C: I, speaking repressors, he made one of the other working group meetings, five minutes after and five minutes before.
A: All right, landlady called, sorry about that. We're trying to... we're having some electrical stuff done, including the doorbell; wires snapped, and, oh, I'm having my office for some reason... I've had my office circuit trip three times in the past three days, so I've been on meetings and, like, boom, the whole thing goes dead and...

A: And last time it happened, I had to... my desk lost its positioning, so I had to take my monitor, or my desktop, out from underneath the thing and put it over there and then unscrew something so the whole desk could go all the way down to its full depth and then come back up, because...

A: Needed to re-home what, what, like, ground was... yeah, it's a whole nightmare. Anywho. We seem to be having a very small turnout for this particular SIG, but in order for us to become an official SIG, all we need is to have at least two companies showing up to every single meeting, and we have three, if we count the Linux Foundation.

A: Meiji was in a customer call, so we'll see what happens there.
A: Okay, let me do the rest of these, mark them as non-present.

A: If you can mark yourself as present if you're here... let me make this a little bit darker so you can actually see your own name. If you are here, okay, and you...

D: My name is Mike Scovetta. I lead an open source security team at Microsoft and co-lead Alpha-Omega. Super interested in getting vulnerabilities fixed at scale, so...
C: I made one comment before: where was this section? Oh yeah, for the opt-out we talked about last time: if somebody does opt out, still assigning an ID.

A: Good question. A problem currently... well, okay, it's a couple different things. We could do Moderne...

A: You can provide all that information all at once, and the problem with that is that each repository can't get a unique message or a unique sort of thing, but because that was originally driven by the API, where you wanted a bulk operation via the... sorry, by the UI. There's no reason why we can't send, like, 4, 30, 30, 40, 50 pull requests we're going to generate...

A: You know, X number of unique commit jobs where each one has its own unique message, and then we can, theoretically, as we're generating the pull request, say, hey, this has been assigned this... by the way, this has been assigned this particular...

A: Identifier. Yeah, yes, good news: GitHub has an API for creating... or, sorry, yeah, GitHub has an API for GHSAs now. I've used it. It is not available until tomorrow; I got early access. I have permission from Kate to talk about it, Kate Catlin, so yeah, so she gave us... she gave me permission to talk about it. Specifically, so the functionality that it supports upfront is:
A: So it has support for listing all advisories in a repository that are... the repo maintainer can get all the triage, drafting, published, and then your GitHub user can only get the published advisories. Hello, Azeem. He's not joining.

A: There it is. Okay, if you could toss your attendance on the meeting notes, it will help us get quorum. Our requisite... yeah? It's fine! You can. You can add.

A: If you add yourself to the meeting notes, then it'll go towards our requisite requirement of how many meetings we need to have multiple vendors at in order for this to become an official SIG. Perfect. So: list all advisories in a repository, get a list of security advisories; list a single advisory in a repository; update a single security advisory in a repository with a PATCH call, which will let you update the information; and then, oh no, this POST, which is create an advisory in a repository, and then you can also specify credits, and there are webhooks for on-publish of a security advisory, and then, if a new private vulnerability is submitted, you can see there's webhooks for those things.

A: There will be support for adding comments, and it was indicated to me that there would not be support for adding collaborators initially, in the first pass. It would only support you opening it. The reason that I was thinking about my beautiful... is every one of these API calls goes against your API rate limit.

A: No... whatever, whatever, yeah, well, yeah, but you can't add another collaborator, so basically the person that opens the GHSA is the only person that can modify it, currently. Comments are coming. The ability to create a fork is coming as well.
A: So one of the problems that I also ran into, that I mentioned to Kate, is... so let me read this to you. So I'm running an autofix campaign at scale across open source. As long as I use the same exact branch name across all forks, when I force update and then open a pull request... you know, if a pull request is already open, it will just operate as an update instead of creating another duplicate PR.

A: Does that make sense? So basically it operates as a... because you're using the same branch as the key. The reason this works is because a deduplication key is a branch name. Thus, as long as the branch remains exactly the same, no duplicate PRs are created, except for there is a race condition bug in GitHub where I have actually ended up with two pull requests for one branch.

A: It's happened like three times in the past thousand pull requests I've generated. As such, no state needs to be remembered between campaign reruns. But now, with GHSAs needing to be created, and these keys are non-deterministically random values, as such, if you want to update the pull request every two weeks, you need to persist a mapping of repository to GHSA externally across campaign runs.

