From YouTube: OpenSSF Vulnerability Disclosures WG (May 18, 2022)
D: Not quite new, but I'm a second-timer. It's been about a month and a half since I joined, but I'm hoping to be back and listening in and gleaning some good information. I'm in Denver; it's supposed to snow this weekend. So for those of you who are rainy and sunny, I'm jealous.

A: Very nice. Anyone else, first- or second-timer, who wanted to say hello?

A: All right. Do I have anyone willing to help out scribing notes with us today? Thank you, Vicky.

A: All right, let us talk about the Open Source Summit II.

C: I can try. Yeah, so I will try to give a quick recap, and CRob will explain that I was completely wrong and start over. So, all right. I honestly don't know how many people know the context, so let me start from the top. Well, not the true top. In January, the White House, the U.S. White House, had a meeting where basically, hey, we're concerned about open source software security. Who else cares?

C: They contacted a bunch of companies and almost all of them said, oh yeah, it's an important topic. Open source is widely used. We don't want to kill it; we just want to make sure it's secure for all the uses it has now. They contacted all these companies, and all these companies said, yes, we totally agree, and there's this group called OpenSSF that we're all working together on.

C: So the White House said great. There was a readout of three goals from the overall meeting, which I thought was actually an impressive summary. How do you summarize a long meeting with three bullets? I thought that was pretty good, actually. So, of course, everyone's busy, but more recently: hey, we need to have a follow-up, otherwise things will languish. So a number of folks basically tried to make a first cut at turning those very high-level three goals into more specific actions.

C: We had a lot of folks involved in this, and Brian and I, just to give you some inside baseball here, Brian and I had a ten-hour Zoom call trying to take each of those individual ten pieces and make it look like it was one whole thing, without removing the important information, but make it look like it was written by a single group. Making it consistent is hard, but especially while trying not to remove the good stuff.

C: I think it's been well accepted. We've been pitching this as a 0.9.1. The meeting was basically an opportunity for: this is a draft created by some people; not everybody has seen it or reviewed it, but that's okay. This is a starting point. This is a draft. What do you think? And so the meeting was basically a number of folks, some of them involved in it, a number who weren't, commenting on it. Does this make sense? Does it not? Where is it missing?

C: And so the goal at this point is to say, here's a draft some folks put together. Let's try to fix it and improve it, make notes, make changes. One particular thing I will note, for example: I led the education stream.

C: Oh okay, that's an interesting thought. Probably not so much K, but maybe near 12. So I think there were some interesting comments, and I think the longer-term goal is to try to turn these ideas into both funding and action. All right, CRob, tell me everything I got wrong.

A: Oh, you did very well. And it was a meeting of U.S. public sector folks and... A couple of sessions I was in, it was a pretty good dialogue. Unfortunately, we got rat-holed on the whole high school thing in the education group, and we didn't get to talk about the actual content. Well, that's a future problem for another working group. That is my favorite.

A: So my intention today is: I sent an email out to the list in hopes folks would have a chance to review the document, so I wanted to start talking about a mobilization plan, if anyone had any thoughts. And I would like to zero in on streams five and six if possible, because those seem most related to this particular working group, and kind of see what interest this group has in participating in further refinement of those two areas in particular.

B: It was a hell of a good consolidation of the working documents, which were many, many, many pages long, and so I was really impressed by how well they were able to really shrink that down. But I haven't gotten into any more detail than that because I've been quite occupied, but yeah.

B: I think it's a good start. I'm interested in hearing what people had to say at the meeting about funding options and action items going forward, like what are going to be the next steps to make all this happen. Because I know that was something, whenever I bring it up to others, and I have brought this up to others in other communities since then, and as a result there are a lot of new meetings on my calendar to try and fill people in on what's going on in OpenSSF, they all ask about the money aspect, which is interesting, but is what it is. So, just to be prepared to answer their questions, aside from saying "go to the working groups and talk to them," which hasn't happened yet.

B: But I would like to prepare them with more information on that. So that's a question I keep getting.

A: So, to provide some context to what Vicky was talking about: each of the streams put together a proposal, like "we would like to do X, Y and Z," and they put together a suggested budget, or "these are the things we need," generally people and people's time, and that came down to some dollar figures. And that's where the next step that Dave is referring to is: now that we have this plan, it's generally cohesive.

