►
A
B
C
C
A
A
C
A
Yeah,
okay,
so
this
yeah
I
I,
actually
I
had
a
conversation
with
Ankara
about
meeting
chaos
and
meeting
problems
as
when
he
joined
so
he's
it's
on
his
right.
This
is
not
this
particular
issue
is
not
around
radar,
but
meetings
in
general,
being
kind
of
a
pain
to
to
run
from
the
organized
organizer's
perspective
is
something
that
he's
aware
of
so
yeah.
A
C
A
C
A
So
Josh
you,
you
and
chrome-
do
not
have
not
seen
this.
This
is
well
Chrome.
You've
seen
a
form
of
this,
but
not
the
most
up-to-date
version
of
this.
This
is
the.
This
is
something
like
the
document
in
the
chat,
so
everybody
can
find
it
real,
fast
chat,
I
think
there
we
go
all
right,
so
eating
chat
and
there's
also
this
copy
link.
B
A
Okay,
so
so
to
refresh
everybody,
Yoda
Mew
and
I
worked
on
this
together,
but
Josh
you
missed.
You
were
not
here
in
the
last
one
and
neither
were
crop.
So,
let's
start
at
the
beginning,
and
let's
just
go
through
what
we
have
for
this
flow.
So
our
post
flow
as
it
stands
is
that
we
would
start
here
at
if
the
repository
host
supports
PM
PBR
right,
which
is
PBM.
Pvr
stands
for
private
means
of
private
means
of
private
vulnerability,
reporting.
A
No
sorry
pragmatic
means
of
private
vulnerability,
reporting,
so
pragmatic,
pragmatic
meaning
like
a
programmatic
or
I
guess.
Programmatic
is
a
better
term
than
pragmatic,
but
programmatic
programmatic
means
of
private
vulnerability
reporting.
If
they
do
support
that,
then,
if
the
repository
itself
has
PM
PVR
enabled,
then
you
just
generate
the
pull
request.
A
If
it's
not,
then
you,
if
you
check
to
see
if
the
repository
has
issues
enabled
you
know,
some
organizations
and
repositories
do
not
have
issues
enabled,
and
so
only
if
we
have
them
enabled,
then
we
check
to
see
if
there's
been
an
existing
issue
requesting
I
spelled
requesting
wrong
requesting
that
pmpvr
be
enabled.
If
there
is
not
an
existing
issue
requesting
pmpvr
be
enabled,
then
we
create
the
issue.
Otherwise
you
use
the
existing
issue
and
the
the
we
use
the
existing
issue
for
later
steps
in
this
flow
regardless.
A
So
you,
if
you,
if
they
don't,
have
an
issue
created,
then
you,
if
you
don't,
have
an
issue
credit.
Then
you
request
you
open
an
issue
saying:
hey,
please
open
pmpvr.
This
is
the
flow
we're
going
to
use
yada
yada
if
they've
enabled
P.
If
they
enable
pmpvr,
then
you
create
the
private
pull
request
via
p
and
PBR
if
they
don't
or
if
the
issue
is
closed
or
without
you
don't
get
no
response
right,
they
close
or
delete
it.
A
Without
without
a
response,
then
you
jump
immediately
to
creating
a
public
poll
request.
If
they
respond
with,
we
can't
or
won't
enable
pmpvr.
Then
you
follow
this
flow
down
here,
which
we
haven't
discussed
yet
or
if
the
issue
has
been
open
for
at
least
35
days,
if
any
of
those
three
are
Decay
so
for
for
this
flow,
this
loops
around
until
one
of
these
cases
is
true
and
at
that
point
for
these
two
they
can't
open,
pmpvr
or
the
issue
has
been
open
for
at
least
35
days.
A
We
look
for
an
email
to
send
an
email
via
the
disclose
check
that
Michael
scovetta
wrote
and
then
from
there
we
send
automated
emails
with
the
vulnerability
details
and
Patch
file.
If
all
the
emails
bounced,
then
you
just
create
a
public
pull
request.
