From YouTube: OpenSSF Vulnerability Disclosures WG (July 27, 2022)

A: Hey there, all. I've dropped a link to the notes into the chat.

A: I do not know whether we have an official agenda or anything like that going on for today. I know CRob is on a boat, so he is out of the office this week.

A: I can't recall whether he asked someone else to lead this meeting in his stead, and there is currently not a co-chair of this group.

A: Hey, morning, Madison. Do you remember whom CRob tapped to lead this call in his stead?

A: I don't see it. Well, all right then, that's fun. In the meantime, if you have not seen it yet, there's a link to the notes; please sign in. Hey, Francis. Will you tap to leave this call, or do we only tap to leave the other call?

A: Okay, then. Well, that's great.

C: Yeah, that would definitely be helpful if we can do that. It looks like there's a section on here for outstanding areas to address, so I assume that's within the document itself, so that's work that still needs to be done, right?

A: That's my guess. I suspect that CRob put this agenda together before he left. Yeah, fair. Cool, yeah. Well, in that case...

A: Let us just sort of get going here. Let me open up the... I guess I just accidentally took over the call. Apologies to everyone in advance for me not being prepared and for me still being kind of bleary from a 6am call.

A: Now I'm about to drop yet another link into the chat. This one is to our work in progress, the document we are working on right now, which is our vulnerability disclosure guide for finders.

A: There we go. So CRob has very helpfully... First of all, hi. Is there anyone new here, and would anyone like to introduce themselves?

A: That's a no. Okay, great. Who wants to be scribe? Who would like to take some notes?

A: Normally, I would put my hand up, but if I'm driving the bus, I can't also take notes.

A: Need you for a lot of the document stuff? So if we could split the difference there and have Francis take notes.

A: Be huge and close the sidebar. Close the sidebar. There we go. All right, so here we have our fabulous document that we're working on.

A: Now this is currently down at the bottom, and I closed the sidebar, which would make this easy. Hangout guard me... all right, so we do have a glossary here. I went through the document this week, one of these days, and I found a bunch of jargon and acronyms, and I just put them in a file, threw them through sort -u, and then plopped them here with a cut and paste.

A: I think that's a great idea, and perhaps we can, once we get this kind of started, maybe it makes sense to hand this to the Education Working Group.

A: Excellent. Well, in the meantime, we do have to get it started, so, and Madison, you've offered to jump on that. I'd like to recommend that we just generally have some homework for this week.

A: Well, two weeks, I guess; this one meets every other week. Where everyone dives in, and you know, as you see things, start to add to it, in particular in the glossary, which is completely empty.
A: Another thing that I added this week is the bibliography, where pretty much I just went through the entire document, and I found every single link that was referenced, and I just plunked them all into this area. This needs to be cleaned up and put into some sort of reasonable format, so it's not just links, but it's actual text.

A: Well, some of us still print these things from time to time. I'm not looking at the agenda; it's on the other tab. I will jump to that in a minute, but first I wanted to point out that there was a call for templates to make it easier, because everybody hates a blank page, right? And there were two templates that we had previously created for the earlier, for the maintainer disclosure guide. I linked to them here in the template section.

A: ...versions that will be appropriate for finders rather than maintainers, or at least see whether the maintainer one will qualify. Is it good as is? Do we need a new version for finders rather than simply maintainers, and it's fine? If we do, totally cool; files are free, so we can just create a new file and link to it. Also, while we're here, what other templates do we think might make sense for people, for us to create?

A: Here we... all right, yeah. That would be great. Thank you, Francis, for that. So, while he's looking for that, are there other templates? If I recall correctly, looking in this document, some of the things that were mentioned is, for instance, a personal vulnerability disclosure policy template.

A: Yeah, so if we click up here to the document.

A: I believe this is something that Jonathan worked on along with you, Madison; you two were working on this document together, and he has his own vulnerability disclosure policy for how he handles these things, and it's written up in this document.

A: As far as what you would like to do and how you would handle your disclosures.

D: My one fear about this is if we end up having somewhat of a very complicated, even guide, to browse, if you want to handle, like, CVD. Like, I think it makes sense to have, like, something for personal disclosures, but, like, this guide is already 14 pages long, right? If I was to embark and do this, like, by myself, I would probably not even read past the first two pages.

A: That's a very good point. Francis, do we need essentially a TL;DR or executive summary version at the top?

B: In my experience, it's actually kind of interesting, because you kind of find both people. You find, like, I have a friend of mine who sends a lot of this to Purcell, and they want, like, his bosses want an executive summary, but then, like, on the other side, you have other projects like Astro with Fred, who used to work at Google, who wants to know all of this stuff and will try to read all 14 pages. So I think you have, like, both. You have people on both sides of the aisle.