A: I believe the intention is that, as member organizations find projects that they're interested in, once the plans are more solid, they potentially could pledge money to help out. The vulnerability scanning project, for example: it might donate some engineers' time or some tools to help out. But we need to vet the idea. Are these ideas valid, and are we interested and able to participate, or try to encourage some other people to take up those banners?

F: Do they map to working groups? This is kind of to Vicky's question, like what is the operating model of how we start getting stuff done here. Is the intention that these streams do need to nest under an OpenSSF working group, and the working group is the owner, the accountable group, for that? Or, as you were saying, CRob, it kind of made me wonder if there is a stream where a relevant working group disagrees.

A: My intention, being that I'm involved in a few working groups, is that I feel there are direct correlations between several of the streams and those working groups. So my suggestion is going to be, for this group in particular, I would like this group to review streams five and six, and do we feel that those efforts are appropriate and within our wheelhouse to participate in? And if so, we potentially could adopt those streams as, well, up at the TAC we're juggling around with some of the names, but they would become a special interest group.

A: A body of work that this group and other people could participate in. This group potentially could be the mothership for parts of those streams, or we would just potentially participate. We don't necessarily need to own it. But, for example, stream six, which is predominantly scanning and fuzzing, that's probably going to be a lot of Alpha-Omega.

F: Yes, I'll come back with more questions, but just for what it's worth, I feel like this group should be heavily involved in five, if not the owner, only because it would be very at odds to have an OpenSSF incident response team that was not in lockstep with the vulnerability disclosure working group. I don't want to take us too far off the rails, but David, is what CRob described the working model for the other work streams as well? Is that the intention across the board?

C: It seems like such a simple question. So goal one was to figure out what needs to be done.

C: Okay, goal two is to figure out how that gets done. And to be fair, we were intentionally a little coy about the how, because we were trying to not completely kill a "this should be done" just because we weren't sure necessarily how. Now, of course, the reality is that I think everybody who worked on it was part of OpenSSF and so on. So we're not unaware.

C: So I think the expectation is the vast majority of these will end up... I'll speak for me, I can't speak for Brian, but I'll be honest, we were much more focused on getting this document in good shape and out the door for what it was supposed to do. But I think, at least for me, the intended next step is: where there's an obvious working group, make it part of the working group's process now.

C: That said, I expect that there'll be changes, both in terms of when people look at it they'll say, "oh wait, yes, but it needs some change." It's great, I mean, it's a draft. That's fine, of course. It may very well be "wow, we're not doing that at all; maybe we need to spin up something else." I think for at least one of those, it's not...

C: We probably may need to end up spinning up a whole new OpenSSF working group or something like that, but we didn't want to... So my expectation is those that are relevant to a working group or a special interest group or something within the OpenSSF will end up in those, and if there's just nothing that maps, then either a working group will say "yeah, we're interested" or we'll spin up something else. Or, now here's the weird thing.

C: This may seem strange. We were really focused on what needs to be done. Some of the things may not be OpenSSF work at all.

C: In particular, there are some actions that make more sense for public organizations, and by that I mean governments. And although this was a meeting with the White House, this is not a U.S.-only thing. We very much want this to be international. So for some of these things, governments are the obvious actor, and for them the OpenSSF can pitch, but in the end it's governments who have to make that decision.

C: Yeah, and just to pound on that particular point, because unfortunately I am familiar with this: if you're dealing with colleges and they're talking about accreditation, you're talking primarily about ACM and IEEE. I have beat my forehead bloody trying to get them... Some of you may be familiar with the story already; my apologies for the repeat. But after ten years working with some of those, I managed to get them to add the word "security" as something that might be important.

C: Not any content, mind you, just that security might be important, and that was the extent of their willingness to consider security as relevant to computing curricula. So I kind of got tired. I'd like to think, however, that today is a different day and that there'll be more of an appetite to actually address the problem, as opposed to ignoring it.

