From YouTube: OpenSSF Vulnerability Disclosures (May 17, 2023)

A: Yes, she is no longer with Wii. Pro is, I don't know, kind of doing the independent author gig, not fun. I have her book.

C: Yeah, those were... this is, yeah.

A: All right, friends, I posted a link to our agenda. Now that we're done with Reading Rainbow, let us move on to more serious matters.

A: Appreciate it. All right, do we have any new friends, that this is your first time showing up to the group, you wanted to introduce yourself?

I: Yeah, this is my first time as well, just joining to get a sense of what the group does and see if I can potentially contribute.

E: And I'm John. I'm also... I work with CRob at Intel, and yeah, I do software security stuff, supply chain security stuff, so I'm excited to get involved here.

A: Okie dokie, just as a note for the group before we move into new business: I have received a lofty new role within the OpenSSF. I have been elected chairperson of the TAC, the Technical Advisory Committee. So I don't know precisely what that means yet, but I do know it means more meetings.

A: I wanted to check with the group and see if there's anyone interested in helping, kind of serve as a co-lead. Our friend Anne from Google has abandoned us, in that she's a very busy lady, but I wanted to see if there was someone to help provide backup for me in case I do have another conflict with this call; shouldn't happen very often.

A: If I can do it, anybody can do it. It's pretty easy to kind of herd the cats around during the call, but please consider that, as we move forward, we're looking for an active member to help us there.

C: I don't mind, but I would love if there was like a co-co-lead. Madison, can I co-opt you to be my co-collaborator on this endeavor? I'm gonna double-team this.

A: Good Lord. The Open Source CERT is currently still under consideration by the governing board for funding. I talked with Omkhar, the new managing director, last week about the matter, and he's trying to strategize how he wants to work with the people, the companies, that have provided pledges, and just kind of overall how the mobilization plan and other efforts fit within the larger strategy of the organization.

A: So I don't have any other updates, and we're going to put those calls on hold for now, just to stop kind of wasting people's hour logging in and having nothing to do, but ideally we'll get some direction from the governing board. And if anybody has any ideas or proposals for that SIG, feel free to file an issue or PR against our plan.

C: Yes, kind of, sort of. The Autofix SIG has been meeting. We didn't meet last week because Vancouver.

C: Two weeks ago, the meeting didn't get added properly, so we ended up with one person joining the meeting, but we did work on the document. There is also going to be a meeting this afternoon at... it's not on the calendar, but I have emailed Kaheel to say, "Hey, can you please re-add it?" Nope. It's back? No, it's not there! No! It's there! Okay, yeah, we're good. Okay.

C: Let me reload. Yes, there's a meeting on the calendar for the OpenSSF Autofix SIG at 4 PM to 5 PM Eastern, to discuss the document that is currently under review regarding how we will be fixing vulnerabilities at scale across open source. Yeah.

C: No, no major updates on that, but now that the outgoing vulnerability disclosure policy document has been published, or has been approved by the TAC and needs to get published, we can probably incorporate that as a part of this policy. That is a follow-on question, CRob, that I think I asked in the Slack, and I got a response from you, but I don't know if I ever... I think I just need to talk to the TAC or somebody, I know.

C: I think... let me look at the TAC messages. They suggested that we put it...

A: The Technical Advisory Committee would be a fine place to have a policy for the foundation, as a landing spot. Interesting.

C: I saw it in the Slack. I don't remember where the suggestion was. All right, I will, Jacob, root around, and I will interrupt later if I find that place that I got the response from. I think it was from the former TAC lead that he suggested, like, there was Bob, yeah, he suggested somewhere.

C: I agree, I definitely agree, I know. Okay, let me, yeah, but I will send it to the TAC, and if they have... I'll send that in an email and then see what they have to say. Perfect. Okay.

C: There's another thing that I wanted to talk to... I don't have that DVD, I have... can I jump onto another topic? Is it open? But if...

A: Great, go ahead and put that under opens; we'll get to opens in a second. Perfect. For the OpenVEX SIG, we had a great call this last Monday, and starting with our next meeting, going forward, we're going to be alternating between a technical call for developers to talk about the tooling and the spec, and then an evangelism call where we will talk about how we engage with industry.

A: Other standards, like OASIS and CSAF, CycloneDX, SPDX, to start to figure out how we can get more people using VEX. We're very excited about that. We have an exciting goose logo that will be unveiled in our GitHub repo once I get someone to update that README file. And if anyone's... and we are planning on... we have an Australia-focused vuln disclosure working group meeting the last Thursday of each month, and that's predominantly where the OSV team lurks; they're based out of Australia.

