►
From YouTube: OpenSSF Vulnerability Disclosures (May 17, 2023)
B
C
A
D
C
A
C
A
F
C
D
C
H
D
C
G
D
C
A
D
D
E
C
C
A
A
I
wanted
to
check
with
the
group
and
see
if
there's
anyone
interested
in
helping
kind
of
serve
as
a
co-lead.
Our
friend
Anne
from
Google
has
abandon
us
and
that
she's
a
very
busy
lady,
but
I,
wanted
to
see
if
there
was
someone
to
help
provide
backup
for
me
in
case
I
do
have
another
conflict
with
this
call
shouldn't
happen
very
often.
A
C
C
C
E
C
D
A
A
Good
Lord,
the
open
source
cert,
is
currently
still
under
consideration
by
the
governing
board
for
funding.
I
talked
with
omkar
the
new
managing
director
last
week
about
the
matter
and
he's
trying
to
strategize
how
he
wants
to
work
with
the
people
that
have
the
companies
have
provided,
pledges
and
just
kind
of
overall
how
the
mobilization
plan
and
other
efforts
fit
within
the
larger
strategy
of
the
organization.
A
So
I
don't
have
any
other
updates
and
we're
going
to
put
those
calls
on
hold
for
now,
just
to
stop
kind
of
wasting
people's
hour
logging
in
and
having
nothing
to
do,
but
ideally
we'll
get
some
direction
from
the
governing
board.
And
if
anybody
has
any
ideas
or
proposals
for
that,
Sig
feel
free
to
file
an
issue
or
PR
against
our
plan.
A
J
A
C
C
Two
weeks
ago,
the
meeting
didn't
get
added
properly,
so
we
ended
up
with
one
person
joining
the
meeting,
but
we
did
work
on
the
document.
There
is
also
going
to
be
a
meeting
this
afternoon
at
it's
not
on
the
calendar,
but
I
have
emailed
kaheel
to
say:
hey.
Can
you
please
re-add
it
nope?
It's
back?
No,
it's
not
there!
No!
It's
there!
Okay,
yeah
we're
good.
Okay.
C
A
C
A
D
A
C
A
C
E
A
Great
go
ahead
and
put
that
under
opens
we'll
get
to
opens
in
a
second
perfect
for
the
open,
Vex
Sig.
We
had
a
great
call
this
last
Monday
and
starting
with
our
next
meeting,
going
forward,
we're
going
to
be
alternating
between
a
technical
call
for
developers
to
talk
about
the
tooling
and
the
spec,
and
then
an
evangelism
call
where
we
will
talk
about
how
we
engage
with
industry.
A
Other
standards
like
like
Oasis
and
csaf
Cyclone
DX
spdx,
to
start
to
figure
out
how
we
can
get
more
people
using
Vex,
we're
very
excited
about
that.
We
have
an
exciting
Goose
logo
that
will
be
unveiled
in
our
GitHub
repo.
Once
I
get
someone
to
update
that
readme
file
and
if
anyone's
and
we
are
planning
on,
we
have
a
Australia
focused
long
disclosure
working
group
meeting
the
last
Thursday
of
each
month
and
that's
predominantly
where
the
osv
team
lurks
they're
based
out
of
Australia.
A
So
it's
convenient
for
them
to
engage
with
us,
then.
So
we're
going
to
see
if
we
can
get
open,
Vex
and
osv
talking
to
see
if
there's
any
Synergy
there
between
the
two
tools
to
see.
If
we
might
be
able
to
see
if
there's
some
joint
collab
there
so
more
news
to
come
on
openvx
any
any
questions
about
Jonathan's
autofix
update
or
my
open
Vex
update.
A
D
C
The
great
repository
audit-
and
so
this
idea
is
that
we
would,
as
the
open,
SF,
probably
funded
by
the
alpha
omega
project,
engage
in
pen
testing,
slash
auditing
of
the
major
artifact
servers
in
the
industry.
My
the
the
pretense
that
I'm
positing
this
under
is
when
you
purchase
software
as
a
company.
C
Usually
it
goes
through
a
Security
review
right,
like
you
know,
if
you
buy
software,
so
Securities
involved,
they
say
we're
gonna,
we're
gonna
need,
like
you
know,
to
show
either
you
need
to
have
saw
compliance
or
you
know
you
need
to
have.