C: Not only can I imagine, I actually have an engineering degree; my undergraduate is in engineering. And the complete and utter disconnect of the engineering world from the software world, which is doing engineering, because if you're solving human problems with limited resources, that's engineering, and the fact that they don't understand that they're engineering is a real problem.

C: So, yes, I think it's a crying shame. I'd like to think the world has changed a little. I think we've got a lot of folks who think software is only math and doesn't affect any people, so we're going to have to overcome the "computers are math" agenda to start.

B: Vicky, I think I'm with everyone who's had a look at this or heard about this, that I'm very eager to figure out next steps. And I guess what is the next step to figure out next steps, right? Obviously, getting everyone to have a look at the document would be great.

A: I tried to get people to do pre-homework. Obviously I had limited success in that. So everyone on this call, and I will send a note to the mailing list and then Slack: your homework for our next call is to skim the whole document. But I would like this group's feedback on streams five and six. Do we feel these are things this group has some affinity for, or some ownership potentially, and is this something we are passionate about working on? And if so, what will most likely happen is, if we have enough people who are part of our regular working group who feel that this is valuable and it belongs here, we'll probably set up a separate series of calls and a special interest group dedicated to those things. And I think, at least initially, because there's a lot of work to actually trim and refine, because there were a lot of ideas thrown out, we'll probably be meeting at least weekly for some period of time, this potentially smaller group, and then reporting back into the full working group periodically.

A: All right, thank you. I appreciate everybody. I think it's a big opportunity. I think there are a lot of big things, and if you note other areas within the document, something like in stream two or ten, that you feel we need to at least keep tabs on or participate in, let me know. But this will probably require a little more investment in time than our bi-weekly calls, as we want to move this forward. David, you had your hand up.

C: Yeah, if I can just... it's not long, it's a couple of pages. It won't take you long to read, and a lot of this you'll look at and say "oh yeah," but hopefully I think there are some additional refinements and some ideas, and I'm looking forward to more refinements as we go along. And the link is in our notes.

A: All right, thank you, everybody, for your time and attention to that matter. And before we move on to our CVD guide, I just wanted to put a shout-out to the Austin conferences that are going on: the Linux security conference and the Open Source Summit North America, held in Austin the week of June 20th. If you haven't already signed up to go, I would encourage you to consider it. I believe they are offering hybrid options. Many of us here in the Brady Bunch little display will be there and presenting and doing stuff.

G: I just think, Madison, neither of us has made any progress on the document ourselves, so we need to grab some time on each other's calendar and continue to work on that.

H: Yeah, I was traveling last week and haven't had a chance to look at it, so I should have more time coming up, hopefully.

A: Yeah, it'll be part of a SIG, kind of like the Great MFA Distribution would have been a SIG. Okay, well, that's...

B: Mickey, I started to have a look at it and kind of poke about and see what's what. I added a whole bunch of suggestions and edits. I got about a third or halfway down through it, and I had hoped to swing back around in the last couple of days, but life. But yeah, making progress on just generally editing that and asking a whole bunch of questions in there. And this is coming from somebody who, unlike Madison or Jonathan or yourself, while I'm highly knowledgeable, I am not a specialist in security. So I think asking some of those questions that y'all might just take for granted could be very useful as far as being able to communicate between different groups.

B: Exactly, that's what I was thinking. I know the open source side incredibly well, and I'm highly conversant on the security, and so being able to translate a little bit I think might be helpful. I'm trying anyway.

A: Did anyone else have any thoughts or commentary they wanted to add? I would encourage you, in your spare time when you're not reading a document, to throw your eyeballs on the CVD guide so that we can get this moving forward, I think.

C: Okay, just real quick: there's a bullet note about significant argument discussions going on on the oss-security mailing list about vulnerability disclosures in general. I'm not sure I can easily summarize that, but it is absolutely relevant to this working group. It's basically a very spirited disagreement on what the appropriate roles are for vulnerability disclosures.

C: The very quick, overly simplistic summary is: the Linux kernel developers really can't do things in private very long, and since it's supposed to run on a vast amount of different hardware, they really have to get fixes out. So their process has in general been: fix the vulnerability. A bug is a bug is a bug, and just not note that it's a security problem.

