Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Vulnerability Disclosures WG / 10 Aug 2022
OpenSSF / Vulnerability Disclosures WG / 10 Aug 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OpenSSF Vulnerability Disclosures WG (August 10, 2022)

Description

Notes: https://docs.google.com/document/d/1mZEi6EvbH2mvn-gHOUIaysAjHlwJXjJdJ7gMlelSkVU/edit#heading=h.u5im5d90xac4

A

Hello, everybody, sorry, I'm a bit tardy, I had uh actual work. I had to deal with real quick, not my fun job.

B

Are we are we keeping this meeting because I know we were like debating.

A

I have a couple little things, um but I do have to leave at the bottom of the hour. I have to record a black.

B

Hat.

A

Podcast.

B

Nice yeah.

A

Got some security researchers were chatting with from vusek.

A

So if I could have your indulgence for at least a half hour, maybe less we probably can cut out early depending on what the group demands.

B

We want it all.

A

All right, we are.

B

At.

A

Two, after the hour we will get started. Do we have any new friends here to the group that wanted to introduce themselves and say hello to the team.

B

uh This might be my first time, even though I think I've worked with all of you in different places. I think uh I'm brian fox co-founder cto sota type background and apache maven apache software foundation and osf governance board. So many working groups, so many sigs, I'm still trying to you- know, collect an audit of all of them in my head. So I can really understand how we can help. So I try to pop in when I can.

A

Well, this should be one of your favorite ones, brian going forward. You.

B

Said that on the last one I did.

A

It's all true, I love all my children equally.

B

All right anybody else want to say uh any other new timers want to say hello.

C

Do I count as a young first time, member.

B

Maybe you could just introduce yourself sebastian.

C

Well, I'm sebastian crane, I'm hailing from the spdx project, primarily and given that I have an empty calendar, I'm doing the tour of the open ssf today.

A

Great well welcome uh awesome, awesome awesome, so it looks like francis is going to help us take notes, um a few items. I wanted to chat about uh bellandorf just dumped it into the general slack channel, but it is now official we'll be having an open ssf day in dublin on tuesday. I think it's september 13th and they will be soliciting a short call for papers if anybody's interested in putting something together related to the working groups or the efforts of the open ssf.

A

I think perhaps this might be a great place to unveil, uh reveal our uh cbd guide for finders. That would give us some additional pressure to push this over the finish line. um I will be there, uh as with my goose hat I'll, be kind of helping shepherd things along. So if anyone will be, there is interested in either putting together a brief presentation about something uh or if you want to do some kind of meetup or maybe we want to get together and collaborate on elements of our work group work.

A

All that is on the table if you're interested and will be in ireland, any questions.

D

Sorry, when are you guys going to be in ireland, so that's actually quite close to where I am.

A

We will be in ireland the week of september 12th.

D

I don't think I'm going to be fit and ready to be traveling by the time. Unfortunately, I've literally just recovered from an operation right, so I yeah, hopefully you're able.

A

To remember fuzzy.

D

Much appreciate you chris much appreciate, thank you, um but yeah thanks for having me again for the second time.

A

um Everybody is welcome. We love your feedback. You were a good contributor uh in previous meets, so thank you very.

D

Much man- and I was just seeing whether or not I could make.

A

It.

D

Out.

A

There.

D

But I highly doubt that I highly doubt that.

A

All right, well we'll be there, and maybe we can come to you who knows I don't know how far you would be in glasgow. Oh you're in glasgow, awesome, yeah, just a little uh ferry ride over.

D

Yep yep hit the plane. It's a lot easier.

C

They have ferries from glasgow to dublin. Well,.

A

They have theories over to scotland and then we'd apply to the bus or.

D

Yeah you go from belfast to scotland, but um dublin to wales.

C

All right I mean I'm slightly jealous because I live on the coast, but there's no ferry service to anywhere.

A

I just had the good fortune- I was in dublin in july for the first global conference, so I got to experience a lot of ireland that was pretty fun. We took a couple day tours north west and south, so.

D

It's kind of cool, oh wow, ireland is just a lovely place. It's such a special country.

A

It was, it was beautiful and I'm actually sad. I was supposed to go to edinburgh a couple years ago, but I had medical issues, so I wasn't able to go and we were going to do scotland and all of ireland then. So I still scotland's still on my list.

