►
From YouTube: OpenSSF Vulnerability Disclosures WG (October 19, 2022)
A
B
B
B
D
B
Yeah
Friday
I
haven't
taken
a
look
at
this,
yet
I,
don't
know
if
other
folks
in
here
have
or
if
anybody
has
any
questions
about
it
but
yeah.
It
seems
like
everything
we
need
here
everything
we
need
to
review.
It
is
here.
So
if
you
have
questions
or
anything
feel
free
to
use,
this
issue
looks
like
it's
already
made
for
this
and
give
any
feedback
by
Friday.
B
So
it
seems
like
we
have
some
activity
at
least
on
this
one
though
I'm
biased,
because
some
of
the
activity
is
my
own
for
handling
incidents,
but
it
doesn't
seem,
like
many
folks
have
weighed
in
elsewhere,
so
it
seems
like
for
now.
This
is
at
least
the
front
rather
front
runner,
for
what
our
next
project
will
be.
So
I
would
encourage
everyone
to
go
on
these
issues.
C
B
D
B
Yeah,
so
that
I
didn't
get
any
negative
feedback
for
doing
it.
This
way,
so
I'd
encourage
everyone
else
to
basically
do
the
same,
so
whichever
whichever
one
you
feel
strongly
about
is
doing,
is
our
next
idea,
whatever
one
we
pick
from.
This
doesn't
immediately
nullify
the
other
two
ideas
I'm
personally
hoping
we
do
all
three,
so
it's
really
just
choosing
whatever
order
we
want
to
do
them
in.
A
D
A
A
My
brain
just
totally
shut
down
and
I.
Don't
remember
what
the
question
that
I
had
about
her
so
yeah
I
guess
is:
is:
is
there
any
progress
on
that
I
guess
to
the
question
like
the
actual
implementation
of
of
that
instant
response
that
the
or
I
guess
it's
not
completely
related
to
what
this
word
group
is
doing
or
am
I
incorrect.
B
A
Context
so
sorry
context
context
would
be
that
there
was
an
idea
to
create
an
incident
response
team
that
the
opennesses
have
had
standing.
Wait,
no
wait.
This
was
about
sorry
I'm,
conflating
two
things
there
was
there
was
there
was
an
idea.
I
could
hear
on
me
osis
about
an
instant
response
team
so
that,
if
you
know
some
maintainer
has
some
chaos
involved,
they
could
reach
out
to
someone
and
get
help.
B
Okay,
so
at
least
the
former
I
think
is
the
work
that
the
OSS
cert
Sig
is
now
doing,
which
is
a
group
that
sort
of
spun
off
of
this
one,
so
I
think
I,
think
they're,
covering
the
former
of
what
you
said.
I,
don't
know
anything
about
office
hours,
though.
If
anybody
else
knows
more
information
about
that.
E
Yeah
there's
a
separate
group,
but
I
thought
it
was
one
of
the
other
working
groups
that
was
trying
to
do
kind
of
a
general
purpose.
Security
office
hours,
but
I
was
having
trouble
finding
a
way
to
there's
kind
of
a
chicken
and
egg
thing
like.
How
do
you
make
it
useful
enough
that
you
attract
people
to
it,
but
then
enough
people
that
you
attract
the
experts
to
it
so
I
think
that's
still
I'm
trying
to
get
off
the
ground.
D
D
A
A
B
F
F
F
So
we're
expecting
you
know
it's
possible
there'll,
be
substantial
feedback
from
someone
and
there
might
be
revisions
to
the
plan,
but
you
know
check
plan
plan
drafted
and
submitted
for
further
review
approval.
Etc
I'll
comment
briefly,
the
more
more
personal
hat
on
as
I
mean
I
think
this
is
appropriate.
The
it's
a
plan.
It's
not
necessarily
the
you
know,
here's
what
the
cert
will
look
like
and
do
that
directly,
which
I
think
is
appropriate
and
fine.
I
personally
had
some
struggled
a
bit
with.