You
know
a
pen
test
report
that
you
can
show
us
recently
and
I
pause
it
that
the
major
artifact
servers,
Maven,
Central,
Gradle,
plug-in
portal,
pip,
ruby,
gems.
C
Right,
we
need
to
like
think
about
the
basics
first,
and
so
The
Proposal.
That
I
have
is
that
I'm
working
on
is
that
we
would
engage
with
a
firm
to
have
them
begin
or
perform
audits
like
this.
The
the
thing
that
I
have
gotten
from
the
artifact
host
that
I've
spoken
to
the
thing
that
they
that
they've
kind
of
balked
at
is
I've
also
proposed
that
with
that
work,
because
it's
work
founded
under
the
open
source
security
Foundation
that
any
of
that
work.
C
That's
funded
on
the
open,
Star
Security
foundation
will
also
have
the
vulnerability
disclosure
policy
that
the
open
source
security
Foundation
has
authored,
apply
to
any
of
the
disclosures
that
come
out
of
that
work
so
that
the
90
day
plus
14
day
policy
applies
the
some
of
the
feedback
that
that
I've
gotten
is.
You
may
have
organizations
and
vendors
that
are
less
willing
to
collaborate
with
you
if
you
are
also
coming
at
it
with
the
and
this
also,
this
work
has
an
Associated
disclosure
deadline
to
it.
C
C
One
of
the
concerns
is,
you
know,
they're
less.
They
maybe
will
less
willing
to
work
with
us.
The
other
concern
that
I've
had
posed
is
with
a
pen
test
report.
You
may
be
dumping
a
large
number
of
vulnerability
reports
on
an
organization
all
at
once,
because
it's
you
know
you're
doing
a
scan
all
like
you're
doing
a
massive.
You
know
bunch
of
work,
and
so
suddenly
they've
got
a
bunch
of
work
dumped
into
the
lab.
J
C
So
I
would
not
be
focused
on
that.
I
would
be
focused
on
because
it's
like
that's
that's
implementation.
Detail
of
the
corporates
end
users
right
if
they're
responsible
for
their
own
infrastructure
I
would
be
focusing
this.
The
scope
of
this
work
currently
as
proposed,
which
is
not
entirely
written
down
but
mostly
kicking
around
my
head,
which
will
get
written
down
and
submitted
to
alpha
omega
as
a
proposal
for
funding,
would
be
that
the
scope
of
the
audit
would
include
both
the
hosting
infrastructure
for
the
packages,
the
upload
infrastructure
right.
C
So
you
are
a
pi.
So
everything
from
the
developer
publishes
a
package
that
package
gets
hosted
the
hosted
information
like
the
information.
That's
rendered
right
so
both
like
making
sure
the
information
is
correct,
but
also
making
sure
that
those
packages
can't
get
hijacked
by
another
malicious
user
that
the
artifacts
can't
be.
You
know
like
we
don't
have
open
S3
buckets
that
anybody
can
write
to
without
permissions
and
overwrite
other
packages
right
all
of
that
infrastructure.
C
All
the
way
to
potentially
including
the
consuming
infrastructure
right
so
you've
got
Pi
Pi,
that's
actually
pulling
the
artifacts
down
and
making
sure
that
there's
you
know
it's
not,
for
example,
like
Pi
Pi,
hasn't
accidentally
disabled,
cert
verification
on
the
https
download
right
like
they're
like
they.
They
can't
like
sure
we're
using
https,
but
like
that,
the
search
tab
like
check
has
been
just
completely
disabled,
like
that
sort
of
scope
like
from
the
publishing
to
the
consumption
side
and
in
that
entire
pipeline
in
between
including
the
artifact
server
in
the
middle.
F
But,
but
as
a
consumer
of
these
Services
I
I
applaud
effort
to
secure
this
part
to
My
supply
chain,
but
if
I
was
working,
there
underfunded
very
very
little
time
properly.
Helping
spare
time
I
would
be
I
would
want
to
be
involved
in
the
process
and
be
able
to
consume.
The
changes
proposed
bit
by
bit,
which
means
that
giving
me
a
timeline
in
that
case
of
90
days
would
be
disastrous
right.
F
C
Does
your
answer
change
based
upon
whether
or
not
the
so
for
some
of
the
artifact
servers
right,
they're
hosted
by
corporations
right
so
Maven
Central
is
hosted
by
sonotype
Gradle
plugin
portal
is
open,
hosted
by
Gradle
Inc
Pi,
Pi
and
rubygems
are
Community
run
right.
