A: Yeah, okay, so, actually I had a conversation with Ankara about meeting chaos and meeting problems when he joined, so it's on his... This particular issue is not on his radar, but meetings in general, being kind of a pain to run from the organizer's perspective, is something that he's aware of, so yeah.

C: And typically I have the back door in, but today they two-factored me.

A: That's fun, so you have to use a... Do you burn a code to get in? Yeah.

C: If there's any decisions, yeah, we should write those down, or any kind of action items, we should do that, but I think you're fine if we're just editing. Just for good, for that, right. That piece, yeah.

A: So Josh, you and CRob have not seen this. Well, CRob, you've seen a form of this, but not the most up-to-date version of this. This is the... This is something like the document in the chat, so everybody can find it real fast. Chat, I think... there we go, all right, so it's in chat, and there's also this copy link.

A: Okay, so to refresh everybody, Yoda Mew and I worked on this together, but Josh, you missed; you were not here in the last one, and neither was CRob. So let's start at the beginning, and let's just go through what we have for this flow. So our post flow as it stands is that we would start here: if the repository host supports PMPVR, right, which is... PMPVR stands for private means of private vulnerability reporting.

A: No, sorry, pragmatic means of private vulnerability reporting, so pragmatic meaning like programmatic, I guess. Programmatic is a better term than pragmatic, but: programmatic means of private vulnerability reporting. If they do support that, then, if the repository itself has PMPVR enabled, you just generate the pull request.

A: If it's not, then you check to see if the repository has issues enabled. You know, some organizations and repositories do not have issues enabled, and so only if they have them enabled, then we check to see if there's been an existing issue requesting (I spelled "requesting" wrong) that PMPVR be enabled. If there is not an existing issue requesting PMPVR be enabled, then we create the issue. Otherwise we use the existing issue, and we use the existing issue for later steps in this flow regardless.

A: So if they don't have an issue created, then you open an issue saying: hey, please open PMPVR, this is the flow we're going to use, yada yada. If they enable PMPVR, then you create the private pull request via PMPVR. If they don't, or if the issue is closed or deleted without a response, right, they close or delete it...

A: Without a response, then you jump immediately to creating a public pull request. If they respond with "we can't or won't enable PMPVR", then you follow this flow down here, which we haven't discussed yet, or if the issue has been open for at least 35 days. If any of those three are the case... so for this flow, this loops around until one of these cases is true, and at that point, for these two (they can't open PMPVR, or the issue has been open for at least 35 days):

A: We look for an email to send to via the disclosure check that Michael Scovetta wrote, and then from there we send automated emails with the vulnerability details and patch file. If all the emails bounced, then you just create a public pull request. If it doesn't bounce, then you wait 90 days and then, if the vulnerability is not fixed, you create a public pull request. Otherwise, you're done.

D: So I'm just looking through this last stage of the process and I'm not seeing... so let's say this one, yeah, so you send the patch files and vuln details, wait 90 days, not fixed. Okay.

D: Create a public pull request. Never mind, I missed the part where the vulnerability doesn't get fixed; you just create a public PR. Because I was thinking what was missing is informing the public that, hey, this thing's a thing.

D: ...been fixed yet, but that would cover it, so seems insane.

A: Yeah, I know, I just figured I'd ask the person who's part of the diagrammer society. What's...

D: Maybe, arguably, yeah, and the other thing too is it's not super clear that creating the public pull request is a terminator.

A: It describes... this box means "process defined in another document", or another flow.

A: So this is the high level flow. Does anybody have any disagreements about the flow or the proposed ideas encoded in it? And, like, you know, in particular, there's... I mean, you can run this as fast as you want, right, like you can run this minute by minute, but I think this could theoretically run like once a day or whatever, you know, I don't care, but at least it gives you the opportunity; there's no waiting.

A: So I guess the high level question we have here is: is there anything that anybody thinks will bite us or, like, complain about? If we try to move... let's assume that we move forward with this flow, we write it down into the policy. My intention was we'd leave this flow in the policy document as a visual description of the flow.

A: Do you see any points in here where people will be like... I mean, this is the... okay. This is the one that I can see potential conflict with: if somebody closes the issue without response, right, either close the issue or delete the issue without response, that immediately triggers a public pull request.

D: Because the two things that I'm seeing that aren't covered (that does seem reasonable to me): one is there isn't any mention of the critical project stuff we talked about, which I don't know if we want in here or not, but that's one thing I noticed, and then the other thing is the vuln IDs; that isn't mentioned at all in any part of this, which might be fine.

