From YouTube: OpenSSF Vulnerability Disclosures WG (August 10, 2022)
A: I have a couple little things, but I do have to leave at the bottom of the hour. I have to record a black.

B: This might be my first time, even though I think I've worked with all of you in different places. I think I'm Brian Fox, co-founder, CTO Sonatype. Background in Apache Maven, Apache Software Foundation, and OSSF governance board. So many working groups, so many SIGs, I'm still trying to, you know, collect an audit of all of them in my head, so I can really understand how we can help. So I try to pop in when I can.

B: All right, anybody else want to say... any other new timers want to say hello?

A: Great, well, welcome. Awesome, awesome, awesome. So it looks like Francis is going to help us take notes. A few items I wanted to chat about: Bellandorf just dumped it into the general Slack channel, but it is now official, we'll be having an OpenSSF Day in Dublin on Tuesday. I think it's September 13th, and they will be soliciting a short call for papers if anybody's interested in putting something together related to the working groups or the efforts of the OpenSSF.

A: I think perhaps this might be a great place to unveil, reveal, our CVD guide for finders. That would give us some additional pressure to push this over the finish line. I will be there, as with my goose hat I'll be kind of helping shepherd things along. So if anyone will be there and is interested in either putting together a brief presentation about something, or if you want to do some kind of meetup, or maybe we want to get together and collaborate on elements of our working group work.

D: Much appreciate you, Chris, much appreciate, thank you. But yeah, thanks for having me again for the second time.

A: Everybody is welcome. We love your feedback. You were a good contributor in previous meets, so thank you very much.

D: Yeah, you go from Belfast to Scotland, but Dublin to Wales.

D: Oh, for sure, it should be on everyone's list. I mean, we have castles. You know you can actually stay in castles, see, when you go up north, right. It's like, don't be booking out hotels, just search for castles to stay in. All right, a wee car, just plan your trip out, it's amazing. I do it, like, before I got injured and laid up, that was pretty much my spring break, because we'll just go up north and we just do the 500, and we just drive the 500 miles up north. Nice, yeah. That's awesome!

D: Has already got his eye on this castle outside of Edinburgh? I don't know the one he's talking about, because yeah, it was, it was notorious for throwing the best parties, like, but yeah. I know the castle that Randall's one they've got his eye on, well, Randall's missus has got her eye on.

A: Very nice. So yes, please, if you're interested in either participating or having some type of meetup around the EU OSS, please let us know. And then a semi-related foundation business.

A: The TAC has started having the working groups come in and report on activities, so I did the Best Practices working group yesterday for the TAC. If you're curious, the video will be on YouTube in a day or so to kind of see, but we will be on the schedule to talk to the TAC the first full week of September, September 6th, so I will be putting together a deck. There's a link here, just doing a brief update of kind of what we're up to and what our next projects are.

A: So if anybody has any ideas they'd like to contribute to that, let me know. I have, like, the speeds and feeds of the group. I have that in a previous email, so don't worry about that. But if there's anything in particular, work items that we are working on, or updates you want to give, or efforts we're involved in, please feel free to make some edits.

A: TAC, the Technical Advisory Committee. They are the group that is the liaison between the working groups and the governing board.

A: All right, does anyone have any opens we want to talk about?

A: Gone through many different revisions, it's looking better. I still think we have a little bit further to go where I would solicit contributions from the group. If you scroll down to page 12, we start the appendices, so right now we have two areas we're going to be collecting information on.

A: So if anybody has any contributions to the glossary of terms, we would prefer kind of standards-based definitions. So like for CVE, we would go out to the CVE page and kind of get their official definition of themselves. But if anybody is able to contribute to any of these glossary items that are there, or if you have additional things you think help provide security researchers context about coordinated vulnerability disclosure to open source groups, please feel free to add those. And then we started.