A: So it's convenient for them to engage with us then. So we're going to see if we can get OpenVEX and OSV talking, to see if there's any synergy there between the two tools, to see if we might be able to see if there's some joint collab there. So more news to come on OpenVEX. Any questions about Jonathan's Autofix update or my OpenVEX update?

A: I believe there is. I will track that down for you while we have someone talk about opens. I think Jonathan had an open.

A: All right, Jonathan, why don't you do your open, and then I'll talk about the VEX issue.

C: The great repository audit. And so this idea is that we would, as the OpenSSF, probably funded by the Alpha-Omega project, engage in pen testing slash auditing of the major artifact servers in the industry. The pretense that I'm positing this under is, when you purchase software as a company...

C: Usually it goes through a security review, right? Like, you know, if you buy software, so security's involved, they say we're gonna need, like, you know, to show either you need to have SOC compliance or, you know, you need to have a pen test report that you can show us recently. And I posit that the major artifact servers, Maven Central, Gradle Plugin Portal, pip, RubyGems...

C: There's never been that forcing function to require them to have a pen test performed against them, and, as such, I posit that most of them have never had a pen test done, because it's expensive and resource-intensive and time-intensive. And so I know that we're working on a lot of these initiatives like Sigstore and all that other stuff, but I think that fundamentally, this idea of, like, maybe we're running before we're walking, sort of like we haven't focused on the infrastructure that actually is hosting these artifacts before we focus on the security of the supply chain.

C: Right, we need to, like, think about the basics first. And so the proposal that I have, that I'm working on, is that we would engage with a firm to have them begin or perform audits like this. The thing that I have gotten from the artifact hosts that I've spoken to, the thing that they've kind of balked at, is: I've also proposed that with that work, because it's work funded under the Open Source Security Foundation, that any of that work...

C: ...that's funded under the Open Source Security Foundation will also have the vulnerability disclosure policy that the Open Source Security Foundation has authored apply to any of the disclosures that come out of that work, so that the 90-day plus 14-day policy applies. Some of the feedback that I've gotten is: you may have organizations and vendors that are less willing to collaborate with you if you are also coming at it with... and this also, this work has an associated disclosure deadline to it.

C: So I'm of the opinion, personally, that I think that the disclosure deadline that we've established in the policy should stand, but I wanted to pose it to this working group, as this is some of the feedback that I've gotten. There's like concerns about that. There's concerns about, so...

C: One of the concerns is, you know, they're less... they maybe will be less willing to work with us. The other concern that I've had posed is, with a pen test report, you may be dumping a large number of vulnerability reports on an organization all at once, because, you know, you're doing a scan, like you're doing a massive bunch of work, and so suddenly they've got a bunch of work dumped into their lap.

C: That would not normally be contributed all at once, because most disclosure policies are coming in at a much slower rate. So I have heard these things, and I wanted to pose to the group, like, what does everybody think: if the OpenSSF were to engage in hiring a pen test firm to engage in trying to audit some of these artifact servers in the industry, would we still want to try to push forward with this OpenSSF disclosure policy that we established?

C: So I would not be focused on that. I would be focused on... because it's like, that's implementation detail of the corporate end users, right? If they're responsible for their own infrastructure, I would be focusing this... The scope of this work currently as proposed, which is not entirely written down but mostly kicking around my head, which will get written down and submitted to Alpha-Omega as a proposal for funding, would be that the scope of the audit would include both the hosting infrastructure for the packages, the upload infrastructure, right?

C: So you are at PyPI... So everything from the developer publishes a package, that package gets hosted, the hosted information, like the information that's rendered, right? So both, like, making sure the information is correct, but also making sure that those packages can't get hijacked by another malicious user, that the artifacts can't be... You know, like, we don't have open S3 buckets that anybody can write to without permissions and overwrite other packages, right? All of that infrastructure.

C: All the way to potentially including the consuming infrastructure, right? So you've got PyPI, that's actually pulling the artifacts down, and making sure that there's, you know, it's not, for example, like PyPI hasn't accidentally disabled cert verification on the HTTPS download, right? Like, sure, we're using HTTPS, but, like, the cert check has been just completely disabled. Like that sort of scope, from the publishing to the consumption side, and that entire pipeline in between, including the artifact server in the middle.

F: But as a consumer of these services, I applaud the effort to secure this part of my supply chain, but if I was working there, underfunded, very, very little time, probably helping in spare time, I would want to be involved in the process and be able to consume the changes proposed bit by bit, which means that giving me a timeline in that case of 90 days would be disastrous, right?