D

Oh for sure it should be on everyone's list. I mean we have castles. You know you can actually stay in castles, see when you go up north right. It's like don't be booking out hotels, just search for castles to stay in all right, a wee car just plan. Your trip out is amazing. I do it like before before I got injured and laid up. That was pretty much my spring break because we'll just go up north and we just do the 500 and we just drive the 500 miles up north nice yeah. That's awesome!

D

I highly recommend it if anybody's ever over. Just by all means do hit me up more than happy to show you around.

B

Real estate in scotland, specifically of the castle variety.

D

Has already got his eye on this castle outside of edinburgh? I don't know the one he's talking about, because um yeah it was, it was notorious for throwing the best parties like but yeah. I know the castle that randall's one they've got his eye on well. Randall's missus has got her eye on.

A

Very nice, um so yes, please, if you're interested in either uh participating or having some type of meetup around the eu oss, please let us know and then a semi-related foundation business.

A

uh The tac has started having the working groups come in and report on activities so to I did the uh the best practices working group yesterday for the tech. If you're curious, the video will be on youtube in a day or so to kind of see, but we will be on the schedule to talk to the tac, uh the first full week of september september 6th, so I will be putting together a deck there's a link here, um just doing a brief update of kind of what we're up to and what our next projects are.

A

So if anybody has any ideas, they'd like to contribute to that, let me know I have uh like the speeds and feeds of the group. I have that in a previous email. So don't worry about that. But if there's anything in particular work items that we are working on or updates, you want to give or efforts. We're involved in, please feel free to make some edits.

B

There.

A

And that will be done to the tac early september.

A

Any questions about that.

B

How do you spell tech.

A

Tac uh pac technical advisory committee- they are the group that is the liaison between the working groups and the governing board.

A

All right uh does anyone have any opens. We want to talk about.

A

All right, let us briefly look at our cbd guide for finders check in the state of that I'll post. A link here in the zoom chat.

A

Gone through uh many different revisions, it's looking better. I still think we have a little bit further to go where I would solicit uh contributions from the group. If you scroll down to page 12, we start um the appendices so right now we have two areas: we're going to be collecting information on.

A

So if anybody has any contributions to the glossary of terms, we would prefer kind of uh standards based uh definitions so like for cve, we would go out to the cve page and kind of get their official definition of themselves, but if anybody is able to contribute to any of these glossary items that are there or if you have additional things, you think help provide security, researchers, uh context about coordinated vulnerability, disclosure to open source groups, please feel free to add those and then we started.

A

The next item is our bibliography, so kind of a library of resources that we feel are important to cbd or we've used in compilation of this document. So if you have any good resources, please place them there and then finally- and probably the most important piece is on page 14- is the templates and examples it's nice to have a guide that instructs people how to do things, it's better to give them a guide and tools to be able to execute.

A

So we have an example of what a disclosure template might look like what an embargo template might look like. So if we have any examples of existing art or anything, we want to create, uh let's uh get those linked there and ultimately, this word. This google document is going to get moved into a git repository once we are done.

D

With the.

A

Major edits, so any questions or comments on the three items in the appendix appendices.

A

uh Do we have a deadline? Oh we do now. uh I would like to get let's see if we can push this through to the finish line before that september, 6th tack update.

A

We were going to try today for black hat, but we got distracted. So, let's see, let's put a new date of september 6th as well. We would like to have the final draft ready and that way, if we were so inclined, we could potentially present that the following week at the dublin conference- yes madison.

B

Do we, I know we had talked about uh the linux foundation editors in getting this basically copy edited. Do we need that to be done sooner so that they have time to do that.

A

Yes, uh you are right um hum hum hum. We are coming down to the finish line, so how about?

A

If we could have things by uh august, 31st give us enough time to do the writing and I think the copy editors said they only needed a few days, but that gives me time to go back and bother them and get on their schedule.

A

So august 31st feel like a good deadline. We can.

A

All right so august 31st, it is thank you madison keeping us focused, so uh our homework for today is for those of you new to the group. Please read: the document fresh eyes are always helpful and provide your comments in the document or to the mailing list or in our slack, preferably in the document. So we can kind of see it all together and as we let's see, if we can get these last few items uh tightened up, do we want to schedule maybe some uh a couple working side.