A: The next item is our bibliography, so kind of a library of resources that we feel are important to CVD or we've used in compilation of this document. So if you have any good resources, please place them there. And then finally, and probably the most important piece, is on page 14: the templates and examples. It's nice to have a guide that instructs people how to do things; it's better to give them a guide and tools to be able to execute.

A: So we have an example of what a disclosure template might look like, what an embargo template might look like. So if we have any examples of existing art or anything we want to create, let's get those linked there. And ultimately, this Word, this Google document is going to get moved into a Git repository once we are done.

A: Do we have a deadline? Oh, we do now. I would like to get, let's see if we can push this through to the finish line before that September 6th TAC update.

A: We were going to try today for Black Hat, but we got distracted. So, let's see, let's put a new date of September 6th as well. We would like to have the final draft ready, and that way, if we were so inclined, we could potentially present that the following week at the Dublin conference. Yes, Madison.

B: Do we, I know we had talked about the Linux Foundation editors in getting this basically copy edited. Do we need that to be done sooner so that they have time to do that?

A: Yes, you are right, hum hum hum. We are coming down to the finish line, so how about?

A: If we could have things by August 31st, give us enough time to do the writing, and I think the copy editors said they only needed a few days, but that gives me time to go back and bother them and get on their schedule.

A: All right, so August 31st it is. Thank you, Madison, keeping us focused. So our homework for today is, for those of you new to the group, please read the document. Fresh eyes are always helpful, and provide your comments in the document, or to the mailing list, or in our Slack, preferably in the document, so we can kind of see it all together. And as we, let's see, if we can get these last few items tightened up, do we want to schedule maybe some, a couple working sessions?

C: Sebastian, thank you. I just made some edits to the "who is an open source maintainer" section, and Google Docs has decided to make practically every keystroke a different suggestion. Anyway, I just thought it sounded a bit too specific to the GitHub paradigm, and so I've added references to patches and things that other communities use. Excellent.

A: Thank you, sir. That is one thing we want to highlight through all of our work, is that there are a lot of different ways open source executes, and you know, GitHub is a great tool. Lots of people put their code there, but that's not our only tool. So thank you for that, Sebastian.

C: And in some communities like Debian, if you make a pull request, it will never get seen. They leave the button there and no one will ever look at it.

A: All right, so any comments or additional questions?

A: Well, let's see, of the people here, we'll do an email out to the mailing list, but of the folks here today, who is interested, through showing a raising of hands, and then participating in a special, focused, kind of tiger team type call to finish writing?

A: All right, so there's at least four of us, so let us say, let's get a Doodle together for early next week. Does that sound fine, okay? That works for me, awesome. Is anyone able to do the Doodle to save me from monkeying around today?

A: Me too, remotely, but yes.

C: Thank you, just a final question, comment, and that's that the term "vulnerability disclosure" seems to have adopted two meanings in various different groups: one's the disclosure of vulnerabilities by a researcher to a project, but I've also heard it in the context of projects reporting to the users what vulnerabilities are present in a particular version. So the comment there is that it exists, and the question is: what should we do about it?

A: From my body of work and experiences, we're focused more on the former, is getting the right people engaged to correct the problem. And then the actual communications piece is generally one of the last steps of a CVD process. You know, the communication is very important, but you know, we're focused on making sure we get the right people with the right skills to fix the problem, and then we will notify downstream.

B: I think we mentioned this in our last meeting or yesterday's meeting, but I think the documentation, making sure that we have all the linking documentation in this, that the supporting documentation as well.

A: Yeah, that was the appendix down towards page, nonsense, bibliography on page 13 is where we were assembling all the supporting material. So if we have additional adds, please put it there, and then we'll go. Part of the last stages, we'll be testing all the existing hyperlinks in the document, make sure those are all valid.

A: All right, so again, homework will be: respond to the Doodle if you are interested in a focused working session on the document. Otherwise, your homework would be please review the document, add your comments so that we can get this closed out by the end of August and ideally, potentially, presented in Dublin on September 13th.