F: So it's a very tough situation to be in. We don't want to scare them. We want to help them, really, with infrastructure, and getting a free pen test, that's amazing, but we want to have them on our side and not force a lot of stuff upon them. Does that just sound kind of tricky?

C: Does your answer change based upon whether or not the... So for some of the artifact servers, right, they're hosted by corporations, right? So Maven Central is hosted by Sonatype, Gradle Plugin Portal is hosted by Gradle Inc., PyPI and RubyGems are community-run, right? Does your answer change when the artifact server is hosted by a company versus it being hosted by a community, or does your answer stay the same?

E: I think corporations can be... even big corporations can be more disorganized than people think, and...

A: I would suggest, with some of these repositories where there is a more mature or at least a more funded organization behind it, odds are very good that they are members of the foundation, and odds are also that there are some really awesome security people that might contribute to or be affiliated with that community or be affiliated with that organization. I think, as part of your process, you could potentially lean into and notify those organizations in advance and all throughout the process, to ensure, saying, we would...

A: Dear Sonatype, do you have anyone on your side that you could help make available around that time frame to work with us, or do we have any community members, to try to be prepared for that influx? And I think that we could be flexible with, potentially, the timeline: maybe criticals or highs need to follow that time frame, but lows and moderates, maybe something that we get commitment that those get put into a backlog and they can commit that they'll be worked on within some time frame. Potentially.

C: If we do it, we're going to have the 90-day policy apply. If you can fund it and you do it, we just want to see a pen test report within 180 days or something like that, right? We want to see a pen test report with the included, like, retest report, right? So then corporate entities can see, like, okay, we're gonna have this done one way or another.

C: Is it okay to write a proposal such that it states: if this entity, if this hosting provider, is backed by a company, Microsoft, which hosts, you know, Microsoft runs NuGet, and npm by GitHub, like all those other ones, right, this policy applies this way, but if it's, if it's not funded or if it's supported just by the community, PyPI, RubyGems...

F: To be picky, hosted by... I think you...

A: You could donate some people to help conduct it. Maybe you can donate some people that are part of that community to help respond to the findings. You know, just to try to get that collaboration seeded now, before the wheels of progress start rolling. Yeah.

J: No, I was just gonna ask another question about scope, right? And so, because I'm thinking through, it's also potentially not necessarily your regular old pen test, because you'd probably want the scope to actually focus on compromising the packages. As...

K: So I agree that the process is kind of the important part of these many artifact repositories, and they do have, like, these kind of ways to have, like, official packages and verified packages. Each package manager and each hosting service has all these kind of tricks to, like, give trust to their packages, and the process that they... sometimes it's basically humans that verified the company that's providing the package. Those processes differ very, very much between all these. Look at Docker Hub and you look at, like, Bitbucket, what they do.

F: As a scam, that's kind of going into writing a best current practice for package distribution or something, artifact distribution. I mean, I think Alpha-Omega, you worked with two-factor authentication for some of these, right?

B: So yeah, just to chime in on that point, I think it's really a matter of scope, because you do have currently a very big variance in the way that these package managers or hosting services choose to behave. Like, for example, from the last week:

B: If you have an npm package that is a combination of lowercase and uppercase, and then that gets redacted for some reason, and then you add another package with all lowercase, so on npm you'll be able to do the typosquatting using that method, but PyPI, for example, doesn't allow it because they verify, like, anyway, so they address it. So I guess, like, we need to define the scope.

B: If we're getting to that point, maybe it's kind of define best practices or guidelines that we want to make sure that all those different services adhere to. So I think it's one outside the scope of what Jonathan originally...

C: CRob, you mentioned, yeah, they're talking about... this is a conversation that's already come out of that working group. That's... this is, I'm just... and I presume that this whole thing will be a SIG under that working group, under the... the Securing Repositories Working Group, but I see that, yeah, it touches on other components, in particular vulnerability disclosure, so I figured...

A: Yeah, I've placed it. Yeah, there's a lot of amazing work. I want to make sure we get, yeah, the right people connected, and those people have better connections. Oh.

C: I'll be working with Amit, who, as a part of, oh, what is he? Where does he work? What's the group he's in? The OpenSSF, the open...

C: Open Source Technology team. So Amir has done these sort of audits for other cloud providers, right, including, like, you know, containerization, stuff like that. Like, this is something that... and so I'm working with Amir on this, because he's already gone down the route of funding these sort of audits, doing these audits, you know, yada yada. So I don't want to reinvent the wheel; he's already done it, so we're going to collaborate on that too, and he's awesome.