Does
your
answer
change
when
the
artifact
server
is
hosted
by
a
company
versus
it
being
hosted
by
a
community
or
does
your
answer
stay
the
same.
C
K
F
C
E
E
F
C
E
B
E
D
A
I
would
suggest,
with
some
of
these
repositories
where
there
is
more
mature
or
at
least
a
more
funded
organization
behind
it,
and
odds
are
very
good
that
they
are
members
of
the
foundation
and
odds
are
also
that
there
are
some
really
awesome
security
people
that
might
contribute
to
or
be
Affiliated
to
that
Community
or
be
affiliated
with
that
organization.
I
think
as
part
of
your
process,
you
could
potentially
lean
into
and
notify
those
organizations
in
advance
and
all
throughout
the
process
to
ensure
saying
we
would.
A
A
Dear
sonotype,
do
you
have
anyone
on
your
side
that
you
could
help
make
available
around
that
time
frame
to
work
with
us,
or
do
we
have
any
community
members
to
try
to
be
prepared
for
that
influx
and
I
think
that
we
could
be
flexible
with
potentially
the
timeline,
maybe
criticals
or
highs
need
to
follow
that
time
frame,
but
lows
and
moderates,
maybe
something
that
we
get
commitment
that
those
get
put
into
a
backlog
and
they
can
commitment
that
they'll
be
worked
on
within
some
time
frame.
Potentially.
C
C
If
we
do
it
we're
going
to
have
the
90-day
policy
apply.
If
you
can
fund
it
and
you
do
it,
we
just
want
to
see
a
pen
test
report
within
180
days
or
something
like
that
right.
We
want
to
see
a
pen
test
Report
with
the
included
like
retest
report
right.
So
then,
so
then
corporate
entities
can
can
see
like
okay,
we're
gonna.
Have
this
done
one
way
or
another?
C
F
C
A
A
J
J
A
K
So
I
agree
that
the
process
is
kind
of
the
important
part
of
these
many
artifact
repositories,
and
they
do
have
like
these
kind
of
ways
to
have
like
official
packages
and
verified
packages.
Each
package
manager
and
each
hosting
Services
has
all
these
kind
of
tricks
to
like
give
like
trust
to
their
packages
and
the
process
that
they
they
sometimes
it's.
Basically,
humans
that
verified
the
company.
That's
providing
the
package.
Those
processes
differ
very
very
between
all
these
look
at
doco
HUB
and
you
look
at
like
bit
packet
what
they
do.
C
K
D
F
A
A
B
If
you
have
an
npm
a
package
that
is
up
a
combination
of
lowercase
in
uppercase
and
then
that
gets
redacted
for
some
reason
and
then
you
add
another
package
with
all
lowercase,
so
on
npm
you'll
be
able
to
do
the
typo
squatting
using
that
method,
but
Pi
Pi,
for
example,
doesn't
allow
it
because
they
verify
like
anyway,
so
they
address
it.
So
so
I
guess
like
we
need
to
define
the
scope.
F
C
Chrome
you
mentioned
yeah
they're
talking
about
this
is
this
is
a
conversation.
That's
already
come
out
of
that
working
group.
That's
this
is
I'm.
Just
and
I.
This
I
I
presume
that
this
whole
thing
will
be
a
Stig
under
the
that
working
group
under
the
phone.
The
security
securing
repositories
working
group
but
I
see
that
yeah
yeah
it
it.
It
touches
on
other
components
in
particular:
vulnerability
disclosure,
so
I
figured.
A
C
C
C
Open
source
technology
time
so
so
Amir
has
done
these
sort
of
audits
for
other
Cloud
providers.
Right,
including,
like
you
know,
containerization
stuff
like
that
like
this-
is
something
that
and
so
I'm
working
with
Amir
on
this,
because
he's
already
gone
down
the
route
of
funding,
these
sort
of
audits.
Doing
these
audits-
you
know
yada
yada,
so
I
want
to
make
I
want
to
I
want
to
go
I,
wanna
I,
don't
want
to
reinvent
the
wheel,
he's
already
done
it
so
we're
going
to
collaborate
on
that
too,
and
he's
awesome.
A
B
H
I
think
involving
the
communities
from
the
start
is
Paramount.
Nobody
likes
to
have
a
ton
of
vulnerabilities
dumped
on
them
when
they
could
have
been
brought
in
earlier
in
the
process
right
so
I
think.