A: This might be a "yeah, just deal with it" problem, but it's kind of annoying, unless perhaps there's some way to shove it... I mean, the other thought that I had was, because you can list all GHSAs against a repository...

A: Theoretically, you could shove a... like, GitHub supports comments in the pull request header, and/or you can... sorry, you can put comments in Markdown that are not rendered, and so theoretically, in the description, you could put a Markdown comment that says "do not remove, used for tracking" and then throw an ID in there that's the campaign ID, and that will be the thing that you look up per repository to do the correlation, and so you end up faking a branch, but with a comment in the pull request.

D: Problem is, there you'd have to list every... you have to list everything and then look to see which one... like, there's no search by, right?

A: But there's very few GHSAs per repository, so you're... but you are doing an extra GET request per submission, instead of being able to just modify an existing campaign you already know is present. It's a trade-off between the overhead and complication of persisting versus the downside of hitting the GitHub rate limiter again.
A: Now that Manoir is here... Azeem, do you want to introduce yourself real fast? Oh, he's reconnecting. He's forked himself. He forked yourself, Azeem.

F: No, I had to rejoin because my mic wasn't working, so I hope you guys can hear me now. I had a quick question on the GitHub API limits thing. Did you ever consider having a GitHub app specifically for this, like an Alpha-Omega app or anything of the sort, because that's also a way for projects to show that they are actively, you know, signing up for getting these PRs, and it'll also help you get away with the API limits.

A: That is a thought. The problem with using a GitHub app is that we're integrating with Moderne, and Moderne has its own API GitHub app, and I don't know if you can re... I don't know if I can use that token. It's an API... like, you basically hand Moderne an API token and say, here, use this API token to do things for you, and I don't know if you can give it another app's API token to do that.

F: Right. I mean, we could also have the fallback option of, like, hey, if you, you know, specifically opt in, you probably have some extra features, and if you don't, we can fall back on the default rate limiting. In my interactions with the GitHub API, I know that it's not too difficult to move between a regular app token and, you know, a GitHub app token. So if we have someone on Moderne, it might be worth considering asking them, like, you know, if they're compatible with app tokens.

A: We, you know... so I think that if people want to use particular Moderne campaigns, right, they could potentially sign in and register an account there and set up what campaigns they want to run, when that's supported.

A: That's a thought, yeah, that is... but I hear what you're saying, where maybe some sort of opt-in mechanism where... I mean, we're not a company, so we're not offering a service, but most of the time you see this, like Codecov, right? You sign up, you accept your organization into it or whatever, right? That's how this thing operates normally.
A: It's not the rate limit in particular that you run into... so you're saying GitHub... that's the GitHub app rate limit.

A: So for every pull request it requires three API calls. It requires an API call to fork... sorry, I have this in my documentation. The first one is to fork the repository.

A: Okay, so it's three API calls per, and then additionally, if we're adding GHSAs into the flow, it's one to get... if the repository is... so then you've got one to say, is there an existing GHSA that's already there? If it is, grab it. The second one is to create it if it's not, and then... so then you've got the fork and the push.

F: So I think the question is... I mean, I think the secondary rate limits are something we hit with Scorecard too, and there's no way around it. So the question is: how quickly do we want to roll out these campaigns, right? Is there a requirement? Could we roll it out over a few days, maybe? Like, do we lose anything by slowing this down?

A: Like, you know, from start to end, if it can take... if we can get it under six hours per run, that's ideal. Otherwise, I gotta start bringing it up into, you know... So my current plan is to run these campaigns at six p.m. every weekday.

A: The problem is that as soon as I use my GitHub account to do this, I essentially stopped being able to use my GitHub account, because it runs against my rate limit, and so I... you know.

A: That's another conversation. That's in this document, right? That's another part. So part of this specification, and one of the documentation points, is that there's an expectation that you use a real person account, that it's actually an actual GitHub account that's being used and maintained for this work. It has to represent a true person, because of the social impact of it.
F: I mean, this is a side comment in terms of the social impact. I think it might be worth considering talking to Dustin Ingram; he's on the GOSST team at Google. They actually did something similar, where they went out to try and fix some of these vulnerabilities. I think we should be cautious of how badly people respond if there is a bot, you know, making PRs, because they'll be like, this is spam, right? So, yeah, I mean...

F: I think that's a side note, but in terms of the API rate limits, I'm curious to know: is there a reason we want to use GitHub Actions? Is it because it's easy? Is that something we can just quickly spin up a GKE cluster for?