C: So there are reasonable points. I don't have a simple summary, but I would suggest taking a look at some of the arguments there, because I think this is a microcosm of a broader issue. As soon as you release the patch, whether or not you revealed it, attackers really do read commit lines, and some of them will create attacks from it.

C: On the other hand, there are a lot of folks whose way of attack is that they download Metasploit, which they might be able to spell, and for that crew not revealing the details is helpful. So it's complicated. There are points on all sides, but I think it's very much relevant for this group.

E: Just to maybe give a counterpoint to that, David: I believe this working group, though, is more about the smaller projects and trying to give them good advice, rather than maybe very large, well-established projects. And we can disagree with the kernel, and we often do, but we also work within their rules.

G: What's the subject line for this email? Oh, thank you! Oh, it was oss-security and linux-distros, so it's not in the vulnerability working group's email.

C: Oh yeah, right, right. oss-security has been around for decades. linux-distros has been around not quite as long, but almost, for a long time. Same group, yeah, same organizers, Solar Designer, and also...

C: And I could link to individual emails, but there are so many messages, and of course they can add. I wish I could sort by just the subject, but I didn't find a link for that.

B: So a lot of us don't have the time or cycles to follow various Linux and LKML-type lists. So would it be possible, David or anyone else who's on the list, after things kind of simmer down a bit, to get someone from the Linux kernel dev community to come and summarize that and kind of coordinate with us, or is that a bridge too far at this point?

C: I mean, it'd be possible, but I do want to clarify: this is not a summary of the Linux kernel. This is the Linux kernel developers disagreeing with the linux-distros mailing list. Those are two different groups with very little overlap. Greg KH is one of the few kernel developers who's also on that list, but in general these are not the same groups at all. linux-distros is primarily for, well, okay, we've got three groups: oss-security, linux-distros, and the Linux kernel developers.

C: It has some, but it's mostly the developers of distributions of the Linux operating system, i.e., Ubuntu, Red Hat and so on. Okay, yes, they absolutely do have kernel developers on there. But the interests of... this is one of the challenges. There are different interests and incentives for the Linux kernel developers and linux-distros, and this leads to complications. There we go.

F: Yeah, I was just going to ask. I was super quickly trying to jump around and get the gist of what's going on. Here is a good summary to say, abstracting things away from the kernel, because special community, special policies: is this really about a group of distributors of an open source project, as part of their managed services or distros that they're doing, having a hard time with the upstream's embargo policies or their disclosure policies? Is that the tension here?

F: Yeah, as I was thinking about it, is the value here... I don't think we're going to change the kernel, but is the value maybe that we think about: are there other open source projects? I know when we were going through the embargo section in the CVD guide, for example, that was a really tough area. On one hand, it's not... if the maintainers are doing something that doesn't work for the distros.

F: So maybe that is the more abstract discussion we should focus on, rather than trying to jump into any sort of kernel mailing list rundown.

G: Well, I guess the other question that I have is, what was the process beforehand? So the process before is: the kernel vulnerability comes up, and then it gets handed to the distro developers privately, or does it just go public immediately as soon as the kernel developers fix it?

C: It depends, yeah. This is way more complicated. It very much depends on who it is reported to. If the vulnerability is reported to the Linux kernel developers, which is actually fairly common, their general process, and I think this has evolved over time, but their general process today is: they do their best to fix it. The fix is public; the fact that it's a vulnerability is not disclosed, ever. The kernel team don't even get a CVE assigned, in general.

C: They have a policy: in general, we do not request CVEs. And MITRE, basically, at this point, has for the most part decided not to have CVEs for the kernel. This is not new; this is long-term, and there are actual reasons for this. We can go into this later, but no, in general, kernel vulnerabilities are never given CVEs.

C: There are kernel vulnerabilities that get CVEs, but it's not through the kernel, and we can talk about this. So let me not get sidetracked, because that's a separate, that's a related but not the same discussion. Yeah, go ahead.

A: I have had some involvement in something like this, and I know that there's a subject matter expert on the call right now. Potentially we could ask the subject matter expert if they could, maybe on our next call, come in and just do a real quick explanation of how a very large, very mature, very publicly visible community handles this. I think we're not going to be able to change the kernel security team's behavior, but we can learn from it and be able to share that as part of our good practices.