F
Are
we
actually
writing
down
the
whole
thing
or
are
we
writing
down
for
the
plan
part
and
it's
a
little
more
plan
oriented
again
totally
fine,
just
a
comment:
if
you're
expecting
the
circle,
do
the
following
things:
a
through
z,
I
think
we're
not
quite
at
that
step
exactly
yet,
but
yeah,
that's
all
I'll!
Stop
there
I
think
thanks.
F
F
F
D
A
B
A
D
B
Okay,
great
then
yeah
for
those
for
those
that
don't
want
to
stay
no
offense
taken
at
all
feel
free
to
take
your
time
back.
John
and
I
are
going
to
talk
about
possibilities
of
presenting
the
finder
guide
at
conferences,
so
that
was
something
that
probe
has
brought
up
before.
Basically,
if
anybody
wants
to
you
know,
evangelize
the
guide
or
the
good
work
that
this
working
group
is
doing.
Please
feel
free
to
do
that.
So
that's
something
that
at
least
John
and
I
have
been
talking
about
doing
ourselves.
D
A
D
A
Yeah,
so
all
right,
schmooz
cfp.
Let
me
double
check
and
make
sure
that
I've
sandedly,
like
we
I,
haven't
already
missed
it.
I
think
the
it's
still
open,
sorry,
I'm
gonna
transition
to
getting
on
my
computer.
Give
me
a
second
but
yeah.
It
closes
today,
yeah,
okay,
perfect,
and
they
have
a
couple
of
tracks.
I
remember
that
there
was
a
track
that
s-bomb
was
originally
like.
A
I
remember
like
one
of
the
early
talks
on
F-bomb
was
done
at
schmoo,
and
so
there's
probably
a
track
where
this
would
be
very
relevant
in
I
gotta
use
my
smart
home
automation
to
turn
on
all
my
monitors.
If
I
turned
them
off
last
night,
right,
yeah
I
have
I'm
gonna,
be
completely
honest,
not
read.
The
guide.
I
should
probably
do
that.
A
B
Lord,
you
know
what
that
is
actually
a
good
point,
so
I
read
through
the
god
the
other
day
and
found
a
couple
of
oops.
Let's
see,
I
found
a
couple
of
issues
in
it,
just
the
typos
and
other
things,
just
from
like
formatting
issues,
from
moving
it
around
as
much
as
we
did
so
I
made
a
PR
fixing
a
bunch.
B
A
D
A
D
A
A
F
A
D
F
Yeah
so
yeah
again,
I'm
I'm
unlikely
I'm
happy
to
hang
out
and
hear
what's
going
on,
I,
I'm,
probably
unlikely
and
I.
You
know
probably
don't
need
to
count
me
in
as
involved
in
any
cfps
or
presenting
I
mean
if
you
desperately
want
me
for
a
panelist
or
something
you
know,
I
can
handle
that.
But
that's
fair,
that's
fair,
but
yeah,
just
to
be
clear.
Yeah
yeah,
I'm
interested
but
not
gonna,
yeah.
A
So
this
build
it
50-minute
presentations
about
creating
inventive
software
and
Hardware
Solutions
belay.
It
50-minute
presentation
about
Cutting,
Edge,
defensive
solutions
to
current
problems.
I
mean
it
could
also
be
blade
or
bring
it
on
and
then
bring
it
on
is
50
minute
prison
20
to
50,
minute
20
or
15
minute
presentation
with
an
open
mind.
Technology
and
security
related
topics.
B
B
Yeah
I
I
recorded
something
for
the
CBE
podcast
yesterday,
actually
about
the
finder
guide,
which
I
was
gonna,
wait
to
share
once
it
was
actually
public,
but
I
presented
the
whole
guide
to
them
and
probably
took
me,
maybe
about
a
half
an
hour.
I
could
probably
do
it
in
about
20
minutes,
but
yeah
I
think
I
agree
that
10
is
maybe
not
enough.
