►
B
B
B
E
E
D
B
E
C
A
All
right,
landlady
called
sorry
about
that
we're
trying
to
we're
having
some
electrical
stuff
done,
including
doorbell,
wires
snapped
and
oh
I'm
having
my
office
for
some
reason.
I've
had
my
office
circuit
prep
three
times
in
the
past
three
days,
so
I've
been
on
meetings
and
like
Boom.
The
whole
thing
goes
dead
and.
A
A
C
A
Needed
to
re-home
what
what
like
ground
was
yeah,
it's
a
whole
nightmare
anywho.
We
seem
to
be
having
a
very
small
turnout
for
this.
This
particular
Sig,
but
in
order
for
us
to
become
an
official
Sig,
all
we
need
is
to
have
at
least
two
companies
showing
up
to
every
single
meeting,
and
we
have
three.
If
we
count
the
Linux
Foundation.
A
A
F
A
B
B
C
A
A
You
can
provide
all
that
information
all
at
once
and
the
problem
with
that
is
that,
like
each
repository
can't
get
like
a
unique
message
or
a
unique
sort
of
thing,
but
because
that
was
driven
that
was
originally
driven
by
the
API,
where
you
wanted
a
bulk,
an
operation
via
the
Sorry
by
the
UI.
There's,
no
reason
why
we
can't
send
like
4,
30,
30,
40
50
pull
requests
we're
going
to
generate
generate.
A
A
Identifier,
yeah,
yes,
good
news,
GitHub
has
an
API
for
creating
or
sorry
yeah
GitHub
has
an
API
for
ghsas.
Now
I've
used
it.
It
is
not
available
until
tomorrow,
I
got
Early.
Access
I
have
permission
from
Kate
to
talk
about
it,
ik
Catelyn,
so
yeah,
so
she
she
gave
us.
She
gave
me
permission
to
talk
about
it.
Specifically,
we
so
the
functionality
that
supports
upfront
is.
C
C
A
A
There
will
be
support
for
adding
comments,
and
it
was
indicated
to
me
that
there
would
not
be
support
for
adding
collaborators
initially
in
the
first
pass.
It
would
only
support
you
opening
it.
The
reason
that
I
was
thinking
about
my
beautiful
is
every
one
of
these
API
calls
goes
against
your
API
rate
limit.
A
A
A
So
one
of
the
problems
that
I
also
ran
into
that
I
mentioned
to
Kate
is
so.
Let
me
read
this
to
you
so
I'm
running
an
autofix
campaign
at
scale
across
open
source
as
long
as
I
use
the
same
exact
Branch
name
across
all
Forks,
when
I
force
update,
then
an
open
pool
and
then
open
a
polar
request.
You
know,
pull
request
is
already
open.
It
will
just
operate
as
an
update
instead
of
creating
another
duplicate.
Pr.
A
Does
that
make
sense?
So
basically
it
operates
as
a
because
you're
using
the
same
Branch
as
the
key.
The
reason
this
works
is
because
a
duplication,
key
is
a
branch
name.
Thus,
as
long
as
the
branch
remains
exactly
the
same,
no
duplicate
PRS
are
created,
except
for
there
is
a
race
condition
bug
in
GitHub,
where
I
have
actually
had
ended
up
with
two
polar
requests
for
one
branch.
A
It's
happened
like
three
times
in
the
past
thousand
polar
price
I've
generated
as
such.
No
State
needs
to
be
remembered
between
campaign
reruns,
but
now
with
ghsas
needing
to
be
created,
and
these
keys
are
non-deterministically
random
values
as
such.
If
you
want
to
update
the
pull
request,
every
two
weeks
you
need
to
persist.
A
mapping
of
repository
GHSA
externally
across
run
campaign
runs.
A
A
A
But
there's
very
there's
very
few
ghsas
per
repository,
so
you're,
but
you
are
doing
an
extra
get
request.
Her
submission,
instead
of
being
able
to
just
modify
an
existing
campaign,
you
already
know
is
present
it's
it's
a
trade-off
between
the
overhead
and
complication
of
persisting
versus
the
downside
of
hitting
the
GitHub
rate
limiter
again.
E
A
F
No
I
I
had
to
rejoin
because
my
mic
wasn't
working
so
I
I
hope
you
guys
can
hear
me
now.
