From YouTube: OpenSSF Vulnerability Disclosures WG (February 8, 2023)

A
Hey CRob, hello, hi, I don't know if you saw this, but when I joined this call just now, I didn't get the standard "This call is being recorded." So I don't know if the auto recording is not working anymore.

B
I didn't get alone.

A
Randall, did you get a? Did you get the prompt that says this call is being recorded?

B
There's a difference in philosophy that my leadership does feel, that they will go provide me hardware from other.

A
Because some of us didn't. I, CRob and I did not, and we should have, I presume so.

H
Jonathan and CRob, maybe you guys might be admins or something and get special treatment. I.

B
The LF, but you know I do log in with power user credentials from time to time. I don't know that it did it this time.

A
It should have, so it seems like some version of Zoom, but I just sent a message to a friend of mine who works at Zoom saying, hey, some versions of Zoom are not getting this prompt on new calls. I.

I
Yeah, we need the host key in order to record and.

B
Let's see, anyone with a link can view, yeah.

I
We go, so I've been asking Kaheel to do a little bit of kind of an audit on our meeting notes to try to keep them. I mean, we are a security organization. World-writable meeting notes as our decisional framework seems a little bit of an oversight. So I don't, I don't know if he made a change related to that, but I wouldn't expect him to make a change that would be disruptive like this.

We are also, by the way, having Jordan Harband do an audit of our GitHub permissioning and the like. So we're gonna be tightening a few things down, which will mean some things like this, but I don't know that this is specifically related to that.
B
That's, it's sad face. All right. Do we have any new friends today that wanted to introduce themselves and say hello to the group?

G
Sure, am I audible? You are, you are perfect. So hello, I'm Noah. I'm working with the Open University in the UK, but I'm here in California, yeah, yeah, and I'm working on software evolution, maintenance and security, and I coordinated with another researcher from Portugal who suggested the OSSF, and I'm looking forward to getting to be a part of this. I've already done, I think, a pull request, but I realize that you need to be in these conversations to get that is and all that.

B
If not, I'll do my best, but it's hard to talk and type. I'll, I'll try to help, bro. Thank you, Randall. All right. There is an OpenSSF Secure Critical Projects Virtual Maintainer Summit going on in a little bit. I'll have to step out early, so I don't know if we'll have, we'll fill up the full hour today, but I gotta step out at a quarter to the hour to go help moderate over there.

Just so everyone is aware, there is an official call for papers open for OpenSSF Day North America, which will be held in Vancouver, British Columbia, and I'll be there and we'll be going out for poutine, everybody. So anyone that wants to be there, we'll have some delicious fries, but more importantly, there's a call for papers for the working groups and SIGs and projects, so we're looking for, like, not quite a lightning talk but essentially kind of short presentations from the different members.

So if anyone has a topic of around 15 minutes or so that they wanted to share with the OpenSSF membership, I think this is really important. I'm going to see if Madison wants to streamline; we're going to do a, we were going to do a CVD talk. It's under consideration for the larger conference. The way we might be able to streamline that down to focus in on the community for OpenSSF Day, but if anyone has any other ideas for talks, please consider submitting them.

Roger dodger. Let's do, let's skip a second. Tomorrow we're having our second APAC-focused vulnerability disclosure meeting, so anyone that is in, particularly like the west coast of the States. Anyone.

Europe, I don't expect you to stay up, but anyone in the States that, if you are interested and available, please show up to help us engage with our new friends from around the world. I'm expecting to get a handful of folks from Australia. There's a member project, OSV, that they're kind of, the engineers are out of Australia, so they were excited to have some time, a time to collaborate better with the group. So please join us at 6 PM Eastern, 2300 UTC, for that call. Should be interesting.

Anyone that showed up today to talk about OpenVEX: unfortunately, Dan Two is on vacation and Dan One is obligated elsewhere, but they committed to be back to talk with us about the upstream OpenVEX project and about how we potentially can collaborate together. They'll be back on March 8th, so I'll make sure to make a bunch of noise on the mailing list and Slack so we get good participation for OpenVEX Day. Art.
H
Yeah, I will not get into, steal any of that presentation, but I have seen it recently. I've been talking to those folks. I am the lead editor of the CISA community minimum requirements for VEX document. It is almost, almost ready to come out, and I believe with some of the motivation for those guys to go off and create a lean, clean, new, open, reference-ish VEX implementation, which is a great idea.

Despite the grumbling that now we have one more way to do VEX, VEX being as new as it is in the world.

I don't see a problem. In fact, I think it's a benefit to have OpenVEX, but I'll just sort of say for the group here, CISA community, not just a proper doc, almost out. It looks like a specification, but it's not, kind of, because people didn't want one. Long story, the joys of community-developed documents when people don't agree and they're not working in a standards process, so that was fun.

There's a bit of grumbling about one more, yeah, one, get another VEX format, which again I think is a good, good thing in this case, but just to give everyone the heads up. That's some of the backstory. We'll see how the world, you know, likes VEX at all and which flavor of it, but that's just some background and I'll, you know, leave the OpenVEX details to the, the guys that.

B
Wrote it, yep, cool, and, and they'll be here to talk about that, their project, their software, and then to see if there's any interest in this group to collaborate and kind of help see if we can get upstream open source to start to publish VEX information, and I know that Jay and I in particular are very excited about the possibility of joining forces to help out, so I think it's going to be a good conversation.

H
I didn't think so, but I, sorry, I was, I was hoping. I, I was not, I may have met you before and I was ignoring you and I was going to be a jerk, so I was just checking in case I don't think I mentioned before in person. So anyway, yeah.