A: I mean, yeah, we could run... we can run the script somewhere else. It's just that the best place for me to launch this thing, where I had something that would run on a scheduled basis, is, you know, GitHub Actions. I don't particularly care where it runs. I just want to be able to configure it from a repository.

A: Yeah, I mean, eventually this'll all run within the Omega triage portal.

A: Yep, and also, again, another high level, even beyond all this, is the goal of this working group is to come out with a set of recommendations for how to do this work so that anybody else can implement it, even if they're not working within the Alpha-Omega ecosystem.

A: I don't know if you've seen this yet, Azeem: there's a document that I've been working on as a part of this SIG called the OpenSSF Compliant Automated Vulnerability Fix Campaign, which defines what it means to be a campaign that is compliant with this specification. The goal is to basically say this is a set of constraints under which anyone wanting to do this work, no matter what technology stack they're using, is compliant with what the OpenSSF suggests.

F: Yeah, I just saw the link for it now. I've just had a brief look at it, but I'll take a look at it.
A: Did you see, Michael... did you see Xavier's suggestion under 2, mandatory private disclosure? Right now he said... so I had to scratch out the whole thing about the top 10,000 critical open source projects, because... I said this before, but for those people that didn't catch this before, I didn't realize the top 10,000 critical projects list was, first off, unordered and, second off, not owned by the Critical Projects working group.

A: It's an Alpha-Omega list, and so the primary thing is, because it's unordered, there is no top 10 within the top ten thousand. It's just on the list or off the list, and so my proposal was that we can scratch that and come up with something different. Xavier's perspective, or suggestion, was this: the policy being, before going public with this campaign, you must disclose privately, via coordinated disclosure, to the set of projects for which exploitation in the wild could have significant consequences.

A: You should assess what this set is on a case-by-case basis and use your judgment to find the right balance between manual work and your automated campaign.

D: The last step on the ladder is, you know, full disclosure through a public pull request, and I'm hoping to minimize that to the smallest degree possible, but I recognize that that will exist.

F: So maybe... Michael, do you mind giving me a summary of what Xavier said? Is it that we need to reach out to them to say, hey, do you agree to be part of the campaign? Is that what...

A: It is... no, no. So the exact wording for the protocol step of mandatory private disclosure, the exact wording he's proposing, is: before going public with this campaign, you must disclose privately, by coordinated disclosure, to the set of projects for which exploitation in the wild would have significant consequences.

A: You should assess what this set is on a case-by-case basis and use your judgment to find the right balance between this manual work and your automated campaign. That's the wording he's proposing for the requirement of mandatory private disclosure.
D: But we're also... okay, so here's the negative scenario of this: somebody drops something on Twitter and says, hey, look, zlib, or pick a popular library, so easy to crash or exploit or RCE or whatever. People go, guys, like, did you disclose this? And they're like, I didn't think it was a big deal.

D: Like, do we need more of a guardrail there? And I guess what I'm... you know, it's... so I think... I'm sure, if it was you, Jonathan, or you... somebody put together that kind of flowchart, which I really, really liked. I'm looking for, as...

D: Well, but if it's a... the way I would describe it is... so the premise is this isn't one vulnerability. It's like you have a thousand of these in a thousand different repositories, and you're not familiar with any of them. There's no shortcuts for you. So for each of these thousands, if they support private vulnerability disclosure, disclose it that way. If they don't... let me talk about this. You know, open up an issue saying, hey, I found a serious security issue.

D: If I don't hear from you in 35 days, or 25, whatever, then I will open up a public pull request. And that way it's minimal work for the maintainer, because that's a one-time kind of workflow config, but it also gives the maintainer two opportunities to receive it privately, and if they ignore the issue and don't have private vulnerability reporting enabled, then, like, there's no other... I mean, other than parsing out SECURITY.md files for contacts, and... now it's manual at that point.

A: So there's two concerns that I have. The first one is things don't exist yet. Second concern that I have is, by expecting a flow of "you must open an issue, then you must wait for a response, then you must write your..." you're taking a campaign that could be a one-off run for an individual, right, and turning it into something that, in order to automate, you must have long-running automation that is observed, that is not just a single cut point in time.

A: So I see what you're saying as a value, but are we, by requiring additional steps like that, raising the bar to the point where it is almost impossible for someone else to duplicate these efforts unless they use our tooling? And if that is the case, is that okay? Like, is that something we want? Or do we...
D: I would love it if you could just share a Google Doc with a GitHub account, and then you post a link, a private link, that the maintainer can click on, gets authed in, can view the doc, but nobody else can. Like, that's kind of... you want huntr.dev. I want huntr.dev, yeah. Obviously, I think that, in a lot of ways, solves this particular issue.