A: Yeah, and that's why I think it might be helpful to have that sort of thing, so we can make it as accessible as possible to as many people as possible.

A: I love the idea of a one-pager, Francis, so converting this into a one-pager and then linking back to it for more information would be a great future task for this group, I think.

A: We already have another one-pager in the works, but just lining them up. It's never a dull moment here in the Vulnerability Disclosure Working Group.
C: Something else that we had talked about that maybe we could do, sort of the way that I've been thinking about this, too, is laying out all of the options available for a reporter, and maybe we can even give some more feedback in, like, levels of maturity. Like, I wouldn't expect a brand new reporter to go out and make their own personal vulnerability disclosure policy themselves, but if they're actively reporting this repeatedly, that might be helpful for them.

C: So maybe, if we, like, organize the information into, not really maturity levels, because I don't think it needs to be, like, that defined, but that could be helpful. So, if you're a newer reporter, you're really just looking at, like, the high-level, most basic things. And something else that we had talked about before that we haven't yet done either is we can explicitly call out in various sections, like, this is what the OpenSSF recommends.

D: We did write down the options for disclosures in the doc, just below the personal vulnerability disclosure section, if you want to scroll down to that, Madison. This may not answer your full question, but I think it starts to address it.

C: Yeah, yeah, I'm just thinking, like, that might even be useful to surface, like, along the way, like, throughout the whole document. That way, if somebody wants to just scan through it, they can just look at, you know, OpenSSF recommended actions for each section, basically. That might be, and then from that you could make a really easy one-pager.

A: Yeah, I think that it might make sense to finish the document in its full form and then use it as essentially a basis for pulling things out and reorganizing it, and use it as a kind of a source document to build on for additional content.

B: One thing I want to kind of throw out there, and I pick on JS a lot because they're kind of like the pain point in the Gen 2 ecosystem, because they're very young people that don't understand any of this stuff. And I think, I don't know if this document at some point addresses, because I've noticed that there's the maintainers, especially in JavaScript, that don't really understand the point of security at all. Like, they just see it as a problem, and I've noticed that there's a friction point because maintainers don't really sometimes understand why you want security, and then they have people reporting security things.

A: Let me drop this link into the chat for you, if I can find the chat, because it hides that once you start sharing. There you go. So I think that is most likely covered in this maintainer guide.

E: Also, one bit of homework that I have: I was going to take a stab at adding in a kind of a human element within the security... I think security policy section, or not policy, I'm using the wrong words here, but.

E: You know, you're typically working with, you know, engineers and volunteers, and it's maybe much less that business side you might get when you're working with a commercial organization submitting vulnerabilities. So just kind of insert a little bit of the human elements of: look, have patience, they're volunteers, their schedules are different. It might not...

E: You know, work out exactly as you're expecting, timeline-wise. And the same as referencing the maintainer doc, saying, look, and it's the same for the maintainers; they're recognizing that they're working with security researchers, and you know, there's human elements for all of this. And I think, I forget exactly where it was. I think it's certainly where the section was. I was going to try to work on that.

E: Oh yeah, security policy, understanding how the project handles vulnerabilities, trying to submit it somewhere, and there. But it certainly could float, because I think it's important to add that in no matter what. Wherever it goes, I think that's an important part to add in, like, who is it you're going to be dealing with, and step into their shoes for a minute to try and understand where things might get complicated.

A: Yeah, it probably makes sense. There's a section near the top, which is covering, I'm showing you on the screen here right now, who is an open source maintainer? What are their motivations? And then set a quick section right there, because this is right at the top of the document, and it really helps to set the mindset, and you set the expectations right up front: yeah, you're not working with a corporation. These are individuals, so don't be a big jerk face.
A: Wouldn't have done a wonderful job. So are there other templates we would like to include here?

E: I think a vulnerability report submission template would be important, so I was going to look around to see if we have any. I know we do, like, I know I could get one also. If anyone else has any that are, I mean, do we have one in the maintainer guide, like what a vulnerability report should look like, a submission?

A: We do. The templates, there are only the two that I linked to. Okay, there's policies, notifications, but I...

E: Think a submission template, like this is what you should... and I know we kind of talk about it within the document as well. It's already written in there, but this is what your submission, you know, speaking to the researchers, this is what your submission should include. You know, it should have the vulnerability description, it should have, you know, whatever details should be there. So yeah, an example would be good there.

C: No, that makes sense. I was going to say we, the Security Labs team at GitHub, often take on the role of the reporter, because they're doing a lot of vulnerability analysis work, so they have guides internally that have been shared with me that I keep meaning to put here too. So I'm happy to, once we have Francis's starting point, add to that too, if needed.