A: I don't think so. I'm wondering whether or not we want to require vulnerability ID assignment as a part of anybody implementing this flow. I think that the OpenSSF... I think that the Alpha-Omega project will maybe involve us, the GSD database, right, but I don't know if we want to make that a requirement.

D: Whatever we use, the one spot that I would kind of push back there would be if we're making the public pull request. That's kind of the "we're pulling the parachute" scenario, right, where, hey, the public should be aware of this, and I think that's where having an ID, no matter which database it's in, would help downstream consumers, because, hey, now this shows up in your scanners. You know: hey, there's something going on here.

C: Not according to how I've practiced, so I would put a little box down here and say, and/or even refer to a diamond or whatever down here. L is a little different than the flow chart, right.

C: But just because it's a private pull request doesn't mean anything happens. Well...

A: ...pull request can turn into a public pull request if they have PMPVR enabled but they don't respond within 35 days affirming, or they don't fix it within 90 days. Hi Michael, you have not seen... this is the first time you're seeing this document, right.

A: Let's do that. Hang on a second, let me delete... you go away. Okay, me.

A: This is the... what is the name of this talking? This is the... okay. This is the campaign. This is the rename report vulnerability... well.

A: Create another document we arrive at.

C: I would undo.

B: Just need to put a title on it; there we go.

C: So if you're following your workflow and the product, the repo, doesn't have private reporting, there are issues. So that's your first escalation. Your second escalation is you're checking with the mail list, and that's it. After that you're going through... that said, you're going full out; there's no other escalation or other checks. This...

G: So here's the thing, and I don't need to hijack that, because it is on point that... disclosure check is not just finding emails; it is coming out with an ordered list, right, including CERT/CC, GitHub Security Lab, Snyk, Tidelift or whatnot. So every project will have at least three options, which is CERT/CC, GitHub Security Lab and Snyk. Okay. They all have a public "give us your bugs" repository... oh, sorry, "give us your bugs" link.

A: Email, you mean, also? So I don't... so the idea is, this is only gonna happen by email, right; we're not going to try to do form filling out, we're not going to try to do Jira issues, rationale being, for example, right, the Jenkins team has a Jira instance, right; the Apache Software Foundation has their own Jira instance there. We don't want to expect either us or other campaign operators to have to go automate the account creation process for every single Jira instance.

G: So I agree that it shouldn't... I don't think it's reasonable to include arbitrary Jira instances. So CERT/CC is a... it is a "you need a VINCE account".

G: I mean, well, so as the lowest one on the list, so the idea would be that... I don't... Option A would be: you have the list of seven potential contacts, you take all the email ones, you blast out an email, you wait, and if they... at some point you decide to go to the fallback ones, which is CERT/CC and GitHub Security Lab; one of those, another one would be...

G: Yeah, and that should be easy, even if we have to script a headless browser, and then Security Lab is just GitHub, is just security lab at github.com.

A: So Security Lab doesn't handle vulnerability reports for maintainers; like, they do their own research. They don't handle coordination for incoming reports.

G: Oh okay, I'm pretty sure that I saw all of that, although I could have just completely snake.

A: Yes, the original intention of this document, to answer your original question, was yes, that the line in the sand was email for automation. Right, if, you know, we tried PMPVR, we give that a shot. We give email a shot; if email doesn't work, we're not gonna... it's unreasonable to try to report via HackerOne through automation, or Bugcrowd, or all these different channels. Right, like, what...

A: We try to find an email to send the report to the maintainer, using Michael Scovetta's tool that he wrote to find a disclosure channel via email.

A: I mean, I've been using pull request generation and, you know, the only people that have gotten pissed at me is the Open Source Security Foundation. Michael, you asked for the "issue closed/deleted without response": shouldn't it go to the disclosure check? So this only happens if the issue gets closed or deleted without a response, right. So if they just... if you say, hey, please open PMPVR, we have a vulnerability report for you, we want to work with you, you know, help us out.

G: To differentiate between that one and the one below it, though, if they close the issue, or they say no and close the issue, like...

G: ...case, but I mean, it feels like it's going right from there to public pull requests.

G: Yeah, I would still say, like, either of those cases, you don't lose very much by routing those last two diamonds over to disclosure check and then just routing it that way, because then, you know, it avoids... it also avoids things where, like, "oh, I didn't understand this, I closed it by accident", "my co-maintainers, you know, they closed it and they didn't know what they were..."

G: ...they were doing, sorry, like, but now you've, you know, released the zero day, whereas, if you route it to disclosure check, then you always have that 90-day buffer, where it's defensible that you made every best effort to report it and you waited 90 days and then disclosed, like.