As
long
as
we
involve
the
right
people
as
early
as
possible,
that'll
help
ensure
that
this
stays
collaborative
and
doesn't
doesn't
devolve.
C
A
Cool
cool
cool
and
then
the
last
item
I
had
this
is
from
the
open,
Vex
crew
and
then
some
of
my
involvement
with
s-bomb
and
sisa
as
some
of
these
Technologies
are
starting
to
see
some
use
or
like
s-bomb
you're.
Seeing
that
the
deadline
for
providing
them
is
looming,
people
are
starting
to
think
about
actual
s-bombs
and
VEC
and
Vex
and
then
like
advisories
in
use.
A
So
there
is
an
issue
underneath
the
openvex
spec,
where
we
are
trying
to
figure
out
how
better
to
broadcast
changes
or
notifications
through
the
system.
So
if
anyone
has
any
feedback,
that's
a
great
place
to
comment
on
issue
9
under
the
openvex
spec
repo.
We
will
have
another
call
on
the
29th
of
May
and,
as
Ollie
mentioned,
it'll
be
kind
of
late
in
the
day
for
Europe,
but
those
are
recorded
and
if
you
have,
the
agenda
is
open.
A
So
if
you
wanted
to
put
talking
points
and
there's
an
open,
Slack
channel
that
you
can
engage
with
the
team
directly,
then
so,
if
you
have
thoughts
about
how
some
of
this
might
come
to
fruition
and
how
we
can
start
to
get
more
folks,
Upstream
thinking
about
and
using
Technologies
like
software
Bill
materials
and
the
vulnerability
exchange
formats
just
so,
we
can
start
to
see.
Do
all
these
theories
work.
It's
a
lot
of
great
ideas.
How
do
they
work
in
practical
application?
And
how
does
you
know
each
layer
of
the
supply
chain.
A
A
Yeah
I
think
people,
one
of
the
biggest
challenges
for
consumers
of
these
things
is
going
to
be
kind
of
filtering
and
prioritizing,
because
you're
potentially
going
to
get
thousands
of
signals
a
day
through
s-bombs,
advisories
and
vexes.
It's
going
to
be
very
challenging
for
Downstream
consumers
to
understand
and
take
action.
D
F
I
added
something
to
that
again,
please,
sir,
take
it
away.
This
is
storytelling
I'm
a
Storyteller.
Once
upon
a
time
there
was
this
man
in
a
university
in
California
who
managed
the
DNS
route,
John
posto,
and
he
formed
a
small
by
the
US
and
when
the
world
discovered
the
importance
of
the
internet
and
the
importance
of
the
DNS
names
they
found.
John
postel
working
in
sandals
right
and
the
U.S
suddenly
claimed
the
internet
is
a
U.S
thing
only
because
we
pay
the
salary
of
these
guys,
especially
young
postal.
F
You
heard
a
story
right
so
what's
happening
today.
Well
we're
building
all
these
s-bombs
we're
using
the
s-bombs
to
verify.
If
we
have
any
vulnerabilities,
we
match
them
with
MVD
forget
CVSs
course,
and
we've
used
AC
versus
course
to
add
our
own
Environmental
things
and
discover
our
own
risks.
Right
now,
there's
a
group
called
The
s-bomb
Forum,
which
I
Got
Hijacked
into
that
are
meetings
Friday
evening
late
Swedish
time.
F
So
it's
very
good
to
join
with
a
glass
of
wine.
Not
everyone
does
because
it's
other
time
zones
for
them,
but
this
group
has
been
in
contact
with
the
MVD
team
and
turns
out
there's
a
small
team.
They
got
a
budget
set
in
November
still
haven't
seen.
The
money
says
unclear
whether
they
get
funding
for
the
rest
of
the
year.
It's
19
person
manage
all
of
this
and
they
haven't
been
in
contact
with
anyone,
so
they
were
sitting
there
saying
that.
F
Well,
we're
gonna
disallow
all
the
mirroring
of
the
MD
database,
because
we
have
this
shiny
new
API,
but
they
had
no
content
delivery
Network.
They
have
no
scalability.
Nothing
and
I
see
that
everyone
here
and
millions
of
others
will
start
using
scans
directly
joke
to
just
added
a
scan
directly
to
them
with
the
API
Soldier
Developers
Runners.