I
had
a
quick
question
on
the
GitHub
API
limits
thing.
Did
you
did
you
ever
consider
like
having
a
like
a
GitHub
app
specifically
for
this,
like
a
alpha,
omega,
app
or
anything
of
the
site,
because
that's
also
a
way
for
projects
to
show
that
they
are
actively
you
know
signing
in
for
getting
these
PRS
and
it'll
also
help
you
get
away
with
the
API
limits.
A
That
is
a
thought.
The
problem
with
using
a
GitHub
app
is
that
we're
integrating
with
modern
and
modern
has
its
own
API,
GitHub,
app
and
I.
Don't
know
if
you
can
re
I,
don't
know
if
I
can
use.
That
token
is
an
API
like
you
basically
you
hand,
modern,
an
API
token
and
say
here,
use
this
API
token
to
do
things
for
you
and
I,
don't
know
if
you
can
give
it
another
apps
API
token
to
do
that.
F
Right
I
mean
we
could
also
have
the
fallback
option
of
like
hey
like
if
you
you
know
specifically
or
come
in
you.
You
probably
have
some
extra
features
and
if
you
don't,
we
can
fall
back
on
the
default
rate.
Limiting
my
interactions
with
GitHub
API
I
I
know
that
it's
not
too
difficult
to
move
between
a
regular
app
token,
and
you
know
GitHub
app
token.
So
if
we
have
someone
on
mode
and
might
be
worth
considering
asking
them
like,
you
know,
if
they're
compatible
with
app
tokens.
A
A
That's
a
thought,
yeah
that
that
is
but
I
hear
I
hear
what
you're
saying
where
maybe
some
sort
of
opt-in
mechanism
where
you,
where
I,
mean
we're
not
a
company,
so
we're
not
offering
a
service,
but
most
most
of
the
time.
You
see
this
like
code,
cuff
right,
you
sign
you,
you
accept
your
organization
into
it
or
whatever
right
like
those.
That's
that's
how
this
thing
operates.
Normally,.
D
A
D
A
A
A
Okay,
so
it's
three
three
API
it's
three
API
calls
per
and
then
additionally,
if
we're
adding
ghsas
into
the
flow,
it's
one
to
get
if
the
G,
if
the
repository
is
so,
then
you've
got
one
to
say,
is
there
an
existing
GHSA?
That's
already
there
if
it
is
grab
it?
The
second
one
is
to
create
it.
If
it's
not
and
then
the
F.
So
then
you
got
the
fork
and
the
push.
D
A
F
So
I
think
the
question
is
I
mean
I.
Think
the
secondary
rate
limits
are
something
we
hit
with
scorecard
to
and
there's
no
way
around
it.
So
the
question
is:
how
quickly
do
we
want
to
roll
out
these
campaigns
right
like?
Is
there
a
requirement?
Could
we
roll
it
out
for
a
few
days?
Maybe
right
like
do
we
lose
anything
by
slowing
this
down.
A
A
A
B
A
That's
another
conversation.
That's
in
this
document
right,
that's
another!
That's
another!
One
part,
so
part
of
this
specification
and
part
of
one
of
the
documentation
points
is
that
there's
an
expectation
that
you
use
a
real
person
account,
but
it's
actually
an
accurate
like
an
actual
GitHub
account,
that's
being
used
and
maintained
for
this
work
like
it
has
to
represent
a
true
person
because
of
the
social
impact
of
it.
F
A
F
I
mean
this
is
a
side
comment
in
terms
of
the
social
impact.
I
I
think
might
be
worth
considering
talking
to
Dustin
Ingram
on
on
the
like
he's
he's
on
the
ghost
team
at
Google,
so
they
actually
did
something
similar
where
they,
you
know
they
went
out
at
to
try
and
fix
some
of
these
vulnerities
I
think
we
should
be
cautious
of
how
badly
people
respond.
If,
like
there
is
a
bot,
you
know
making
PRS
because
they'll
they'll
be
like
this
is
Spam
right,
so
yeah
I
mean
I
I.
F
A
Mean
yeah
we
could
run,
we
can
run
the
script
somewhere
else,
I,
just
the
the
best
place
for
me
to
launch
this
thing,
where
I
had
a
a
something
that
would
run
on
a
scheduled
basis
is,
is
you
know,
get
of
actions?