A

Final working sessions like we had done previously.

C

Sebastian, thank you. I just made some edits to the uh who is an open source, maintainer um section and uh google docs has decided to make practically every keystroke a different suggestion um anyway, it's I just thought it sounded a bit too specific to the github paradigm, and so I've added references to patches and things that other communities use excellent.

A

Thank you, sir. That is um one thing we want to highlight through all of our work is that there are a lot of different ways: open source executes, and you know github is a great tool. Lots of people put their code there, but that's not our only tool. So thank you for that sebastian.

C

And uh in some communities like debian, if you make a pool request, it will never get seen they leave the button there and no one will ever look at it.

B

Excellent.

A

All right so any uh comments or additional questions.

A

Thank you, madison.

B

When do you want to have one or two working sessions.

A

uh Well, let's see of the people here we'll do an email out to the mailing list, but of the folks here today who is interested through showing a raising of hands and then participating in a special, focused kind of tiger team type. Call to finish writing.

A

I'll hit my little nonsense button here.

A

All right so there's at least four of us, uh so let us say, um let's get a doodle together for early next week. Does that sound fine, okay? That works for me awesome is. Is anyone able to do the doodle to save me from monkeying around today.

B

I'm tied up at def con black hat world so have.

A

Me too remotely, but uh yes.

B

It's better than being in the heat my friend.

A

I didn't want to heat the heat and you know I pre got the sickness, so I.

B

Get it.

A

All right, so we will get a a doodle poll out to the mailing list and we will set that for early next week, try to get through the final revisions of the document and as needed. We will schedule potentially a second call later in the week or the week.

A

All after any other questions, comments or suggestions before we potentially leave early today.

B

If you do not plan to attend the working sessions, but do wish to have your opinions hurt do so in the next few days, because the working session may be early next week, like we just said so anything later than this, we may have to sadly ignore or push back yeah.

A

And and what the model will be is once we're done with the document we get it through. The copy, editing, it'll be posted up to our get repo, just like the maintainer guide and from there on we'll follow the pr process for adjustments. So you, your feedback, might get delayed for a while.

A

If you don't give it soon.

C

Sebastian.

C

Thank you just a final um question comment and that's that the term vulnerability disclosure seems to have uh adopted two meanings in various different groups: one's the disclosure of vulnerabilities by a researcher to a project, but I've also heard it in the context of projects reporting to the users. What vulnerabilities are present in a particular version so that the comment there is that it exists and the question is: what should we do about it?.

A

um From my body of work and experiences, um we're focused more on the former is getting the right. People engaged to correct the problem and then the actual uh communications piece is generally that one of the last steps of a a cvd process is, you know, the communication is very important, but you know we're focused on making sure we get the right people with the right skills to fix the problem, and then we will notify downstream.

A

Is the tail end of that.

B

I think it's worth mentioning mentioning in the guide. Thank you, sebastian I'll, put a comment.

A

Thank you, sir yeah good feedback. Anything else before we close out today.

B

I think we mentioned this uh in our last meeting or yesterday's meeting, but I think uh the documentation making sure that we have all the linking documentation in this that the supporting documentation as well.

A

Yeah, that was uh the appendix down towards uh page nonsense. Bibliography on page 13 is where we were assembling all the supporting material. So if we have additional ads, please put it there and then we'll go part of the last stages we'll be testing all the existing hyperlinks in the document make sure those are all valid.

B

Fair. Thank you.

B

Randall, I missed that last comment. If you don't mind adding it to the meeting notes, if it's relevant sure thank you.

A

Yeah, we just want to make sure that we're capturing our sources or good references and then, as we have hyperlinks within the body of the document, we want to ensure that they're valid.

A

Any additional comments or feedback.

A

All right so again, homework will be respond to the doodle if you are interested in a focused working session on the document. um Otherwise, your homework would be please review. The document. Add your comments so that we can get this closed out by the end of august and ideally potentially presented in dublin on september 13th.

A

Thank you all for your participation in collaboration and enjoy the rest of your black hat day. Thanks.

B

Cheers. Thank you. Bye.

D

Thank you very much. Take care guys.