If
it
doesn't
bounce,
then
you
wait
90
days
and
then,
if
the
vulnerability
is
fixed
you,
if
it's
not,
then
you
create
a
public
pull
request.
Otherwise,
you're
done
foreign.
D
D
E
B
A
C
A
C
A
C
A
C
C
A
B
A
A
A
A
So
this
is
this:
is
the
high
level
flow?
Does
anybody
have
any
disagreements
about
the
flow
or
the
proposed
ideas
in
in
it?
Encoded
and,
like
you
know
in
particular
like
this
is
there's
like
I
mean
you
can
run
this
as
fast
as
you
want
right,
like
you
can
run
this
like
minute
by
minute,
but,
like
I,
think
this
is
you
know
this
could
theoretically
run
like
once
a
day
or
whatever
you
know,
I
don't
care,
but
at
least
it
gives
you
the
opportunity
like
there's
no
like
waiting.
A
E
B
A
So
this
this
I
I
guess
the
high
level
question
we
have
here
is:
is
there
anything
that
anybody
you
think
will
bite
us
on
or
like
complain
about?
If
we
try
to
move
like,
let's
assume
that
we
move
forward
with
this
flow,
we
write
it
down
into
the
policy
I.
My
intention
was
we'd.
Leave
this
flow
in
the
policy
document
as
a
visual
description
of
the
flow.
A
Do
you
see
any
points
in
here
where
people
will
be
like
I
mean
this
is
the
okay.
This
is
the
one
that
I
can
see
potential
conflict
with
like
if
somebody
closes
the
issue
without
response
right
like
either
close
the
issue
or
delete
the
issue
without
response
that
immediately
triggers
a
public
pull
request.
D
Because
the
two
things
that
I'm
seeing
that
aren't
covered,
that
does
seem
reasonable
to
me
one
is
there
isn't
any
mention
of
the
like
critical
project
stuff?
We
talked
about
which
I
don't
know.
If
we
want
that
in
here
or
not,
but
that's
one
thing
I
noticed
and
then
the
other
thing
is
the
bone.
Ladies,
that
isn't
mentioned
at
all
in
any
part
of
this,
which
might
be
fine.
B
A
I,
don't
think
so
I'm
wondering
whether
or
not
we
want
to
require
vulnerability.
Id
assignment
as
a
part
of
anybody
implementing
this
flow
I
think
that
the
open,
SF
I
think
that
the
the
alpha
omega
project
will
maybe
involve
us.
The
the
GSD
database
right,
but
that's
I,
don't
know
if
we
want
to
make
that
a
requirement.
D
Whatever
we
use
the
one
spot
that
I
would
kind
of
push
back,
there
would
be
if
we're
making
the
public
pull
request.
That's
kind
of
the
we're
pulling
the
parachute
scenario
right
where
hey
the
public
should
be
aware
of
this
and
I
think
that's
where
having
an
ID,
no
matter
which
database
it's
in
would
help
Downstream
consumers
because
hey
now,
this
shows
up
in
your
scanners.
You
know:
hey,
there's
something
going
on
here.
C
D
A
C
C
A
C
A
Call
request
can
turn
into
a
public
pull
request
if
they
don't,
if
they
don't
like,
if
they
have
pmpvr
enabled,
but
they
don't
like
respond
within
35
days
affirming
or
they
don't
they
don't
fix
it
within
90
days,
hi
Michael,
you
have
not
seen.
This
is
the
first
time
you're
seeing
this
document
right.
C
B
C
B
A
A
B
A
C
So
if
you're,
following
your
workflow
and
the
product,
the
repo
doesn't
have
private
reporting,
there
are
issues.
So
that's
your
first
escalation.
Your
second
escalation
is
you're
checking
with
the
mail
list,
and
that's
it
after
that
you're
going
through.
That
said,
you're
going
full
full
out,
there's
no
other
escalation
or
other
checks.
This.