So
this
is
the
little
organization
funded
by
the
US
that
manage
our
vulnerability
flow
unfunded.
F
F
Just
a
single
little
API
I
know
discussion.
So
we'll
see
what
happens,
but
I
think
we
need
to
get
more
funding
from
other
places
than
the
US
and
need
to
discuss
how
to
migrate
this,
to
something
Community
maintained
and
maybe
open
ssf
has
a
working
group
or
some
interest
in
helping
out
here,
because
we're
a
community
I
mean
mirroring
the
MD
and
every
server
that
mirrors
Linux
or
Debian
that
that's
a
piece
of
cake.
If
we
just
decide
to
do
it.
A
F
F
F
A
L
If
my
connection
works,
it
does
hey
I've
had
one
art,
hi
Ali,
my
name
is
Art
Manion,
all
right,
I
think
what
I
I
think
what
I
heard
you
say,
partly
from
the
from
the
esbom
Quorum
group,
was
so
I
heard
a
couple
things.
Could
the
nvd
and
that
whole
that
whole
aspect
of
what
is
effectively
somewhat
Global
vulnerability
management?
L
L
F
D
F
C
F
L
L
L
L
L
L
I
F
L
A
A
Mentioned
we
there
is,
we
are
trying
to
connect
the
osv
folks
with
the
nvd
team.
Historically,
we
have
talked
with
the
cve
board
as
part
of
this
group,
so
I'd
like
to
see
what
we
can
do
to
positively
contribute
to
that
conversation,
but
yeah.
If
you
could
do
that
for
us,
so
we
don't
lose
track
of
it.
That
would
be
amazing.
F
Yeah,
it
also
comes
back
to
what
I
think
was
Dave
Keeler,
who
said
that
there
are
many
open
source
Linux
projects
in
the
in
the
foundation
that
doesn't
file
cves
and
I
I
never
got
any
response
when
I
asked
why
so
there
could
be
improvements
for
these
projects,
today's
top
filing
CVS
yep,
but
we
need
a
dialogue
here.
Yes,.
D
A
You
all
may
be
aware
they
are
getting
ready
to
release
an
updated
version
later
this
year,
CVSs
V4
and
if
it
is
of
interest
to
this
group,
I
can
petition
my
friend,
Dave
Dave,
who's
kind
of
leading
his
efforts
to
maybe
come
and
do
a
presentation
for
us
so
that
you
know
this
group
can
understand
some
of
the
changes
that
are
coming
down
the
pipe
with
CVSs
and
yet
not
that
all
absolutely
Upstream
maintainers
use
it.
But
it's
very
useful
and
used
in
a
lot
of
our
organizations.
A
A
I
don't
know
if
it's
super
seeds,
epss
Jason
yeah.
They
are
different
efforts,
but
there's
some
actually
very
I
thought
very
good
changes
to
the
standard
to
make
it
like
they.
They
are
refining
the
dreaded,
always
confusing
scope
area,
so
they're
they're
fixing
some
things
they're,
adding
in
some
human
life
and
safety
considerations
as
optional
metrics
to
be
able
to
share
as
part
of
your
CVSs
evaluations.
So
there's.
A
Amount
of
changes-
and
ideally
it
streamlines
some
things,
clarify
some
stuff,
and
then
it
reminds
people
again
that
it's
honestly
the
end
consumer's
job
to
once
they
get
that
initial
metric,
it's
their
job,
to
reflect
upon
what
controls
and
processes
they
have
in
place
and
adjust
that
score
accordingly
via
temporal
type
stuff,
so
they're
revising.
All
of
that.
F
D
A
Right
so
I'll
see
what
I
can
do
so
look
for
a
future
meeting
to
talk
about
the
new
CVS,
sv4
and
I
had
interviewed
the
epss
guys
a
while
back
Jason
if
you'd
like
I
can
also
see
if
I
could
reach
out
to
them.
Maybe
they
wouldn't
be
willing
to
come
in
and
talk
about
their
efforts.
If
that
would
be
of
use.
J
I
think
it'd
be
useful,
like
you
know,
and
I
know
that
I
know
that
first
doesn't
necessarily
operate
this
way,
but,
like
I'm
kind
of
curious
about
like
the
overall,
you
know
strategy
to
architecture
of
how
you
know
how
do
they
work
together?
What
should
you
take
into
account?
How
do
you
because
everybody
just
wants
one
number
right?
Everyone
wants
their
magic
prioritization
number.