A: Wonderful. Do you have any other examples you would like to share that you could pull out that would make sense in this context for a researcher?

A: No, not 400. No, because I'd imagine this is going to be, if it ever hits 10 templates, I would be really surprised. If you look at the maintainer guide, their templates, there's only, I think, a max of like five or so, and these three have almost exactly the same content inside of them. I'm not even going to click through, because they're all the same. Actually, I will click the wrong one, because they're all the same.

A: So yeah, I'd expect we're not going to get that many, but the ones that we will have will be informative. Going for quality, not quantity. All right, explanation on vulnerability identities, page four. Click the right tab.

A: Let me see, vulnerability identities, look at that. All right, so July 13th: reach out to OSV, talk about IDs in general and about how we've chosen CVE, OSV. I don't know what that means.

C: Let me check. Oh yeah, so we were talking about specific vulnerability identifiers, and in this we're going to recommend and say that folks should get a CVE ID. The other thought was that there are a number of other identifiers floating around the security ecosystem. Maybe it would be helpful to define those too for reporters, because they're likely to experience those. And the question that we have then, I'm pretty sure from about two weeks ago, is there was a thought that reporters might be able to get an OSV identifier.

C: I reached out to Oliver myself, the OSV dev, and they cannot do that. OSV assigns OSV identifiers to a very, very specific subset. So it's not something that researchers could, like, go and get themselves like they could a CVE.

A: And we define OSV, what it is, when you'll see...

A: CVE are the only ones specifically called out. Are there any others we should mention in this context?

E: Yeah, and I think part of the conversation was also just that education for researchers, that in some cases you might work with a project that isn't going to want to use maybe any of the above, and just that awareness that all you might get is a security advisory or a GHSA or something, and that might just be it. There might not be anything on top of that.

C: I'm happy to at least start it. Considering my team is the one assigning GHSAs, I'm more than happy to talk about vulnerability identifiers.

A: Okay: explanation of how dev works, of how open source dev works and flows, and talked about scheduling backlog. That would be, I'm guessing, "Who's an open source maintainer."

A: Nope, this is a three. Okay. This is something I am eminently qualified to work on.

A: Whereas I am less qualified to work on things such as the identifiers, so I will jump on that one.

E: Was also thinking, Vicky, I had a comment in that section. I think it's "who are OSS maintainers" or one of those ones, so right in that area where, within this whole, explain the difference between those two types of open source you might interact with. Also, just in general, you could also interact with a two-person open source shop or a distro list.

A: Have fun. Okay.
A: Okay, now that's a very good context. Thank you. So the table certainly helps a lot, and it fleshes out a lot of this, but we should probably actually, just a table, include all of these: bug bounty...

E: I think one thing, and here was definite, some of the definitions that we have, because you know this is a, it's a combination, right, of experiences, I think, all of us contributing here. Maybe if we are able to find a standard, I don't know if CERT has actual, like, definitions of what these are versus...

E: Some of the definitions we've kind of put into this already, because Crystal and I were looking through some of these, and we were like, well, full disclosure, in our day-to-day experience, full disclosure just means disclosing the entirety of the report, not necessarily what we have full disclosure defined as, or as far as, like, you know, doing that as a last resort.

E: So I think if we are able, if there is a definition base out there, kind of, I guess, goes back to our glossary stuff, right, but finding joint definitions on what all of these are.

A: It looks like, according to Crystal, there are ISO standards for this. I don't know whether they are publicly available or whether they cost an arm and a leg.

A: Yeah, but there may be some, like with SPDX, it's an ISO standard, but it also has a public standard that anyone can get to, so.

E: Yeah, I can definitely take a look at some of the references. I'm not sure I want to be the one writing definitions for these. I like that they're already there, but if I can find the resources that we all can agree upon and reference those, I'm happy to collect some of those, and I know some of that work's going into the glossary already.

C: I just put in a comment there linking to CERT definitions for full disclosure, private disclosure, limited disclosure.

A: Thank you. And they've added a few. I have not, I'm sure I've read this, but I probably noticed it needed a lot of work and then moved on.

A: So does anybody have any, or would somebody like to volunteer to take a first pass through this to at least move it up into the finder context and away from the maintainer context?

A: Looks like we might be punting on this one for now. I don't feel qualified to do this accurately.

C: Yeah, one thing that I just thought of, because you just said two weeks: I myself am not traveling to DEF CON or Black Hat, but I imagine many people in this group maybe are. So our next meeting in two weeks takes place then. I'm not... that might be something we want to review, maybe cancel or move, as I imagine many people that are in this group will be attending.