I,
don't
I,
don't
particularly
kit
where
it
runs.
I
just
I
just
want
to
be
able
to
configure
it
from
a
repository.
E
A
A
F
B
A
Did
you
see
Michael?
Did
you
see
Xavier's
suggestion
under
two
mandatory
private
disclosure
right
now
he
said
so.
I
had
to
scratch
out
the
whole
thing
about
the
top
10
000
critical,
open
source
projects,
because
I
said
this
before,
but
for
those
people
that
didn't
catch
this
before
I
didn't
realize
the
top
10
000
critical
projects
list
was
first
off
unordered
and
second
off
not
owned
by
the
critical
projects
working
group.
A
It's
an
alpha
omega
list,
and
so
the
primary
thing
is
because
it's
unordered
there
is
no
top
10
within
the
top
ten
thousand.
There
is
just
it's
on
the
list
or
off
the
list,
and
so
my
proposal
was
that
we
can
that
and
come
up
with
something
different
Xavier's
perspective
or
suggestion.
Was
this
the
policy
being
before
going
public
with
this
camp?
With
this
campaign
you
must
disclose
privately
a
coordinated
disclosure
to
set
to
the
set
of
projects
for
which
exploitation
in
the
wild
could
be
a
significa
could
have
significant
consequences.
D
A
F
A
It
is
no,
no,
so
the
exact
wording
for
the
press
for
the
protocol
step
of
mandatory
private
disclosure.
The
exact
wording
he's
proposing
is
before
going
public.
With
with
this
campaign,
you
must
disclose
privately
by
coordinator
disclosure
to
the
set
of
projects
for
which
the
which
exploitation
in
the
wild
would
have
significant
consequences.
A
A
C
E
D
But
we're
also
okay,
so
so
so
here's
the
the
negative
scenario
of
this
is
somebody
dropped
something
on
Twitter
and
says:
Hey,
look
z-lib
or
pick
a
popular
Library,
so
easy
to
crash
or
exploit
or
rce
or
whatever
people
got
guys
like.
Did
you
disclose
this
and
they're
like
I,
didn't
think
it
was
a
big
deal?
F
D
D
Well,
but
but
if
it's
a
the
way
I
would
describe,
it
is
so
so
the
premise
is
this:
isn't
one
vulnerability?
It's
like
you
have
a
thousand
of
these
and
a
thousand
different
repositories
and
you're
you're
not
familiar
with
any
of
them.
There's
no
like
shortcuts
for
you,
so
for
each
of
these,
thousands,
if
they
support
private
vulnerability
disclosure,
disclose
it
that
way.
If
they
don't.
Let
me
talk
about
this.
You
know
open
up
an
issue
saying:
hey
I
found
a
secure,
a
serious
security
issue.
D
A
C
A
So
there's
two
concerns
that
I
have
the
first
one
is
things
don't
exist
yet?
Second
concern
that
I
have
is
by
expecting
a
flow
of.
You
must
open
an
issue.
Then
you
must
wait
for
a
response.
Then
you
must
write
your
your
taking
a
campaign
that
could
be
a
one-off
run
for
an
individual
right
and
turning
it
into
a
something
that,
in
order
to
automate,
you
must
have
long
running
automation
that
is
observed.
That
is,
that
is
not
just
single
cut
point
in
time.
A
So
I
I
see
what
you're
saying
as
a
as
a
as
a
value,
but
are
we
by
requiring
additional
steps
like
that,
raising
the
bar
to
the
point
where
it
is
almost
impossible
for
someone
else
to
duplicate
these
efforts
unless
they
use
our
tooling
or,
and
if
that
is
the
case,
is
that
okay,
like?
Is
that
something
we
want?
Or
do
we
do?
A
D
I
would
love
if
you
could
just
share
a
Google
doc
with
a
GitHub
account,
and
then
you
post
a
link,
a
private
link
to
that
the
the
maintainer
can.
Click
on
the
link
gets
offed
in
can
view
the
doc,
but
nobody
else
can,
like
that's
kind
of
you-
want
Hunter
Dev
I
want
Hunter,
Dev
yeah.
Obviously,
I
think
that
that
that,
in
a
lot
of
ways
solves
this
particular
issue.
