From YouTube: OpenSSF Vulnerability Disclosures WG (January 11, 2022)
A: I had a bit of a hiccup with my drive that I'm fixing, and then I'm sending in my PRs just so that it'd be noted. Cool, thanks. All right, it is three after the hour; if I could have folks mark their attendance. If you have any opens, please add them. Welcome to the January 11th edition of the Vulnerability Disclosures Working Group. Happy 2023, everybody. Glad to see we are continuing to operate and roll forward.
C: Carolyn Sanders. I'm a contractor with my appoint group supporting a lot of federal clients. Thanks. Everyone, welcome.
D: Hi everyone, I'm Yesenia Sun. Hey CRob, see you again. I'm from the Linux Foundation Alpha-Omega product project with Jonathan.
A: All right. First and foremost on the agenda, the LF is hosting the Open Source Summit North America. It'll be in May in far-off and exotic Vancouver, British Columbia, a real tropical hot spot in May. They have a call for papers that will close February 5th.
A: So this group especially, I would strongly encourage us to brainstorm and have some ideas and submit one to many presentations to that. There's a bunch of little micro-conferences, and there most likely will be an OpenSSF Day as well, but I would strongly encourage this group to put together some proposals talking about our work, maybe even having a session dedicated on some of our CVD guides, if they're... Ideally, there should be like real Linux developers there.
A: So maybe we can entice them in to learn about the maintainer CVD guide. I'm glad to help coordinate anybody to get papers done, I'm glad to co-present, I'm glad to review, provide feedback on anything. However we would like, however you were interested in contributing, let me know, but the deadline is February 5th. I already have a couple things lined up with Wheeler for the best work...
A: I'm sorry, the second-best working group, because this is the best, obviously, but he and I were talking about some best practices stuff. Hopefully, and if this group's interested, please let me know, and ideally going forward, we're gonna have... I will work on getting some kind of calendar so that we can be kind of strategic about how we engage with the assorted security and open source conferences so that we can start to get our message more broadly heard.
A: All right, next up I will give an update on the Open Source Security CERT Special Interest Group progress. We are status beige. I submitted an issue with the TAC December 9th. I have received an incredible volume of zero comments on it. I've also talked at two TAC meetings about it, and I probably will talk at a third TAC meeting in two weeks again. So right now, the CERT is on hold pending TAC comments, feedback, and then moving it up to the GB for funding consideration.
A: So hopefully we will have approval and we'll begin to actually start funded work, maybe the end of February; we'll see how that goes. I'll continue to supply updates on that, and in the meantime, if you get a chance to review the plan, if you have comments, please submit a PR, send a note to the SIG mailing list, make an issue in the SIG's repo, and we will try to address those concerns.
A: All right, before we talk about next projects, I wanted to make a note. We are currently doing a cattle call for meeting times for an APAC version of this call. I've had a request from a bunch of folks from Australia that are interested in participating, so we're going to try to capture a time that we can collaborate more with some APAC friends. So if anyone is interested, I believe I gave till Friday for this.
A: It's due to poll and close, but please feel free to express your opinion if you're interested in participating there. We will, just like the CERT SIG, report back to this main group as that group gets off the ground, but so far we actually have quite a few folks that have expressed interest, so I think it'll be a good productive call, including some other voices around the globe.
A: Any comments or feedback on the APAC call?
B: Would assume that lack of response is a silent approval.
A: I have heard... Oh, I want to grab something. I mentioned this in the Education SIG today; it may or may not be of interest here. I am part of a group of folks that do judging on assorted scholarships through an organization called (ISC)². Right now they are kicking off; there's two or three different women in cybersecurity scholarship programs that they are doing a review for papers on, so I'll make the same offer here.
A: If anyone has any (ISC)² credentials, and I'll put some details in the meeting agenda when I'm done talking and waving my hands around, but if anyone has any (ISC)² credentials like the CISSP, any of the cloud certs, CSSLP, you are eligible to participate. You will be rewarded not only by helping young people, young women especially, starting off their cyber careers, but you'll be earning some delightful CPEs towards your certification requirements, and again you're helping the general industry.
A: So if anyone's interested, please let me know and I'll be glad to put you in touch with Carol over at (ISC)². Back... Thank you. Thank you. Thank you. Somebody was sharp on the copy-paste. Cool, cool. But it's very worthwhile work, and the scholarships today that I'm talking about, that I'll be participating in, are focused on young ladies getting into STEM, and then undergrad and graduate ladies getting degrees in cybersecurity, miscis and related degrees.
