
you
know,
this
should
be
secure
by
default.
Yada
yada
I
am
having
limited
success
in
terms
of
convincing
this
maintainer
to
actually
change
the
default
Behavior
to
be
secure,
and
this
is
all
happening
out
in
public.
B
He
is
a
good
question:
I've
posted
a
link
to
the
chat
or
to
the
to
the
thread
and
my
attempts
to
convince
the
maintainer,
but
it
see
it
seems
it
seems
like
it's
he's
an
Eastern
European,
maybe
Russian
maintainer
yeah.
So
it
seems
like
it's
kind
of
owned
by
a
single
maintainer
or
there
is
a
primary
maintainer.
That
makes
a
lot
of
the
decisions
and
he's
very
unwilling
to
make
a
change
here
to
secure
his
Downstream
custom
users
and
so
I.
Don't
know
like
my.
B
My
long-term
plan
is
if
he
continues
to
refuse
to
make
changes.
I
will
go
out
and
do
my
thing,
which
is
there's
a
way
to
fix
it.
There's
a
the
way
to
fix
it
is
to
use
there's
a
parameter
called
safe
Constructor
that
you
can
pass
when
you're,
creating
the
yaml
parser
and
it
basically
forbids
arbitrary
class
loading
and
I
can
go
generate
a
few
hundred
or
a
few
thousand
pull
requests
to
go
fix
that
across
the
open
source
ecosystem,
but
I'd
rather
fix
it
at
the
source
than
try
to
do
that
right.
B
So
that's
that's
a
bit
of
vulnerability,
disclosure
drama
and
a
use
case,
and
it's
like
even
now
that
it's
because
it's
in
the
public,
the
maintainer,
is
adamant
that
this
remote
code
of
fusion
vulnerability
is
a
feature
not
a
bug.
And
that's
it's
it's
a
it's
a
his
argument
is
nobody
parses
untrusted
yaml
as
an
API
or
they
shouldn't
be
parsing,
untrusted
yaml,
and
if
they
are,
they
should
be
odd.
A
B
That
is
a
good
question
if
you
can
determine
that
from
reading
through
the
thread,
I've
had
a
hard
time,
Discerning
that
and
I,
don't
know
how
to
speak
to
that.
I've
had
to
be
very
gentle
in
in
this
and
it's
hard
because
you
get
frustrated
and
you're
like
okay,
I
can't
be
frustrated,
I
need
to
be
calm
and
collected,
and
also
you
know,
fact-based
or
well.
Yeah
also
I
know
that
I'm
a
little
blunt,
even
when
I'm
fact-based
so.
B
B
You
know
push
for
initiative
that
just
decommissioned
the
support
of
HTTP
across
the
geology,
ecosystem
in
favor
of
https
only
and
broke
25
of
the
build
infrastructure
in
the
job
ecosystem
in
one
day,
so
I'm
I'm
I'm,
not
necessarily
the
right
person
to
you,
know
I
I
I
see
security.
Is
you
know
we
should
break
things
in
order
to
fix
security,
even
if
it's
a
little
painful.
D
B
The
other,
the
other
issue
that
I'm
running
into
in
the
same
vein,
is
I,
found
a
project
that
is
using
snake
yaml
in
its
endpoint
in
one
of
its
endpoints
and
is
vulnerable
and
the
GitHub
security
Advice
security
lab
has
reported
a
vulnerability
to
them.
They
didn't
handle
it,
so
they
ended
up,
dropping
an
ode
on
them
and
I
found
a
similar
vulnerability
that
is
also
rce
in
that
project.
The
project
has
5
000
stars
on
GitHub,
5000
plus
stars
on
GitHub.
It's
a
chinese-based
project
and
the
maintainers
seem
completely
unresponsive
to
vulnerability
reports.
B
C
C
B
A
C
C
Ressors
and
Kurt's
project
was
a
GSD,
but
there
are
other
mechanisms
to
get
the
information
out
there
so
that
consumers
can
get
that
information
and
make
choices,
be
aware
of
that
and
if
there
are
alternate
mitigations
that
they
might
be
able
to
deploy
as
a
configuration
option
after
the
fact
sharing
that
with
them.
So
if
they
continue
to
choose
to
use
the
vulnerable
software
that
isn't
going
to
be
fixed,
maybe
they
should
move
off
or
giving
them
an
opportunity
to
have
a
alternate
mitigation
to
provide
that
pass.
That
parameter
themselves
right.
B
Right,
one
of
the
things
that
I'm
useful
for
the
snake,
the
snake
ammo
case
right
this.
This
vulnerability
has
been
widely.
You
know
known,
there's
a
couple
of
CVS
for
snake
yaml,
and
then
you
still
see
a
bunch
of
projects
that
are
still
using
it
in
a
way,
that's
vulnerable
in
a
way
that
leaves
them
vulnerable,
so
that
information
doesn't
make
the
full
like
loop
back
to
the
maintainer.
C
Yeah
and
most
open
source
is
made
to
be
used
under
a
multitude
of
different
scenarios,
so
you
will
see
the
trend
that
a
lot
of
times
things
go
out
insecure
by
default
because
they
don't
know
how
their
end
consumer
is
going
to
deploy
it
and
they
provide
instructions
or
guidance.
Saying
you
know
don't
do
this,
but
they
don't
necessarily
lock
that
off
by
default.
C
That's
again
a
very
common
pattern,
just
because
it
developers
don't
know
how
that
software
is
going
to
be
used,
and
there
are
scenarios
that,
if
you're
a
researcher
or
you're
like
an
academic
education
scenario,
you
might
not
want
to
be
as
restrictive
versus
if
you're
a
bank
or
a
government.
You
want
to
have
that
secure
by
default.
It's.
A
C
It's
a
it's
a
it's
about,
I,
see
both
sides
I
wish
it
was
or
I
wish.
The
developer
was
more
receptive,
but
I
I
am
also
sensitive
to
they
might
not
have
the
resources
or
interest
to
continue
to
change
this.
It
sounds
like
they
have
a.
They
very
clearly
have
stated
we
like
this
and
it's
unfortunate
that
consumers
aren't
going
to
be
able
to.