D
A
A
Let's
I
mean
you
just
started
with
a
story,
though
right
like
hey
like
like:
let's
start
with
the
story
or
the
press,
the
premise
of
I
have
found
vulnerability.
It's
really
bad
right,
like
and
I
need
to
make
sure
the
maintainers
are
aware
of
it
right
like
because
the
most
compelling
talks
are
gonna
have
to
tell
a
story
right,
yeah,
so.
A
B
A
Right,
I
think
that
that's
like
you
know
that
seems
like
a
very
relevant
location
to
toss
it
to
first
or
not
first
but
like
in
a
general
sense
like
also
throwing
it
at
those
talks
Brian.
What's
the
I'm
hoping
Brian
you're
the
right
person
to
ask
what
is
the
relationship
with
the
open
SF
working
groups
and
getting
talked
accepted
to
the
Linux
Foundation
Advantage
conferences.
E
No
Formal,
Connection
being
a
contributing
working
group
member
doesn't
guarantee
you
any
position.
It
still
has
to
go
through
the
cfp,
but
we
have,
at
a
couple
of
events,
put
together
an
open
ssf
day,
which
is
a
more
hand,
curated
collection
of
content,
and
for
that
we
tend
to
be
more
proactive
in
going
out
to
the
community
and
asking
who
wants
to
talk
and
like
trying
to
program
it
a
little
bit
more
top
down
rather
than
through
a
Bottoms
Up
cfp
So.
E
A
B
Oh,
so
is
there
anything
else,
maybe
more
at
a
high
level
that
we
want
to
talk
about
like
presenting
the
work
that
we're
doing
on
this
more
before,
like
while
we
have
a
bit
of
a
group
here,
I,
don't
know
if
it's
I
don't
know,
maybe
it
is
I.
Don't
know
if
it'd
be
very
valuable
for
everybody
on
the
call
to
sit
here
and
go
through
like
making
the
actual
presentation
itself,
but
I
would
also
expect
whatever
presentation
that
we
could
create
from
this
we'd
share
with
the
rest
of
the
group
and
in.
D
A
Right
I
mean
the
idea
is
like
this
is
a
resource.
The
cfp
sort
of
text
is
something
like
you
know,
for
my
talk
that
I've
been
giving
around
the
world
I
just
have
a
basic
like
you
know,
abstract
that
I.
Just
like
you
know,
oh
this
abstract
needs
to
be
only
140
characters
all
right.
Well,
now,
I
gotta
cram
it
into
like.
You
know
less
sort
of
thing
but,
like
you
know,
having
a
basic
template
of
like
this
is
a
bunch
of
the
words
that
we've
written
already.
You
can
craft
it.
A
B
A
A
A
A
B
F
A
Yeah
I'm,
just
speaking
about
it,
I
mean
no.
My
talk
has
been
very
different.
I've
been
the
talk
that
I've
been
giving
is
titled
scaling
the
security
researcher
to
eliminate
against
Social
Security
vulnerabilities
once
and
for
all,
which
is
the
one
I've
been
getting
all
over
the
world.
This
is
not
my
host
guide.
Okay
got.
F
A
D
F
D
F
G
B
G
G
B
Okay,
perfect
I,
appreciate
that
that's
very
good
to
know
I
think
I
think
do
we
have
a
process
for
for
PRS
and
feedback
I
I
assume
not,
which
is
why,
when
I
made
mine
I
didn't
know,
is
there
somebody
that
we
should
add
as
a
reviewer?
How
do
we
decide
what
actually
gets
approved?
Does
probe
just
unanimously?
Do
this.
D
B
Foreign
okay,
great,
thank
you
for
sharing
that
so
yeah.
Anybody
welcome
to
contribute
to
it.
I
will
be
on
and
off
of
it
throughout
the
day
and
we'll
see
if
we
can
get
something
done
today
and
if
not,
obviously
we
can
still
continue
in
the
previews,
as
for
other
other
conferences
where
we
might
want
to
evangelize
the
same
thing
and
and
just
because
we
want
our
want
to
and
are
talking
about,
the
finder
report,
because
it
happens
to
be
the
most
recent
work
that
we've
done.