A: Cryptography... I get there's a lot of folks that want to get into cryptography, which I hated. That part, that was my weakest part of the exam, math, but it's pretty exciting. But they also have a lot of other scholarships towards other underserved communities, towards folks in the military, and this is a global eligibility. So it's not just North America. I've had the opportunity to talk to, review submissions from folks from Europe, APAC, Africa, South America, everywhere except Antarctica. Come on, Antarctica.
B: Actually, so I put one in before this, so let's... I got a quick one. Hi, Trevor, I don't mean to call you up, but I... Also, so I sent an invite to Trevor like 30 seconds ago, in the middle of the beginning, and I don't think he introduced himself, but he pinged me with a question that this working group may be of use to start out with. So, Trevor, I'm gonna let you introduce yourself and then start, if you so feel comfortable to do so.
E: Completely fine. Can everyone hear me okay? Yeah, okay. So I think I've... actually, I recognize Madison's name here as well. I think I've reached out in the past, but I'm a PhD student at NC State, and what we are working on is... we're trying to... the latest paper was to identify silent vulnerability fixes. So this is when developers fix vulnerabilities but don't release security advisories, yeah. So what we have is we found about 260-some fixes across PyPI, Maven, npm, and in the past...
E: What we've tried to do is reach out to developers but didn't have the best success. Tracking down open source software developers is a little difficult. So what we were wondering now, at this point the advice, or the fixes, are quite old, so most of them well over six months to a year to two years, because this project was done, wow, six, seven, eight months ago. And what we're wondering at this point, given the timeline of when those fixes occurred, is it appropriate just to release those fixes?
E: We were targeting the Global Security Database, so GSD; I'll just go ahead and publish those fixes. We have a bunch of different... like we have granularity at the commit level of when the fix occurred, package names, versions and so forth.
A: I'll start, and everyone else is welcome to join in. My opinion is, as long as you've done your due diligence and you've made a legitimate attempt to reach out to those projects and to coordinate with those developers around the communication and getting the fixes out there, I think you would be perfectly fine using something like the GSD to publish those updates so that downstream consumers understand.
B: I would do that. I would... I mean, the other thing you can do is you can get a CVE number, and I suggested you work with like Snyk, or you could go directly to MITRE, and you know, if you've attempted to reach out to the maintainers, they haven't responded, you do think it's a valid security vulnerability... if the maintainer has not responded to say no, no, this wasn't a security vulner... related to security hardening, and you get a CVE number and they are upset about it...
B: They can always go back to MITRE or the issuing CNA and ask to contest the CVE, so it'll be listed as... even though it will remain in the database for CVE, it will show up as like vendor disputed or whatever, and then usually most vendors downstream don't flag for that. So it gives the maintainer the opportunity to opt out retroactively if you've done some bit of work after making a valid attempt to try to reach out to them in the beginning.
A: Depending on where those projects are housed, there are potentially multiple CNAs that could help. Not only can you go right to MITRE, the CVE program; you could potentially talk with Red Hat, you could talk with Google, GitHub; there's a lot of different organizations that potentially can assist. I think there's one...
B: Specifically, I think that the Node.js team, which of course is run by GitHub, is its own CNA. Madison, correct me if I'm wrong, but they could also do some of this legwork if you give them like all the npm projects and said, hey, this is all the ones that we've identified. Or, I don't know, Madison, you could probably speak to that better than I can.
G: Yeah, everything everyone said already. My additions are: I think you said this is a specific research project; it's not a long-running process that you're describing.
E: Correct, this was just a research project, so we... yeah.
G: You know, one, two, three, n parties to go deal with, since these are public. And to CRob's point earlier, if you've done some moderate due diligence trying to reach folks and they're not answering because they're busy fixing some bugs, and that's fine and that's very normal in this community, you are, I think, clear. And I'm a CVE board member, so I'm not supposed to say this, but if I were in your shoes, I would bulk assign via GSD.
G: Have them on record, they've got IDs, they've got write-ups. You've got, you know, git commits, your commit URLs. It's a balance of how much time you want to spend. I'd be happy to help you, and so would others, to do it via CVE, but it has these issues of the hierarchy and who you're supposed to go with.
G: Yeah, so, and they should all have separate IDs. This, in the CVE... this entire area of how many things do we have and how many do we publish and what IDs they have...
G: It's been in progress for years and it's still sort of in progress, so I personally like when someone comes along with a research project and you've got all the research, and part of it is of course, thank you, documenting stuff got fixed, great. Even the act of doing that is a kind of a natural experiment. So you could try the CVE process and say, wow, we put in 300 IDs, we went to like five CNAs.