A
G
C
G
So
here's
the
thing
so
so
and
I
don't
need
to
hijack
that,
because
it
is
on
point
that
that
what's
the
stuff
disclosure
check
is
not
just
finding
emails,
it
is
coming
out
with
an
ordered
list
right
of
including
cert
CC,
and
get
up
security,
Labs,
Nick
tied,
lift
or
whatnot.
So
every
project
will
have
at
least
three
options
which
is
search:
CC,
GitHub
security,
lab
and
snack.
Okay.
They
all
have
a
public
like
give
us
your
bugs
repository.
So,
oh
sorry
give
us
your
bugs,
like
link.
A
Email,
you
mean
also
so
I
don't
so.
The
idea
is,
this
is
only
gonna
happen
by
email
right,
we're
not
going
to
try
to
do
form
filling
out
we're
not
going
to
try
to
do
jira
issues,
rationale
being
like,
for
example,
right.
The
Jenkins
team
has
a
jira
instance
right.
The
Apache
software
Foundation
has
their
own
jira
instance
there.
We
we
don't
want
to
expect
either
us
or
other
campaign
operators
to
have
to
go
automate.
The
account
creation
process
for
every
single
jira
instance.
A
G
A
G
I
mean
well
so
as
the
lowest
one
on
the
list,
so
the
idea
would
be
that
you
would
that
I
I
don't
option.
A
would
be
you.
You
have
the
list
of
seven
potential
contacts,
you
take
all
the
email
ones,
you
blast
out
an
email,
you
wait
and
if
they
at
some
point
you
decide
to
go
to
the
fallback
ones,
which
is
cert
CC
and
get
up
security
level,
one
of
those
another
one
would
be.
G
G
A
A
G
A
Yes,
the
original
intention
of
this
document
to
answer
your
original
question
was
yes,
that
the
the
Line
in
the
Sand
was
email
for
automation.
Right,
if
you,
if,
if
you
know
we
tried
pmpvr,
we
give
that
a
shot.
We
give
email
a
shot
if
email
doesn't
work,
we're
not
We're,
not
gonna
like
it's
unreasonable
to
try
to
report
via
hacker,
one
through
automation
or
bug
crowd,
or
all
these
different
channels.
Right
like
what.
C
C
B
A
Mean
I've
been
using
floor,
Quest
generation
and
you
know
the
only
people
that
have
gotten
pissed
at
me
is
the
open
source
security
Foundation
Michael.
You
asked
for
the
issue
closed
deleted
without
response
shouldn't.
It
go
to
the
disclose
check
my
so
this
only
happens
if
the
issue
gets
closed
or
deleted
without
a
response
right.
So
if
they
just
if
you
say
hey,
please
open
pmpvr,
we
have
a
vulnerability
report
for
you.
We
want
to
work
with
you.
You
know
help
us
out.
A
A
A
G
Yeah
I
would
still
say
like
either
of
those
cases
like
you,
you
don't
lose
very
much
by
routing
those
last
two
diamonds
over
to
the
to
disclosure
check
and
then
just
routing
it
that
way,
because
then
they
you
know
it
it
avoid.
It
also
avoids
things
where,
like
oh
I,
didn't
understand
this
I
closed
it
by
accident.
My
like
my
co-maintainers
and
you
know
they
closed
it
and
they
didn't
know
what
they
were.
F
E
B
A
B
G
I'm
not
saying
that
these
things
don't
don't
occur
like
and
clearly
after
90
days
like
like
the
way
that
I
see
it
is
like
before
90
days.
These
things
are,
are
it's
it's
it's
dangerous
to
push
too
fast
after
90
days.
It's
all
public.
Full
disclosure
go
for
it.
So
my
my
suggestion
here
might
I
think
what
if
you
did
so
exist,
so
wait.
Let
me
move
my
mouse
in
the
right
window,
so
you
can
see
it
so
yeah.
G
I
guess
somewhere
somewhere
in
here
somewhere
in
these
three
you
in
parallel.
Do
this
thing
to
do:
do
the
disclosure
check,
so
you
open
up
an
issue,
say:
hey
I,
really,
you
know
we
we
have.