E: I'm also thinking through this section here, because a lot of it is coming from the, and I doubt we're going to be able to answer this on the spot here, but some of these sections might not even apply and might not even, you know, rank high enough as we're prioritizing what we want to include and what might be a little extra. How do we vote on that?

E: Like, yeah, like this first section, for example, "we're not sure if this is a security issue": is it more beneficial for us to be looking at this saying, okay, flip it around into researchers' language?

E: Would we even want to write something like that in the researcher guide? Like, you'd have to reframe it for the researcher, and then we have to assess if we even want to keep it in the guide. Do we have a process, maybe, of assessing this first, stopping and saying, what do we want to keep in here, and then rewriting it from the researcher's perspective?

A: I don't think we officially have a process, although I certainly applaud the optimism of asking whether we do. I think probably the best way to approach it at this point is if someone would like to volunteer, Kayla, to take a first pass at this, maybe doing it in suggest mode first, or maybe going through and, like, if there's something you think doesn't belong, because you're right.

A: If you're a researcher, you probably have a pretty good sense of whether this is a security issue or not, and then just strike all that out.

E: Okay, I'm happy to take... I love suggest mode, because then it can just be accepted or denied. So I'm happy to go through this in suggest mode and just kind of give Kayla's thoughts on whether or not we should keep this for reframing or not, because I think otherwise someone's going to put a lot of work into translating this for the researcher, and then we might take a look at something and be like, shouldn't even stay. So I'm happy to suggest mode here.

A: Excellent. CRob is going to be so proud of us. All right, review brainstorming ideas on P12, and what's that? That's another meeting notification that I can ignore. Oh, all right! No, you know, I'm closing this tab. I keep clicking it. I should. All right, P12, I'm sorry, what was the subject? Brainstorming ideas on P12.
C: I don't think we do at all. We might touch on proof of concept code a bit and including that in your initial submission, but not explicitly exploit code, and also sharing that publicly.

E: Well, it is a little bit referenced. I think we could take a look and let's see if it's enough or not. Like, on page five there's some suggested text that says, you know, "or example exploit: include it after you've established a secure channel." So we have some stuff, but I don't think it has its own section.

D: We're gonna... I don't think you're wrong. I was just gonna say that there are some resources about documented processes around, like, PoCs and exploits in general. Like, I know Project Zero has somewhat of a public thing about, like, providing exploits roughly 30 days after disclosure, just to give time. This is something we could piggyback on and reuse.

A: Well, that's good to know. This is okay: write disclosure for the public, so you don't have to do it twice. This sounds very Jonathan, I vaguely recall.

E: There's, Vicky, there's a subsection here that's "set up your report for easy intake and disclosure."

E: And it has, like, in the suggestion, there's a suggestion there, and it's specifically, yep, right here: "write your initial disclosure for public consumption."

A: Vulnerability disclosure timelines. Morton has a comment here: should know that, for some projects, strict deadlines might not be possible. Does anyone recall in here whether we have anything specifically about timelines?

C: We just, like, at a very high level, say in the "having your own personal vulnerability disclosure policy" part that part of that is picking your own timeline, so we don't give a recommendation for numbers in there by any means, or specific dates, but just that's referenced in there. But it's clearly not done. I imagine that's why.

E: And I feel like the talk of embargoes has popped up a lot, you know, which kind of goes along with timelines, I feel like. And I know it's in a lot of comments, but I don't think it's actually made it into its own section yet.

A: All right, so we're gonna need to punt on that one for now, because we're running low on time, unless...

A: Yeah, dependency vulnerabilities: what needs to be done to coordinate.

A: So if you, as a researcher, find a bug in something that is a dependency of stuff, it's not something that you as a researcher need to coordinate at all.

A: Do we have some sort of general sense of whether this should be included in the document? I just mentioned it as something to...

E: Section, yeah, yeah: we can go ahead, and this was actually one of the last, I think the last item to discuss on specifically for this as well. We can erase "vulnerability disclosures policy content" all the way through the end of the... I can do it, I'm happy to erase it, but that was the section that Crystal and I worked on, and I took all that and crunched it into a format that would fit above.

A: I love it. Okay. Well, looking at our notes, it looks like we've gotten through the agenda as such, and we have lots of to-do items out there, lots of homework, and I believe, if, oh goodness, look at all these notes. Rock star.

A: So we've got a lot of action items for people. If you don't have action items, feel free to dive in and help on the document. Anyway, I also will email the group, here we go, in two weeks to see whether we will be meeting because of DEF CON and the like, and huge props to Madison for pointing that out. All right. Anything else?

A: Okay, excellent call today, everyone. Thank you so much for being here. Thank you for all your help, and thank you, Francis, for the wonderful notes.