G: It was horrible and took us forever. That'd be a great finding, which I'd expect you to have. Or: we just wrote a script that fired off a bunch of GSDs and Josh just took them all, and then we were done. So this is part of the experiment. I want to tell you your research reports... but this is always under development, so any time somebody can sort of poke an edge a little bit in the assignment area, I'm interested. So yes, I can, but yeah, I...
B: Guess the question that I have is how consumed is the GSD database versus, I mean, NVD's database is pretty ubiquitously consumed, and so the downside is, if you just go with GSD, I think that you're going to have less impact on getting the downstream consumers to actually force them to rev versions forward than you would with MITRE and the CVE process, because the CVE process is more ubiquitously used across the industry currently, and so it'll...
A: So I have two additional thoughts. First off, this group is the perfect place for us to formulate a reasonable response and some best practices around vulnerability identification and communication. So if this group feels GSD is the awesome sauce, we could, you know, figure out a way to endorse that and move that forward, or we could develop a process that does both, you know, does the bulk upload to CVE and also GSD.
A: So it's kind of... this group, we have the ability to kind of set that standard and try to encourage the ecosystem to move forward with whatever process or, you know, things we desire, we feel are good and will be acceptable to our development and maintainer friends. And then secondly, as I mentioned in my earlier update that is currently status beige, in the future there could be a group called the OSS CERT. That would be a group that is funded and put together to help with issues just like this.
A: Doesn't exist yet, but that is part of the intention of that group, is to assist in easing coordination and connecting researchers, maintainers and downstream consumers. So stay tuned; in the future there might be somebody that can more actively help, but hopefully today the team has given you some ideas of what your available options are and courses could be to get you what you need to get your important information out there.
B: From real-world, like actual trying-to-get-CVE experience, I... you know, this group aims to be vendor neutral, yada yada. Snyk has been particularly easy to get CVE numbers with. They have a research team. The work that you were doing where you scanned commit feeds to find, you know, unreported vulnerabilities...
B: They already have a team inside of Snyk that does that sort of work, so they're familiar with those sort of flows, so you'd just be giving them more data points to go and consume. They would actually put a real person on them and actually go through the process of trying to get the CVEs for all those things.
B: So from minimizing the amount of work you have to do, they are a good resource. And in the email that I sent you, I alluded to this. The reason that I dislike Snyk is because their database, for the information they provide... they do issue a CVE number.
B: The downside of that is that any consumers like GitHub and whoever, they don't get that structured-format data. You guys have to, like all the other consumers of that CVE number, have to re-consume it using a manual person, right. So the upside is you get the CVE out there, it'll have the positive impact. Downside...
B: It won't be in a structured format. But you can't use somebody like GitHub currently, because the maintainer is not in the loop, so GitHub's not going to let you issue the CVE number in the way that would give you the ability to put it into a structured format, because GitHub's database is Creative Commons. They're not going to accept it unless it comes in as a CVE number and then Madison's team consumes it and puts it in the feed.
B: So you know that's the state of the world, so I would go with... my suggestion, if I were you, I would go with Snyk first, and then if they say we can't help you, or we can't help you with this subset, then go to MITRE. Because MITRE, unfortunately in my experience, will be slower to react; things will take a little bit longer. But you could actually, you know, you could actually have like an actual email thread going with Snyk, you know, today, pretty quickly, and they'd...
A: Point of order, I... my friend Dan corrected me. I believe it is "Sneak." Okay, fine, Sneak.
B: Yeah, I can give you the... I'll send you an email with the direct email address. They have like a portal on their website, and then they have an email that they don't announce. I'll send you the email that they have to directly communicate with them. So I'll send that to you.
B: Now we can be the one that was listed on the open...
B: Get there, yeah. Madison and I have done about one Slack message between the two of us brainstorming on this, on what we're gonna do. You know, we need to... we need to, yeah.
B: We will... we're going to work on the slide deck, but Shmuel is in on the 20th. It's Madison and I are speaking, so yeah.
F: It's fine, we'll be fine, I'm not worried about it. One thing, though, that I would like this group's help with is: we will be discussing the Finder Guide while we're there, right. There are a couple of open PRs against the guide that I would really love if we handled before I advocated for this publicly. I think they're like fixing some typos and a couple of other things, so I personally think it would be really great to share this if those were handled.
B: Gonna have notification feed is... is two-packed, Madison.
A: If it's Randall's litter thing, ignore it, but today, during...
B: Our next two...