C: Yes, there's one other thing that...

A: Like, generally, the group seems behind the idea. We'd like to see something written down that we could provide more substantive feedback on, but any other thoughts for Jonathan on the effort?

H: I think involving the communities from the start is paramount. Nobody likes to have a ton of vulnerabilities dumped on them when they could have been brought in earlier in the process, right? So I think, as long as we involve the right people as early as possible, that'll help ensure that this stays collaborative and doesn't devolve.

C: A lot of moving people, a lot of moving organizations, a lot of ecosystems. So yeah, I agree: hope for the best, plan for the worst, expect nothing.

C: It's the line my mother used to use. So yeah, thanks, that's it! I'll have stuff, hopefully, the next meeting to share. Awesome.

A: Cool, cool, cool. And then the last item I had: this is from the OpenVEX crew and then some of my involvement with SBOM and CISA. As some of these technologies are starting to see some use, or like SBOM, you're seeing that the deadline for providing them is looming, people are starting to think about actual SBOMs and VEX and then, like, advisories in use.

A: So there is an issue underneath the OpenVEX spec, where we are trying to figure out how better to broadcast changes or notifications through the system. So if anyone has any feedback, that's a great place to comment: on issue 9 under the OpenVEX spec repo. We will have another call on the 29th of May, and, as Ollie mentioned, it'll be kind of late in the day for Europe, but those are recorded, and if you have... the agenda is open.

A: So if you wanted to put talking points in, and there's an open Slack channel that you can engage with the team directly on. So, if you have thoughts about how some of this might come to fruition and how we can start to get more folks upstream thinking about and using technologies like software bills of materials and the vulnerability exchange formats, just so we can start to see: do all these theories work? It's a lot of great ideas. How do they work in practical application? And how does, you know, each layer of the supply chain...

A: All right, did I just get really slow? You froze? Oh dear, that's terrible. But basically, just trying to... how do we help signals propagate up and down the stack here, throughout the supply chain?

A: Yeah, I think, people, one of the biggest challenges for consumers of these things is going to be kind of filtering and prioritizing, because you're potentially going to get thousands of signals a day through SBOMs, advisories, and VEXes. It's going to be very challenging for downstream consumers to understand and take action.

F: I added something to that. Again, please, sir, take it away. This is storytelling; I'm a storyteller. Once upon a time there was this man in a university in California who managed the DNS root, Jon Postel, and he formed a small... by the US, and when the world discovered the importance of the internet and the importance of the DNS names, they found Jon Postel working in sandals, right? And the U.S. suddenly claimed the internet is a U.S. thing only because we pay the salary of these guys, especially Jon Postel.

F: You heard a story, right? So what's happening today? Well, we're building all these SBOMs, we're using the SBOMs to verify if we have any vulnerabilities, we match them with NVD, we get CVSS scores, and we've used the CVSS scores to add our own environmental things and discover our own risks. Right now, there's a group called the SBOM Forum, which I got hijacked into, that has meetings Friday evening, late Swedish time.

F: So it's very good to join with a glass of wine. Not everyone does, because it's other time zones for them, but this group has been in contact with the NVD team, and turns out there's a small team. They got a budget set in November, still haven't seen the money, said it's unclear whether they get funding for the rest of the year. It's 19 persons managing all of this, and they haven't been in contact with anyone, so they were sitting there saying that...

F: "Well, we're gonna disallow all the mirroring of the NVD database, because we have this shiny new API," but they had no content delivery network. They have no scalability, nothing. And I see that everyone here and millions of others will start using scans directly... joke, to just add a scan directly to them with the API, so all your developers' runners. So this is the little organization, funded by the US, that manages our vulnerability flow, unfunded.

F: Just a single little API. I know, discussion. So we'll see what happens, but I think we need to get more funding from other places than the US and need to discuss how to migrate this to something community-maintained, and maybe OpenSSF has a working group or some interest in helping out here, because we're a community. I mean, mirroring the NVD on every server that mirrors Linux or Debian, that's a piece of cake if we just decide to do it.

A: Well, and I had heard that the NVD was looking for both private industry and community feedback on how they might be able to update and scale some of their processes. So that's kind of an outstanding AR I had, to talk with the OSV group. That's...