B
A
What
I
guess
the
only
thing
that
I
would
love
feedback
on
is
because
titles
are
hard,
I
I,
you
know
I'm
just
at
like
you
know,
I'm
trying
to
beat
clickbaity,
because
that's
what
every
good
title
is
and
I
came
up
with,
so
you
found
a
security
vulnerability
now.
What
does
anybody
else?
Have
any
suggestions?
Is
that
a
good
title,
a
bad
title,
a
horrendous
title,
doesn't
make
any
sense
or
do
we
like
do
we
want
something?
That's
more
specific
to
the
vulnerability
guide
or
I.
B
A
My
presenter
name
and
then
you're
like
putting
title
on
your
presenter
name.
It's
like
my
title,
who
I'm
working
for
is
gonna,
shift
very
radically
between
now
and
schmoo,
so
which
one
do
I
put.
Who
I
am
now
or
who
I'm
going
to
be
then,
which
is
why
I'm
going
to
be,
then,
is
not
yet
public
yeah,
so
I.
B
A
Oh
I
hate
this
too
bios
are
limited
to
100
Words,
which
means
50
words
each
do
you?
Do
you
have
a
a
I
pursue
you've
spoken
in
conferences,
so
you
have
a
bio
I,
just
sharpened
mine,
so
much
actually
I
do
already
have
a
50
word,
bio
for
sure
movie,
because
I
already
submitted
a
cfp
earlier
for
different
talk.
We.
A
A
Our
body
call
that's
very
fair,
that's
very,
very
fair,
because
anybody
who's
read
the
guide,
because
I
will
my
as
soon
as
I
get
off
the
call
my
plan
is
to
read
the
guide.
Is
there
anything
in
particular
that
for
the
people
that
have
read
the
guy
that
we
want
to
make
sure
we
highlight
specifically
I
will
write
down
some
bullet
points
on
that.
B
I
think
we
want
to
highlight
that
there
are
a
number
of
options
available
right,
which
is
like
part
of
the
problem.
Is
that
you
don't
know
what
to
do,
but
you
could
also
do
a
lot
of
different
things
right
once
you
think
you
found
this
information,
so
I
think
one
of
the
benefits
of
the
guide
is
that
it
does
highlight
all
of
the
different
options.
I
mean.
Obviously
we
give
our
preference
right,
our
our
opinion
of
here's,
the
way
that
we
think
that
you
should
do
this,
but
there
are
a
lot
of
options.
B
B
And,
and
so
for
like
for
me
personally
too,
when
I
when
I
was
recording
this
podcast
yesterday
about
this
guide,
one
of
one
of
the
things
that
I
like
to
say,
and
that
I
like
to
really
really
reiterate,
is
that
vulnerability
disclosure
is
a
human
process.
There
are
humans
involved.
There
are
different
motivations,
there
are
emotions
right
there.
There
are
a
lot
of
a
lot
of
human
parts
of
this
process
that
can
cause
it
to
go
well
or
degrade.
G
B
D
A
G
So
there's,
there's
kind
of
a
level
there
where,
like
you,
don't
want
to
like
go
all
the
way
or
don't
make
assumptions
is
another
one
like
just
don't
assume
that,
like
you're,
going
to
be
ignored
either
just
because
you're
not
getting
a
response
or
like
it's
not
important,
and
then
you
do
something
that
causes
or
aggravates
the
problem.
That
much
more.
E
A
D
G
E
Faster
I
can
share
this,
the
pain
right
now,
trying
to
use
Firefox
and
some
other
stuff.
That's
been
put
in
sandboxes
on
on
Ubuntu,
where
you
know
things
that
I
needed
for,
like
opening
local
HTML
Pages
become
very
cumbersome,
then,
and,
and
so
I
have
to
use
the
Firefox
teams
version
of
Firefox
that
installs
it
locally.