B: Yeah, so, brief update on the SnakeYAML case. Between the meeting that I had last... so we met, what, before the holidays last year, and the maintainer was not gonna fix it. I sat down with him on a video call for an hour, went around in circles for about 40 minutes, and then finally realized that the minimally invasive change that... or the change that I was asking to make, he thought was huge, and I said no, no.
B: All you have to do is make this minimally invasive change that won't break your API that much. And he's like, oh, I can change that. I'm like, great. So he's gonna fix it. So there's now a patch for this six-year-old remote, quote, execution vulnerability in SnakeYAML. Yeah, I spent an hour during my vacation in Punta Cana on this call, but yeah. So the guy's gonna fix it. There is not a release out yet, I think the...
B: ...has been patched, and then I'm planning on retroactively updating the CVE number that Google put out that stated that there was no fix, because now there will actually be a fix, but I...
B: Funny thing about this is, as soon as you go and fix this stuff, then you have to go and also report it back to, like, anybody who's written a static code analysis tool to, like, alert on this vulnerability, like CodeQL. Like, it's all these people spend all this time working on static code analysis tools to find these vulnerabilities across all the downstream consumers.
B: It's my rant, so yeah. So I'm gonna do that with CodeQL and see if there's anybody else that's alerting on this particular vulnerability, saying hey, it's fixed now. Yeah, yeah. Oh, and then on top of that, I'm also looking at YAML parsers in general across the industry, and there's been this long trend of remote code execution vulnerabilities in YAML parsers, and I finally pinged the specification authors of the YAML spec and said, hey.
B: This has been like a long-standing issue, and this has been something that all the YAML parsers seem to have done. Can we put something in the spec, like the YAML spec itself, to say this is not good behavior? And so that conversation has started. They seem dubious, but I am going to continue to push on that so that maybe we can fix it at the spec level instead of just individual parsers, or loaders.
A: Yeah. Any questions, comments, feedback for Jonathan on the SnakeYAML saga?
A: But currently we have proposals to create plugins or add tooling to enable the CVD guides, and I just talked with Francis from Google, and he's going to come back and he's actually going to try to champion and lead a group working on this. So not only will we have an awesome set of CVD guides, we'll have some tools and plug-ins and some automation that could help people implement the things in there.
A: Yes, oh, star: if someone is interested in implementing the steps in our guides, are there ways we could help ease that, automate that? Hey.
A: But we would, again... software lives in many different types of repos; maintainers work in a lot of different spaces. So while we may focus on some of the big major repos, we need to think about ways to empower other types of developers and researchers, but yeah. There is no bad idea there. So if you have an idea for any kind of assistance for people, whether... right now we have security researchers and project maintainers are our two targets.
B: I've thought about adding, like, Refined GitHub... I mean, a lot of the stuff that I use on GitHub anyways. I've always thought about, like, there's certain things that Refined GitHub is great for. For the people that don't know, Refined GitHub is a Chrome plug-in that adds a bunch of UI elements and improves the GitHub UI across the board. If you're using GitHub a lot, it's a really good Chrome plugin, but basically, like, you know...
B: Instead of asking GitHub to implement a feature, you can just, you know, go and issue a pull request to this plugin and then add a feature that you may need to GitHub as a user experience that, you know, you can control instead of having to, you know, harass, you know, PMs at GitHub to get things implemented. So at least things that are driven by the UI. And so I've thought about trying to automate some of my workflow and make things easier to access via that methodology.
A: Our other project, which again does not mean we can't do more than one at the same time, is a CVD guide for open source consumers, and we had a question in the chat from Sandapan, and a consumer would be anyone downstream from a maintainer. So while a supplier like Ubuntu, SUSE, Red Hat, a distro, so to speak, could be considered a consumer, they more fall into a supplier role. They have some different obligations and tasks within the supply chain.
A: This guide is focused primarily on, like... think about an enterprise end user, so like a bank or a developer working at a retailer, or that type of person would fall into that persona, and we do have our personas documented in our git repo; I'll track down a link in a minute. But so we were thinking about: we have two awesome guides, they're getting more awesome as Madison resolves her PR. Now we would have potentially a third focused on this consumer persona. So this is another task.
A: All right, and then our other project idea was a guide for maintainers, so kind of like a supplementary or a companion piece for our existing CVD guide, but a guide for maintainers on handling incidents. And the idea here is more of a playbook that if you're a maintainer and you have a report, or you get information about an active incident, this is steps, meaningful steps you could take right meow to work on addressing that issue. So this could be a checklist, a playbook, but not intended to replace the CVD guide.