A: We're advocating, saying this is something that can happen; this is an example of how a community operates, and talk about how downstream consumers like the distros need to understand and work within the rules of that community.

C: I think this is worth a whole separate discussion, but Jonathan, let me greatly and ridiculously oversimplify. Part of the challenge is that installing a new kernel is a big challenge for a lot of cell phones. It never happens; if it happens, we're talking maybe three months. They're hoping to reduce it from three months, but usually six, but six months or a year or two years or never are not at all unusual.

C: If you think that's a problem, there's a large number of people who agree with you, and Greg KH has been busting his tail trying to get the time between a kernel release and deployment down. I think he's gotten it down on Samsung to, I think, three months, which is an incredible accomplishment because it used to be measured in years.

C: So this is part of the challenge: updating applications for most systems is a lot easier than updating kernels. A lot of folks are not prepared to update them at all, and again, if you think that's a bad idea, I agree with you.

B: I really appreciate and respect how you did not out the subject matter expert and allowed them to stand up for themselves and raise their own hand. So thank you very much for doing that. Yay. This is one of the reasons why, apparently, this is the best working group. So I do want to give them the chance to raise their hand and pipe up, though, either in chat or otherwise.

E: Before, and I still work in Red Hat's PSIRT. What I've been doing for the past six and a half, seven years is I coordinate our disclosures and work with our peers across open source projects and CERT and VINCE and everything else, and it's a big ol' mess for all the distros to have to monitor so many places and sources of data.

B: This is really valuable information that I think most people aren't aware of, just how complex it can be to do this sort of stuff. Is that what you were kind of referring to, CRob, having Cliff do your presentation on this?

A: So, potentially we could ask Cliff, or maybe somebody in that capacity, or Clifford himself, if he might be willing to give us a high-level explanation of how the flow of things works, and then we can maybe learn from that and figure out a way we can provide some advice. Because the kernel is one very large, mature security group. You have the Apache security team, you have Kubernetes and OpenStack.

A: You have these very big, kind of monolithic security teams that all have their own little nuances, and they don't operate exactly the same, and that's very different when you have professional security people on staff, like those orgs, versus a small mom-and-pop student project or whatever.

B: That, and especially, I would love to have that recorded like these meetings are, so we can have it available and chop that video up and just be able to present that to people. Because I have a number of team members who are quite early on in their careers and they are completely unfamiliar with how any of this works, and having a resource like that, where I can at least give them some context for all the moving parts, or at least the biggest moving parts, because I know there's a lot of easy little ones, will help them understand just what we're dealing with here. So I'm not going to volunteer Cliff himself, but just the concept of this: yes, please. This would be beautiful.

E: ...mature community, and something that we are right at this moment looking at is something called the IRP, the incident response playbook or plan: how do we handle vulnerability management at scale?

E: It's something that we are looking to maybe also share. I don't know if this is the right community, but it's something that we're looking at in conjunction, and so this aligns quite well with other things. I have lots of experience, but there's also a larger team of experts. Potentially I can take the desire, CRob, but probably ask around internally and see what makes sense.

A: If you could, that would be great. Somebody like Peter or anyone else kind of in that role, if they were interested in just talking about this. I will have to see about recording again, because there are certain sensitivities around these groups' processes, and I don't want to speak on their behalf, because I'm not a member of that community.

E: The other part for me as well is that, yes, we have friction with the Linux kernel, but we do consider them our partners still, and we present our opinion, they present their opinion, we have to disagree, but we then work together.

A: So it's not without the interesting moments, but in general it's worked fairly well for the last two and a half decades.

G: How do they handle, like, Project Zero, that comes in with "hey, we've got a 90-day disclosure deadline, and we'll be publicly disclosing this at that point, whether or not you're ready"?

A: Those parties, it's a thing that exists that many different communities and vendors have to work with. So in general GPZ does their thing. They sometimes can be negotiated with on their timelines, if you can demonstrate that something can't be done within their deadlines, but "just because you don't want to hit a date" generally isn't a very good reason for GPZ to extend your embargo time.