You
know
unsandboxed
or
on
I
forget
what
the
sandboxing
term
for
Ubuntu
is
but
outside
of
that.
E
Oh
the
the
snap
system,
sorry
snaps,
so
so
debates
between
you
know
people
at
the
end
of
the
supply
chain
and
the
and
further
up
are
perennial
and
have
existed
for
decades.
There's
no
no
hard
and
fast
solution
to
that,
except
just
more
conversation
and
and
and
but
any
any
any
system
is
gonna
have
to
accommodate
the
fact
that
stuff
does
change
as
it
moves
through
the
chain
and
it's
not
always
the
same
httpd
right.
A
G
Some
of
them
come
from
other
sources
but
like
in
the
sake
of
like
supply
chain
security,
he
yeah,
but
from
what
I've
seen
and
the
argument
is
like
Arch.
Does
it
too
so
like?
Are
we
really
that
wrong?
Because
and
then
you
go
to
like
divian
and
Debian
does
their
own
thing
too?
So
then
you
then
yeah
and
Arch
has
like
five
different
installations
of
Firefox.
A
A
Is
there
anything
else
that
we
want
to
make
sure
we
include
in
the
detailed
description
of
the
cfp,
so
this
is
this
is
what
they
say.
This
is
the
most
important
part
part
of
the
description.
You're.
Not
you
do
not
need
to
provide
detailed
information
that
demonstrate.
Oh,
you
need
to
provide.
You
do
not
need
to
you.
Do
you
need
to
provide
detailed
information
that
demonstrates
your
knowledge
of
the
topic
and
how
you
will
present
it
to.
B
G
B
G
Much
pretty
much
because
pretty
much
everyone
kind
of
told
us
the
same.
We
did
an
initial
Discovery
to
kind
of,
because
the
ideology
is
that
we're
going
to
be
surveying
people
and
groups
to
actually
get
like
the
full
core
set
of
services.
However,
kind
of
what
I
just
described
was
one
of
the
things
that
came
up
a
lot,
so
we
know
that
a
big
part
of
the
cert
is
going
to
be
facilitating
communication
between
groups
and
that's
right.
Now,
that's
going
to
be
like.
G
In
other
words,
we're
going
we're
moving
away
from
patching
and
really
taking
on
additional
responsibilities
like
that,
and
what
we're
trying
to
do
is
we're
trying
to
like
not
like
I.
Think.
One
of
the
things
we
wanted
to
do
was
talk
to
someone
of
the
people
involved
with
some
of
the
bigger
incidents
and
figure
out
how
we
could
either
create
a
buffer
or
facilitate
Communications.
A
lot
of
it
is
in
facilitating
Communications,
currently.
B
B
A
G
Rebuilding
Vince,
so
it
is
a
coordination
tool,
because
the
ideology
is
that
if
you
found
something-
and
you
didn't
want
to
report
it
directly
to
like
the
group-
for
whatever
reason
you
could
report
it
to
us
and
then
what
would
happen
if
I,
if
I
get
the
whole
perspective
correctly,
is
we
would
we
would
create
a
vulnerability
report?
Madison,
you
were
in
the
the
what's
Vince.
A
A
G
A
D
G
Status,
we
have
the
plan,
I
mean
pretty
much.
The
plan
is
at
this
point,
pretty
much
finalized,
because
I
spent
most
of
yesterday,
like
rewriting
it
and
and
touching
it
up.
Chrome
just
needs
to
go
in
there
and
put
it
all
together
to
present
it
to
the
attack,
but
but
yeah,
and
there
is
still
room
for
improvement
on
the
plan.
G
However,
I
think
that
a
big
portion
of
it,
like
it's
really
hard
to
establish
services
without
doing
like
the
first
part
of
like
actually
doing
a
survey
and
actually,
like
figuring
out
like
how
it's
gonna
all
work
and
that's
one
of
the
things
like
one
of
the
things
we've
discussed.