A: Cool, thank you. So I have... give me a second while I Google around. So we, within another working group, we are spinning up a... oh, I have a typo in the title, oh, bad.
A: We are spinning up a subgroup that's going to focus in on a best practices guide around source code management best practices. So we could do something similar here, where we set up a poll and have people that are interested in working on any of these three projects kind of express when they're available to do that. So are folks interested in me setting up three polls and kind of seeing if we get some raised hands of folks that are interested in contributing towards these efforts?
B: Oh, another project idea, kind of. So we have these guides, right, as they're written. So like the idea of, like, speaking about these guides is one way of getting the information about these guides out there. But is there other avenues?
B: Video, you know, so I don't know, some other alternative sort of media way that we could communicate this stuff out there to get it into people's hands in a way that they might consume it better. You know, more densely packed, you know.
B: Hey, high level, I have ADHD; thinking about how someone like myself, which I read the guide because I was working on it, but like someone who, like, you know, wants something faster. A video, you know, a bunch of graphics, something like that: a more condensed version of this information in a way that they could share it, consume it, you know, yada yada.
B: But like that sort of content format, right, is fast, dense, you know, and I don't know if any of us can come up with content like that, but there may be external organizations and firms that we could contract with that are good at creating graphics that are high quality, to help us put the messaging that we've... the messaging we've already put in writing, condensing it even further into a format that could be quickly consumable by people.
A: So I personally feel this is an excellent idea. I have a couple suggestions on how it could be executed, but does anyone else have any similar thoughts on Jonathan's proposal to augment and create some different views of our information to get it out to more viewers?
A: So I'll start rambling in hopes of other people kind of stewing the creative juices. We have a couple outlets today, Jonathan. We absolutely could leverage the LF marketing team, Jennifer. We could figure out some tweets. We could do some blogs.
A: That is a very simple and quick way to get information out, like next week. Don't quote me on time, but that's very quick to market. We have the ability, if this group is interested, we could create our own video, our own graphics, and then work with the LF team. They have a graphics budget, so we can kind of, again, talk with Jennifer to get like an infographic put together, or if someone within the group has a creative tinge to their skill set, we definitely could leverage some of that.
A: So that's two options. Three: there is the Best special interest group... the Education Working Group has, as part of their plans to address the mobilization plan, is they will be spinning up an OpenSSF podcast focused on AppSec topics. So we could file an issue over in the Education SIG and request collaboration that that group, which ends up being me, does assistance on doing podcasts, webinars, and just kind of focusing time, and then those, the education people, are again focused in on that topic, that delivery of content.
A: So we have the LF Education team we also can lean into. If they were different... if we wanted to make a class, and we probably should make a class as part of the LF curriculum on the CVD practices, that would probably be another great idea. So those were just a handful of things we can do short to medium term.
B: Yeah, I know that you can get nice graphics out if you, you know, having worked for companies that, you know, have marketing teams, that you, you know, contract with the right one and you get nice graphics out of them, right. You get nice videos and stuff like that. So trying to figure out, you know, what to communicate, and then also, you know, how to do so in a fast way, and then trying to tap into one of those resources. I...
A: I will suggest that, since most of us assist in selling free software, it generally is frowned upon to spend a lot of dozens of dollars. But that is an option.
A: We could potentially put a proposal together and shoot that up to the TAC for a governing board approval if we wanted to get an agency involved. And that's, again, I deal with those folks all the time, and they have varying prices, and they even can do stuff less expensively by, you know, contracting out through the internet if I need help with graphics or whatever; you can for a lower fee and not necessarily going through a professional agency.
A: We have a lot of options, and I would first off suggest and strongly encourage you to write up your idea as an issue within a repository, so other people can type in their feedback and we can collaborate on that. I think it's a great idea, though, and I'm glad to help. Any other comments? Shut up, Siri.
A: All right, but yeah, I would ask you to write the idea up in an issue, Jonathan, and that way we can get some more eyes, and I... the Education SIG definitely will help longer term, you know, later this year, but if we wanted to do something sooner, there's nothing stopping us to have a call to, you know, do an outline for an infographic and then start to solicit around.
A: All right, well, I will adjourn our call this week. Thank you, everyone, for participating. Madison and Jonathan, if you would like a second set of eyes on your presentation or an audience, let me know, ping me on the Slacks, and otherwise we will talk to everyone within two weeks. If you have feedback on anything, pop it into an issue, talk about it on Slack, or send something out to the mailing list, and I'll be sending you all some spam with some Doodle polls shortly. Enjoy the rest of your day. Can...