A: No, but what we're proposing is setting a set of policies, and we need to set those policies... you set a baseline at least, and we can do it better than that. But this is what we define as the Open Source Security Foundation best practice policy, or actually it's a specification. So you're compliant with the specification or not.

C: And so, just to kind of recap my perspective on this: the idea is, if you follow this policy, you can put the OpenSSF name on it, so that you have more backing, or it looks more legit coming in for maintainers. Yes. So the requirement should be the baseline to not cause problems for the OpenSSF if somebody uses their name to do a bulk campaign like this. Correct.

D: And also I think, as a policy, you know, the policy versus process. So the underlying, like, great, I need to report privately to GitHub. What does that mean in GitHub? It means this little sub-workflow. I had... Bitbucket, I have just a website and an email address. Everything else there could be different, and we could actually say, you know what, we can't automate the random person's website with, you know, just...

A: One final wrench is... so are we... is the group leaning towards stating that the baseline is to require an attempt at private vulnerability disclosure? Michael, that seems to be what you're aiming for. Does anybody have any other opinions?
A: I have another question: how upset will maintainers be if, as a part of this, they find out that what we've disclosed in an automated way is not a vulnerability, but it's just a... it's just a security hardening? Now you've falsely flagged it into something that they needed to be more serious about, or, because it looks like it's getting merged from a GHSA, it looks like a security issue, but is now, they determine, not a security issue.

D: I mean, if we're submitting... if we, or anybody else, are submitting kind of garbage vulnerabilities, I would expect that they would push back on that.

D: So, and we can say, you know, sorry, we're not perfect, thanks for helping us get better. I think that's okay, I mean. If all of our stuff is garbage, then that's a completely different story; we shouldn't be doing it. But...

A: Okay, final question: what do we do if there are projects that, for example... there are certain Apache Software Foundation projects that don't use GitHub Issues for issue tracking; they use Jira. How do we handle this flow for projects that have intentionally disabled issues for a repository?

D: It's a terrible solution. Yeah, I... Apache is special in some way. Are there lots of others like Apache, though, or can we just solve for Apache as a one-off?

D: Yeah, how about this? Let's try to handle those manually for the first three months, see how it is. If we have to do those, you know, three times in three months, then it's probably not a big deal. If we have to do them 200 times in three months, then it's not sustainable, and we need to think.

E: But as Michael said, it's empirical evidence of, like, in the three months, do you encounter it three times or 200 times? If you encounter it 200 times, then eventually you'll automate it, but for now, since the idea is to do it manually, or see how it goes, how it pans out, then, if you have access to the... like, if you have the capability of filing Jira issues, issue tickets, then you can just go ahead and do that. How...
A: ...enabled, and you can reasonably determine that this project is not... so, like, this ties in to 2, right, mandatory private disclosure: if widespread exploitation of that project is not relevant, then just do a pull request, and say, hey, in the future, if you don't want to get this via a pull request, turn on private vulnerability disclosure.

D: Got it. So there's no technical reason why any GitHub repository could not enable it, but because it is opt-in, like, we all know what that does. But over time, I expect that number to only increase, and we should have a kind of a... I think an OpenSSF campaign to, hey, turn on private vulnerability reporting would be great, from, you know, using our kind of pulpit.

F: To... right, to do that. Yeah, so good. You know, please... like, I guess my point is, since I'm assuming we are writing this, you know, policy for the person who's actually going to be disclosing the vulnerability, right? So should we be writing the policy to say, you know, if you have means to disclose this or message this in an automated way, then it is a requirement on you, else...

F: I mean, it's more of a recommendation, and it's basically optional, because... yeah, I mean, I think it's still pretty new, so I don't know how difficult it's going to be for somebody to, you know, go and do this manually, if they have to even do it. Yeah.

E: So I just had a quick question. The APIs are going to be available tomorrow, as in tomorrow in the future, or tomorrow as in tomorrow, tomorrow?

A: As in tomorrow. Kate Catlin... the reason that they're not up today is because GitHub's merge queue got backed up.

A: Get all security advisories against a repository: for repo maintainers, triage, draft, and published; for anybody else, only published security advisories. And then you can get a security advisory, get a specific security advisory from the ID. You can patch a security advisory by putting a PATCH request against that API, and then POSTs will create an advisory in a repository, and then you can set credits, and then there's also webhooks.