A
No,
but
we
what
we,
what
you're,
what
we're
proposing
is
setting
a
set
of
policies
and
we
need
to
set
those
policies
when
you
set
a
baseline
at
least,
and
we
can
do
it
better
than
that.
But
but
this
is
what
we
Define
as
the
open
source,
security,
Foundation,
best
practice
policy,
or
actually
it's
a
specification.
So
it's
Gru
compliant
with
the
specification
or
not.
C
And
so
just
kind
of
recap
my
perspective
on
this,
so
the
idea
is:
if
you
follow
this
policy,
you
can
put
the
ossf
name
on
it
so
that
you
have
more
backing
or
looks
more
legit
coming
in
for
maintainers.
Yes,
so
the
requirement
should
be
the
Baseline
to
not
cause
problems
for
the
ossf.
If
somebody
uses
their
name
to
do
a
polk
campaign
like
this
correct.
C
D
And
also
I
think
as
a
policy,
you
know
I
I,
the
policy
versus
process,
so
so
the
the
underlying,
like
great
I,
need
to
report
privately
to
GitHub.
What
does
that
mean
in
GitHub?
It
means
it
means
you
know.
Actually
it
means
this
little
sub
workflow
I
had
I
bitbuck,
it
I
have
just
a
website
and
an
email
address
I
like
everything
else.
There
could
be
different
and
we
could
actually
say
that
you
know
what
we
can't
automate.
The
random
person's
website
with
you
know
just.
F
F
A
A
A
I
have
another
question:
how
upset
will
be?
How
will
how
upset
will
maintainers
be
if,
as
a
part
of
this,
they
find
out
that
what
we've
disclosed
in
an
automated
way
is
not
a
vulnerability,
but
it's
just
a
bone.
It's
just
a
security
hardening
now
you've
falsely
flagged
into
something
that
they
needed
to
be
more
serious
about
or
because
it
looks
like
it's
getting
merged
from
a
GHSA
looks
like
a
security
issue,
but
is
now
they
determine
not
a
security
issue.
A
D
D
A
D
D
Yeah,
how
about
this?
Let's
try
to
handle
those
manually
for
the
first
three
months,
see
how
it
is
if
it.
If
we,
if
we
have
to
do
those
you
know
three
times
in
three
months,
then
it's
probably
not
a
big
deal.
If
we
have
to
do
them
200
times
in
three
months,
then
it's
not
sustainable,
and
we
need
to
thank.
D
E
E
But
as
Michael
said,
it's
an
empirical
evidence
of
like
in
the
three
months,
do
you
encounter
it
three
times
or
200
times?
If
you
encountered
200
times,
then
eventually
you'll
automate
it,
but
for
now,
since
the
idea
is
to
do
do
it
manually
for
or
see
like
how
it
goes,
how
it
pans
out,
then,
if
you
have
access
to
the
like,
if
you
have
the
capability
of
filing
jira
issues
issue
tickets,
then
you
can
just
go
ahead
and
do
that.
How.
A
Enabled-
and
you
can
reasonably
determine
that
this
project
is
not
so
like
this
ties
in
a
two
right:
mandatory
private
disclosure-
if
it,
if
widespread
it
would
exploitation
of
that
project
is
not
relevant,
then
just
do
a
pull
request
and
saying
hey
in
the
future.
If
you
don't
want
to
get
this
viable
request,
turn
on
private
vulnerability,
disclosure.
F
D
Got
it
so
there's
no
there's,
no
technical
reason
why
any
GitHub
repository
could
not
enable
it,
but
because
it
is
opt
in
like
it
like.
We
all
know
what
that.
What
that
that
that
that
does,
but
over
time,
like
I,
expect
that
number
to
only
increase,
and
we
should
have
a
kind
of
a
I
think.
An
open,
ssf
campaign
to
hey
turn
on
private
vulnerable
reporting
would
be
would
be
great
from
you
know,
using
our
kind
of
Pulpit.
F
To
right
to
do
that,
yeah
so
good!
You
know
please
like
I
guess
my
point
is
since
I'm
assuming
we
are
writing
this.
You
know
policy
for
the
person
who's
actually
going
to
be
disclosing
the
vulnerability
right.
So
should
we
be
writing
the
policy
to
say
you
know
if
you
have
means
to,
you
know,
disclose
this
or
message
this
in
an
automated
way.