L: If my connection works... it does. Hey, I've had one. Art... hi Ali, my name is Art Manion. All right, I think what I heard you say, partly from the SBOM Forum group, was... so I heard a couple things. Could the NVD, and that whole aspect of what is effectively somewhat global vulnerability management...

L: In my experience, NVD will receive its funding, is very likely. I wouldn't be too concerned about that. But I am very concerned, I do... I've fought for many years about...

L: How could that... if there's a global public, you know, global enough public vulnerability management system of systems, whatever it would be. That's a very interesting idea, but it turns out to be pretty tricky to pull off, but a great idea, I think. Anyway, that's it. Yeah. It's...

F: CVD, yeah, it's a combination of the two, I think, but we... yeah, I think a reasonable place for having this discussion would be the OpenSSF, and I kind of know that we have a new TAC chair or something that could point us in the right direction.

F: Fully agree, but the response from the NVD team was, "Yeah, great, someone is talking with us, yay."

L: Yes, so I'd be concerned. I love the OpenSSF, I think it's a great place to talk about this. Is the OpenSSF going to worry about a proprietary Oracle vulnerability?

A: Mentioned, we... there is, we are trying to connect the OSV folks with the NVD team. Historically, we have talked with the CVE board as part of this group, so I'd like to see what we can do to positively contribute to that conversation, but yeah, if you could do that for us, so we don't lose track of it, that would be amazing.

F: Yeah, it also comes back to what I think was Dave Keeler, who said that there are many open source Linux projects in the foundation that don't file CVEs, and I never got any response when I asked why. So there could be improvements for these projects to start filing CVEs, yep, but we need a dialogue here. Yes.

A: Agreed. And then, as we get close to time, I'm involved in another organization called FIRST, the Forum of Incident... and Security Teams, and that group... they're the stewards of the CVSS standard, and...

A: You all may be aware they are getting ready to release an updated version later this year, CVSS v4, and if it is of interest to this group, I can petition my friend Dave, who's kind of leading those efforts, to maybe come and do a presentation for us, so that, you know, this group can understand some of the changes that are coming down the pipe with CVSS. And yet, not that all upstream maintainers absolutely use it, but it's very useful and used in a lot of our organizations.

A: So Ali says yes. Any other... thumb gives me a thumbs up. All right, so I'll reach out to Dave Dugal and see if he can carve out some time to come do a little shortened presentation to kind of explain the changes to the standard and kind of time frames.

A: I know that the PSIRT SIG is discussing kind of when they might start, when people might start using it, and it looks like it's going to be towards the back half of this year, but at least, you know, we can get some foreknowledge of what's going to happen and what we might want to do.

A: I don't know if it supersedes EPSS, Jason. Yeah, they are different efforts, but there's some actually very, I thought, very good changes to the standard to make it, like... they are refining the dreaded, always confusing scope area, so they're fixing some things, they're adding in some human life and safety considerations as optional metrics to be able to share as part of your CVSS evaluations. So there's...

A: ...an amount of changes, and ideally it streamlines some things, clarifies some stuff, and then it reminds people again that it's honestly the end consumer's job: once they get that initial metric, it's their job to reflect upon what controls and processes they have in place and adjust that score accordingly via temporal-type stuff. So they're revising all of that.

F: Yeah, that's seriously misunderstood by tool makers. Lots of discussions with the black animal team here, that they propose a process just based on CVSS base score, and I said that's not my risk; I can't prioritize according to that. And nice stuff.

A: Right, so I'll see what I can do. So look for a future meeting to talk about the new CVSS v4, and I had interviewed the EPSS guys a while back, Jason. If you'd like, I can also see if I could reach out to them; maybe they wouldn't be willing to come in and talk about their efforts, if that would be of use.

J: I think it'd be useful, like, you know, and I know that FIRST doesn't necessarily operate this way, but, like, I'm kind of curious about, like, the overall, you know, strategy, the architecture of how, you know, how do they work together? What should you take into account? How do you... because everybody just wants one number, right? Everyone wants their magic prioritization number.

A: Yeah, I'll look back through my notes and see if I can find the two gents that were driving EPSS and see if they were interested in coming to talk to us.

B: They also just released, a couple months ago, version three of the underlying model, so...

A: Yeah, I'll see about reaching out to them. We'll have some show-and-tells in the coming weeks and months. We have three minutes to the hour. Any last-minute thoughts, comments, suggestions before we adjourn?

A: Well, thank you, everybody, for your time and participation. I appreciate you all, and I have some homework to do, but I'll make sure I get some guest speakers lined up for us to talk to. Thank you all. I look forward to talking to you in the future. Cheers.