E: Yeah, I would personally say that I think normally it's in the best interest for people to be honest with each other and have good communications.

A: All right, well, that was an exciting...

C: ...lob a bomb, but I thought it would be wise for this group to be aware. I don't think we can change other people's policies necessarily, but I think at least being aware of them. I also, Jonathan, for your amusement, posted the Linux kernel's CVE policy for you; you should click on it. And thank you.

G: Thank you, yeah, I'll take a look at that. I'm noticing a certain amount of delicateness with which both of you, or anybody who's been involved in the Linux community, seem to articulate themselves around this particular topic. I presume that it's a charged topic with a lot of egos and personalities and issues that have caused explosions in the past that are prompting that, or...?

A: Like any group of creative people, they are very passionate. And if I can convey nothing else, two things to understand about working vulnerabilities in open source: everything is based off of your reputation, your professionalism, how you conduct yourself, how well you work with the people you're disclosing to. And then, as a former supplier of software, understanding what the rules of the community you're working in are and following them, so that they continue to work with you; and then also understanding and respecting the researcher when somebody's reporting something to you, understanding what the constraints are there, so that you can work positively towards reducing that risk for the end consumers, which is kind of the goal for everybody in the process. Yeah, there are some amazingly smart people, and sometimes some people have disagreements, like every family does, but we still love each other.

A: We just might not always agree over Thanksgiving dinner.

A: And just different perspectives and missions. The kernel developers are developing software; that's their job. Their job isn't tech support, so to speak. They are less sensitive to those concerns. They're focused on making sure the software works correctly, adding new features and capabilities.

A: Any other thoughts on this? Would this be valuable for the group to listen to, if we could put together some kind of high-level overview of how the large communities deal with this type of stuff? Okay, so.

A: I'll see if I can work with my brother Clifford and see what we can share. All right, now that we're close to the top of the hour, does anyone have any additional thoughts on the three items we talked about today, or any new items they'd like to discuss or bring up for a future meeting?

I don't know anything about what we just discussed, but stretching back a ways: VINCE is now open source. It was out on Friday, I believe, so I just wanted to make the note, because that had come up a long while back here. So now it's finally done.

G: I don't know how to answer that, actually. I haven't tried myself to spin one up outside of our version, because that's...

I: Yeah, let me try. Jonathan said that he's got it going; it's in the... Thank you, sir. Okay, sure, that takes care of that. Sure, yeah, and as always, happy to chat about that as much as I can. I just wanted to make everyone aware, since that was something we talked about previously.

G: You'll run CodeQL against it and see what it...

A: All right, thank you. So, as another bit of homework, I would encourage this group to go take a look at VINCE out on GitHub and share your thoughts, and I think this is potentially a platform that we may be able to endorse as a good practice and encourage OSS communities and projects to maybe leverage.

I: Great, and I'm happy to be the conduit, the best I can, between this group here and us, and Emily, and working on it further as needed. But also there are, I believe, the usual pathways available to add, to suggest, et cetera, et cetera.

I: Yeah, that seems totally feasible. I can't speak for her, but I don't see why she would say no, so I can easily ask her and try to convey back to you guys. Or I guess maybe, if you could let me know: you had mentioned potentially next time talking about other stuff with Clifford and stuff like that. So if you want to, let me know when a target would be. I can easily convey that to her and it should be amenable, but again, her schedule pending, of course.

I: Yeah. Okay, let me ask her and I can report back next time. That's probably fine; if not, I'll let you know what the adjustment would be then and we can move from there. Thank you, really appreciate that. I think this is going to be very helpful. Okay, great! I will ping her now and then get back to you. Once again, awesome. And so, any final thoughts in our last few minutes?

G: I have a question, CRob. Can you do me a favor, please? Can you please invite me explicitly to these meetings so that I get it added as a thing that I get notified against? Is that possible? Can I get out of the... in my list? I can talk to Jory. Are you part of the... I think it goes up to the part.

G: It looks like there's a way; like, there are 28 guests on the invite list. So how do I get myself into that list of guests?

A: But, like Vicky, I have copied the entry from Google Calendar over to my corporate calendar, but yeah, I will ask Jory about that as soon as I hop off this call. Anything else today, team?