F: So Jonathan was mentioning the other day when we were working that he has seen that the vulnerability reports are closed without any response, typically; he has seen that when he was reporting to non-US-speaking countries, when maybe they don't understand, etc., but I see the point and I think, like, I...

F: Also, I second what you were saying, which is, like, it just adds another 90-day buffer. I guess what Jonathan and we also seconded this thing last week or the week before (not last week, the week before), which was like going to the vulnerability report as soon as we can, or like, so...

F: The pull request, like, instead of waiting 90 days, you just make... expedites the whole thing, but in the big picture I think maybe expedition is not necessary, and rather than like... following a process which is more favorable for the maintainers all the time is a better option.

G: I'm not saying that these things don't occur, like, and clearly after 90 days... the way that I see it is, like, before 90 days these things are... it's dangerous to push too fast; after 90 days it's all public. Full disclosure, go for it. So my suggestion here might... I think, what if you did... so, exists... so wait, let me move my mouse in the right window so you can see it, so yeah.

G: You start here: exists, issue exists.

G: I guess somewhere in these three you, in parallel, do this thing: do the disclosure check, so you open up an issue, say: hey, really, you know, we have... we found a report, we're gonna send it to you privately; for the future, please open up private vulnerability reporting, so we don't have to do this...

G: ...this weird dance thing for the next time, and that way it doesn't actually matter how long, if they enable it, how long it takes them, whether they close the issue or open the issue. It doesn't matter because the clock immediately starts, which actually means that there's no delay between that initial start condition and running disclosure check, sending the vulnerability, or opening up a private vulnerability report. So 90 days starts essentially immediately at that point, and you actually don't need the 35 day cutoff at all.

A: So I was... okay. That was a thought process that I had earlier, was like some sort of caching mechanism such that, you know, you reuse... whatever flow you flowed down before, hopefully you can reuse it; like, for example, PMPVR is enabled, just use that, but like it was not enabled. This is where this came in, right. This "existing issue requesting PMPVR" wasn't like... so let's say you had two different issues, right, you've already requested PMPVR be enabled.

A: This flow is cached, right, so, or like if you requested it beyond 35 days, right, this flow would still go this way, right. Great, so you're just saying move this up into: if they don't have PMPVR enabled, you, in parallel... you do this, and in parallel you also send the report via this disclosure check.

G: Yeah, so it's actually even simpler than that: so start, run disclosure check, is PMPVR enabled, yes, send it that way, else...

G: You still have to, at some point, wait 90 days. I don't know how to automate that because, like, what's the signal back that a thing has been fixed? But you have that problem anyway with anything that doesn't go through PVR, so it doesn't make it worse, but it does make it better. But at that point then, at 90 days after that initial action, 90 days has passed and public disclosure is fine if it hasn't been fixed, or public disclosure is fine, period.

A: I mean, yeah. Do we... so originally this... this idea floated, so okay, coming from... wrong one, all right, so from...

A: This is the policy that's approved by the TAC: "We expect maintainers to respond within 21 days of the notice date to let us know the issue is being mitigated to protect impacted end users. If we do not receive engagement from maintainers within 35 days of the notice date that affirms their intention to fix this vulnerability within the time limit, we reserve the right to fully publicly disclose the vulnerability at that point." So the policy that we have is actually 35 days if they don't respond at all.

A: Do we want, for both of these, right, if we don't receive either an issue response or an email response within 35 days, that we go the public disclosure route, but we give... if they respond at least to the email saying yes, like, we're going to... or like they don't have to, like... they just have to respond to the email, right. We have to confirm.

G: You know, if it would be helpful, I'm happy to just sketch out what's in my brain, because I don't think I described it well.

E: All right, I will, but that's a nice threshold setting from the Lucidchart team or that.

C: In the chat, Jonathan, I gave you two suggestions, not about the aquarium itself. Yeah.

C: No, there is that, but I don't know that this would qualify for that, but I'm just saying that the oss-security list: "on this day this project, our scanning project, found this vulnerability in these projects and we're notifying this list", so the downstream can see that, because more people will watch that than they would potentially monitor an individual GitHub or GitLab repo, but ask him first, yeah. Oh.

F: I think it's in the UML state/activity, and then there's this like solid... yeah, like that one, that one, yeah, this one: no, no, not the object. There's the solid, like minor dash sign.

E: All right, just, Jonathan, we're at time; you said you had an interview, so I do.

A: Meant ease, yeah, I know, all right. Let's chew on this next week. We're doing... just to remind everybody, we're doing this meeting every week, because bi-weekly was not enough. All right, cool, all right, thanks.