Is
it's
going
to
be
really
hard
to
have
a
cert
for
like
groups
that
we
don't
have
any
contact
with
or
that
we
just
don't
have
not
like
signed
up
for
the
cert
or
something
along
those
lines?
G
And
we
definitely
don't
want
to
create
a
another
situation
where
we're
going
to
add
another
party.
That's
just
reporting
something
else,
so
I
think
right
now,
where
the
plan
stands.
Is
that
section
one
is
the
majority
of
the
plan
and
section
two
which
is
like
creating
the
actual
services
and
whatnot
that
will
come
after
or.
G
G
G
G
It's
because
of
the
fact
that,
like
we
were
I
set
it
up,
I
did
a
demo
and
we
I
got
called
out
like
three
times
on
like,
but
it's
AWS
what
about?
If
you
want
to
self-deploy
and
it
was
like
well
yeah.
So
what
we
did
is
I'm
I
know
a
lot
of
JavaScript
people,
so
I
know
the
people
in
Super
Bass
they're
like
a
Firebase,
open
source
alternative.
So
basically
we
made
like
a
proof
of
concept,
because
it's
not
that
difficult
to
rebuild
but
I.
G
G
And
I
would
also
say
that
part
of
the
cert
is
actually
we
have
something
on
the
plan
called
the
security
buddy
training,
which
is
kind
of
like
in
essence,
build
your
own
cert
or
like
why
you
should
have
a
cert,
so
I'm
kind
of
hoping
that
that'll
be
like
a
course
that
we
can
even
use
SKF
on.
Maybe
so,
therefore,
like
you
know,
there's
like
a
centralized
place
where
you
can
go
to
learn
about
like
setting
up
your
own
cert
but
yeah.
A
G
We
follow
a
lot,
the
first
framework,
the
first
cert
framework,
if
you
will
and
there's
two
types
of
cert
there's
a
cert
and
a
p
cert
a
cert
for
my
understanding
is
more
of
like
a
corporation
thing,
because
you're
going
to
attract
the
whole
corporations
like
Network
and
all
their
usage.
A
psert
is
a
product
cert
that
can
be
set
up
by
pretty
much
anyone
and
even
as
an
open
source
project.
B
Yeah,
if
you
want
to
look
up
more
about
the
differences
between
pizza
and
seizerts,
you
can
look
at
some
of
the
stuff.
That
first
has,
if
that's
helpful,
there's
tons
of
information
about
this.
The
security
buddy
program
is
particularly
interesting,
so
I
I'm
definitely
going
to
read
the
RFC
and
we'll
definitely
be
giving
feedback.
Art
and
I
used
to
actually
teach
a
course
together
about
how
to
set
up
your
own,
how
to
set
up
your
own
pizza.
So
that's
great
I
love
this.
G
D
G
D
G
But
I,
just
think
in
your
presentation,
like
search,
should
definitely
be
something
that's
promoted,
because
I
think
that
that
could
be
a
very
big
deal
like
I,
actually
think
it
might
unify
some
people,
because
I'll
say
one
of
the
things
that
Mike
said
is
that
they
specifically
avoid
reporting
things
to
certain
projects,
just
because
certain
projects
are
extremely
hostile
and
they
like
just
want
to
fight.
So
that's
one
of
the
things
that
we're
going
to
try
to
alleviate
with
the
search
so
I
think
the
more
Vision
or
Focus
we
have
on
it.
G
And
then
we've
also
had
the
conversation
of
what
happens
when
the
maintainer
speaks
a
different
language,
because
that
was
actually
one
that
we
kind
of
used
an
example
of,
because
somebody
didn't
get
a
response
to,
because
the
maintainer
only
spoke
Mandarin
and
he
like
got
real
like
abrasive
like
started
just
cussing
and
being
like.
You,
don't
care
about
your
effing
project
and
a
bunch
of
stuff
and
yeah.
So
I
get
it.