A: So the webhooks that it'll support are on publish of a security advisory, and if a new private vulnerability report is submitted, so it enters the triage state. That's for maintainers.
D: I just had a random thought, going back to, like, your kind of traditional way of doing this, where you create the GHSA in your account, give the maintainer access to that. Would it... is there, like...

A: There's no API currently to give you a list of all of the maintainers for a repository, because it creates a channel by which maintainers can get spammed. You can tell whether or not a maintainer is a maintainer of a project by looking at the GitHub issues and seeing the tag that shows up on their name, but I don't know if that's available by the API or not. So the way that... I don't know what heuristic huntr.dev is using to determine which projects are maintained, or what.

F: I think there is such an API, but it probably needs much higher scopes, like maybe admin scope or something, like an org admin should be able to... oh.

D: Okay, so come back to this. So this URL here, and I... now we're... I'm sorry to take us down the rabbit hole, but, like, so api.github.com/repos/madler... the full name of it is madler/zlib, the owner login is madler, and the type of that owner is a user.

A: I don't... I mean, if I... let me look at this real fast.

A: So there's something like thirty thousand. Okay, so Apache: there are 1011 Apache Software Foundation repositories, but Foundation is 208. Okay, Google has 181, Gradle has 53, Microsoft 131, Spring 103.

A: These are... let's see, 21 US Government, WildFly 15, out of 31,000.

A: But you're saying... so what your proposal, I presume, is: we fork the repository, we enable private vulnerability reporting, we use our fork as the source of the private vulnerability report, and put the report there, and invite the upstream maintainer's account to it.
D: Either that, or use the... I don't know if this is even possible, but you use the GHSA, like you have your own repo. You create a new GHSA as a way to make a private message, so you say, hey folks.

D: Here are the details of the thing. Grant the owner of the other one access to it; they'll get the notification, and, with the assumption that they will publish their own advisory, but now you've communicated with them privately.

D: The vessel with the pestle, yeah, I...

A: Have actually... so one of the things that I ran into that is a real issue is that you can't... if you have two repositories that both originate from the same fork... so you have a fork, you have A, and A depends upon B.

A: GitHub doesn't let you fork A and B, so what it can... so, basically, you can't generate... if you've got two main projects, like one of them that might be slightly ahead or behind, and you want to generate a security fix against both of them, you've either got to normalize that central repository against both of them and do two different pull requests from that central repository, and that seems like a nightmare, or generate the second pull request from another organization.

A: Oh, also, one of the things that I've told people in this... this is something that I cover in... I don't know if I cover this in my doc. All the forks that I've been generating for pull requests come from an organization instead of a repository. Problem with that, that I just found out as a recent thing: apparently pull requests originating from organizations...

A: ...don't support enabling "allow edits from maintainers". I heard somewhere that that was disabled because, if a maintainer can make a change to an organization account, I presume that they can push a change to a repository, or to that branch, and then force credentials out of that organization via a custom GitHub Action.
A: No, like, I think that checkbox doesn't work when the pull request originates from an organization, which means that either you generate the pull request from your personal account, which means your personal account gets bloated with a billion forks, which I have done. I have almost a thousand forks against my... I have a thousand repositories plus against my GitHub account, and then I stopped doing that and started generating the forks against an organization instead, so they go away, and... or somewhere else, yeah.

E: ...check on that. I don't remember; it's probably because we were doing it only for a small... I mean, compared to the scale that you are doing it, it's on a much smaller scale, and that goes for the POC. So that's why I think it was mostly done, like, yeah, not on the organizations, but I have to check. Okay.

D: I think it's ready for, like, broader use and comment. I mean, it's not widely used yet, but I think that's just... there's just new, you know, elbow grease to get the word out and get organizations to start adopting it. I'm certainly going to start advocating for it.

A: There is... so two things. One, we want to add it... we wanted to add a specification field on that thing to determine, like... and so. The current way that I've been allowing people to opt out is via a dot... gh.robots.txt file they drop in their .github repository, and if we can instead encourage opting in, opting out, primarily opting out, via requiring that file to be present, then it'll force some level of adoption, even if they're opting out, which would be kind of sad but also positive at the same time. I...

D: Yep, I think that would be great, and having that... it was just "accepts pull requests: true or false". Yeah.

D: I'm okay with that. I'll take a look at the PR in the Security Insights spec. Please.

A: Do... can you post that in the autofix... yeah, I'll post it there too. Yep, all right, all right? Thank you all for coming. Thank you. See you in two weeks. Yeah, hey.