Then
it
is
a
requirement
on
you
else.
F
E
A
A
A
Get
all
security
advisories
against
a
repository
for
repo
maintainers
triage
draft
and
published
for
anybody
else,
only
published
security
advisories,
and
then
you
can
get
a
security
advisory,
get
a
specific
security
advisory
from
the
ID.
You
can
patch
a
security
advisory
by
putting
a
patch
request
against
that
API
and
then
posts
will
create
an
advisory
in
a
repository,
and
then
you
can
set
credits
and
then
there's
also
web
hooks.
A
D
A
There's
no
API
currently
to
give
you
a
list
of
all
of
the
maintainers
for
a
repository
because
it
creates
a
channel
by
which
maintainers
can
get
spammed.
You
can
tell
whether
or
not
a
pro
a
maintainer
is
a
maintainer
of
a
project
by
looking
at
the
GitHub
issues
and
seeing
the
tag
that
shows
up
on
their
name
but
I,
don't
know
if
that's
available
by
by
the
API
or
not
so
the
the
way
that
I
I
don't
know
what
heuristic
Hunter
Dev
is
using
to
determine
which
projects
are
maintain
or
what?
A
B
F
A
A
A
D
D
B
A
A
D
D
A
A
A
You
GitHub
doesn't
let
you
Fork
Fork,
A
and
B,
so
what
it
can.
So,
basically,
you
can't
generate
if
you've
got
two
main
projects
like
one
of
them
that
might
be
slightly
ahead
or
behind,
and
you
want
to
generate
a
security
effects
against
both
of
them.
You've
either
got
to
normalize
that
Central
repository
against
both
of
them
and
do
do
two
different
pull
requests
from
that
Central
repository
and
that
seems
like
a
nightmare
or
generate
the
second
pull
request
from
another
organization.
D
A
Oh
also,
one
of
the
things
that
I've
told
people
in
this
is
something
that
I
cover
in
I.
Don't
know
if
I
cover
this
in
my
job,
all
the
forks
that
I've
been
generating
for
pull
requests
come
from
an
organization
instead
of
a
repository
problem
with
that
that
I
just
found
out
as
a
recent
thing,
apparently
pull
requests
originating
from
organizations.
A
Don't
support
enabling
allow
allow
edits
from
maintainers
I
heard
somewhere
that
that
was
disabled,
because
if
a
maintainer
is
if
a
maintainer
can
make
a
change
to
an
organization,
account
I
presume
that
they
can
push
a
change
to
a
repository
or
to
that
branch
and
then
Force
credentials
out
of
that
organization
via
a
custom.
Get
of
action.
A
B
A
No,
like
I,
think
that
checkbox
doesn't
work
when
the
pull
request
originates
from
an
organization
which
means
that
either
you
generate
the
pull
request
from
your
personal
account,
which
means
your
personal
account
gets
bloated
with
a
billion
Forks
which
I
have
done.
I
have
almost
a
thousand
Forks
against
my
I,
have
a
thousand
repositories
plus
against
my
GitHub
organ,
my
GitHub
account
and
then
I
stopped
doing
that
and
started
generating
the
forks
against
an
organization
instead,
so
they
go
away
and
or
somewhere
else,
yeah.
A
E
Check
on
that
I
I,
don't
remember
it's
probably
because
we
were
doing
it
only
for
a
small
I
mean
compared
to
the
scale
that
you
are
doing
it.
It's
it's
on
a
much
smaller
scale,
and
that
goes
for
the
POC.
So
that's
that's.
Why
I
think
it
was
mostly
done
like
yeah,
not
on
the
organizations,
but
I
I
have
to
check
okay.
A
D
A
It
there
is
so
two
things
one,
we
want
to
add
it.
We
wanted
to
add
a
specification
field
on
that
thing
to
determine
like,
and
so
so.
The
current
way
that
I've
been
allowing
people
to
opt
out
is
via
a
DOT
or
gh.robots.txt
file.
They
drop
in
their
dot,
get
a
repository,
and
if
we
can
instead
encourage
opting
in
opting
out
primarily
opting
out
via
requiring
that
file
to
be
present,
then
it'll
Force
some
level
of
adoption,
even
if
they're
opting
out,
which
would
be
kind
of
sad
but
also
positive.
At
the
same
time,
I.