We
found
a
report,
we're
gonna,
send
it
to
you
privately
for
the
future.
Please
open
up
private
vulnerability
reporting,
so
we
don't
have
to
do
this.
G
This
weird
dance
thing
for
the
next
time
and
that
way
it
doesn't
actually
matter
how
long
if
they
enable
it
how
long
it
takes
them,
whether
they
close
the
issue
or
open
the
issue.
It
doesn't
matter
because
you've
already,
the
clock
is
like
immediately
starts,
which
actually
means
that
there's
no
delay
between
that
initial
start
condition
and
running
disclosure
check,
sending
the
vulnerability
or
opening
up
a
private
vulnerability
report.
So
90
days
starts
like
essentially
immediately
at
that
point,
and
you
actually
don't
need
the
35
day
cut
off
at
all.
G
A
So
I
I
was
okay.
That
was
a
thought
process
that
I
had
earlier
was
like
some
sort
of
caching
mechanism
such
that,
like
you
know
you,
you
reuse,
the
least
you
know
the
whatever.
Whatever
flow
you
flowed
down
before,
hopefully
you
can
reuse
it
against,
like,
for
example,
pmpvr
is
enabled
just
use
that,
but
like
it
was
not
enabled.
This
is
where
this
came
in
right.
This
existing
issue
is
requesting.
Pmpvr
wasn't
like
so.
Let's
say
you
had
two
different
issues
right,
you've
already
requested
pmpvr
be
enabled.
A
This
flow
is
cached
right
so
or
like
if
you
requested
it
Beyond
35
days
right.
This
flow
would
still
go
this
way
right,
like
you're,
you're,
great,
so
you're
just
saying
move
this
up
into
like
if
they
don't
have
pmpvr
enabled
you
in
parallel.
You
do
this
at
in
parallel.
You
also
send
the
report,
via
this
disclose
check.
G
G
You
still
have
to
at
some
point
that
wait
90
days,
I,
don't
know
how
to
automate
that
because,
like
what's
the
signal
back,
that
a
thing
has
been
fixed,
but
you
have
that
problem
anyway
with
anything
that
doesn't
go
through
PBR,
so
it
doesn't
make
it
worse,
but
it
does
make
it
better.
But
at
that
point
then,
at
90
days
after
that
initial
action,
90
days
has
passed
and
public
disclosure
is
fine.
If,
if
it
hasn't
been
fixed
or
public,
disclosure
is
fine
period.
A
B
A
This
is
the
policy
that's
approved
by
the
attack.
We
expect
maintainers
to
respond
within
21
days
of
the
notice
date
to
let
us
know
the
issues
being
mitigated
to
protect
impacted,
end
users
if
we
do
not
receive
engagement
from
maintainers
from
30
to
five
days
of
the
notice
date
that
affirms
their
intention
to
fix
this
vulnerability.
Within
the
time
limit,
we
reserve
the
right
to
fully
publicly
disclose
the
vulnerability
at
that
point,
so
the
policy
that
we
have
is
actually
35
days.
If
they
don't
respond
at
all.
A
Do
we
want
for
both
of
these
right
if
we
don't
receive
either
an
issue
response
or
an
email
response
within
35
days
that
we
go
the
PM?
We
go
the
public
disclosure
route,
but
we,
but
we
give
if
they
respond
at
least
to
the
email
saying
yes
like
we're,
we're
going
to
or
like
they
don't
have
to
like.
They
just
have
to
respond
to
the
email
right.
We
have
to
confirm.
B
G
G
C
C
G
B
B
C
C
No
there
is
that,
but
I
don't
know
that
this
would
qualify
for
that,
but
I'm
just
saying
that
the
OSS
Security
list
on
this
day
this
project,
our
scanning
project,
found
this
vulnerable.
This
vulnerability
in
these
projects
and
we're
notifying
this
list,
so
the
downstream
can
see
that,
because
more
people
will
watch
that
than
they
would
potentially
monitor
an
individual,
GitHub
or
gitlab
repo,
but
ask
him
first
yeah.
Oh.