I would say the simplest thing is there are a lot of factors and, yeah, so making, making it up as we go. Yes, but you know I'll, some of the folks involved, and myself included, partly do have experience in actual standards body development and things. So we tried to bring in, you know, towards the end as we weren't agreeing, we're like, look, let's look, IETF has some stuff, let's follow what they say, and there's discussion.

If this VEX thing, you know, works out, that the specs should probably live somewhere real, right, a standards organization where you can track changes and there's an official process, and if somebody gets disagreed with it's on record and it's all above board and there's no money involved for members, yeah, anyway, and.

K
So yeah, yeah, sorry, I just wanted to make a comment. I was gonna, you know, since CRob said that this is going to be next week, I was going to hold the comments.

No, yeah, I mean, so since you brought it up, right, right. The, the concern I have, so I get your point. VEX is very new. It's expected to me. That's actually the very reason that we as a community should be trying to limit the number of competing implementations. The biggest problem we have in the space right now is the confusion around what am I supposed to go.

If the idea is that this project and another competing VEX implementation would all of a sudden come in as an OpenSSF project, I would actually be quite concerned about that at this point, because it's like, it's basically giving a, a round of endorsement to this brand new thing when there's these other brand new things that haven't even had any chance to do anything yet, really, and to me it's just creating mess, it's just really creating mess in, in the space.
J
Yeah, so, well, this is a, in response to Jason, but also then to create kind of a separate, dare I say, separation of church and state with it, right. So, so, Jason just offhanded that there's a couple of communities that are working on spec-type stuff, like, for instance, what Art just mentioned, which is minimum requirements, which in itself could be a, a spec of sorts, right, that, not going to adjudicate that, there could be another organization creating maybe a larger, more detailed definition of, of what it is.

Those things can often compete with one another, but I think what we're talking about here when it comes to OpenVEX is the tooling around VEX document creation, and then what CRob is talking about, the stuff that he and I are talking about, is kind of like a VEX advisory. So, so to pass just the tooling that creates a VEX document, how does that doc?

How does that tool receive the information it needs in an open environment to properly under, to get that information in these, in an open environment, to create that documentation for open source components and repos that might have vulnerabilities, that maybe, perhaps, a consumer of open source components could better understand, like, hey, these components have vulnerabilities, are identified, they've been identified, VEX documentation? So if you, if you take the ball and you, and you follow the bouncing ball, there's room to play for everyone in this, and everyone has the right idea.

K
Yeah, and, and Jade, to be clear, I am an extremely ardent supporter of tools and we have a desperate need for more tools in this space. That my, my issue isn't with the OpenVEX tools. It's that they created a new format to go with the tool. That's, that's my primary concern. So I'll tell you.

J
The same people that are in OpenVEX around the, the formatting around that are some of the same people that are in the CISA, a, working group, so, so, so, so, so there's, so the, the difference in the separation, you think that's. There is not necessarily, there, these, these, I. These are communities, are working in concert with one another, and where we're sitting with it is saying, excellent, you guys do that. We're not going to do that! You do that.

What we're gonna do here is maybe bring the tooling here, so we can work on it as a community and then, at the same time, work on VEX advisory that could go into the tooling to produce better results on behalf of open source, of, of, you guys know what the hell I'm talking about, software creators who are, or, and maintainers who may want that VEX documentation created in a centralized location and not have to go reach or anything, hell.

We could even be partnering with someone like, with, like a project like Alpha-Omega, who does stuff on the other side of that too. Right, there's a plethora of ways to go, but we can do that right here in the OpenSSF and stuff, because that's what this is set up to do, right. I mean, so, so I, I would, I would say, mindset, expand the mind and get creative. We can get creative as hell with this and that, and I think that's the, that.

K
Yeah, I mean, I've been extremely deeply involved in, that's, this. This is a working group. I've been in a couple of the meetings and I've been following this for literally two years, so I guess all I'm saying is when we as communities create tools that do not interoperate out of the box in these brand new efforts, it is not helping anything. So there, there is something to be said. I agree.

You know, there is something to be said with the idea of, you know, let, you know, let, let's plant many seeds and, and may the best one grow largest or whatever the heck the analogy is. I'm losing my mind right now, but there's also something to be said for interoperability, especially in a space that we're trying to make any kind of headway at all, and the more confusion.
I
Yeah, I, I really sympathize, Jason, and, and I think the tone that you're gonna find set inside the OpenSSF across a lot of different efforts, increasingly this year, is going to be kind of the opposite of what you find at some projects like CNCF or, or Apache or others, where it's like, hey, let a thousand flowers bloom, where there's really a desire to figure out what is the best answer to a given problem and then how do these best answers fit together to create kind of the best?

So we are, I'll just be wearing my general manager head of OpenSSF, very interested in, in trying to reduce the amount of confusion in the market, reduce the amount of duplication of effort, and, and drive for convergence, and I'll play a little bit of a geezer card for a moment, which is, back in 1995, as we were working on the Apache web server, you know, there's a tremendous amount of overlap between the people working on that code and the HTTP code and those writing.

The HTTP specification at the IETF, right. Fielding was a core maintainer and the chief editor, right, and this resonance and this type, iteration loop, type innovation loop between the standards development process, which, it should be slow. You know, you should write a document that can last for the ages, right, and update it at most once every couple of years or, or whatever, and the, the, the tighter kind of frequent release.

Let's try some things, let's, let's mark things X-dash-whatever, you know, that you get with software, but you want to really connect the communities, and both those communities need to be as open and inclusive and bringing in people with different views and try to find the kind of greatest common denominator to get to something that actually will get.

The greatest adoption, like HTTP arguably did over Gopher or FTP or whatever, and so I, I really hope here, and by the way, I, I do not want to pressure you or anyone else to say that standards process has to happen at OpenSSF. We really do have to be driven by what, what the folks involved in those.

Feel is the best direction, you know, which sometimes is in conflict with that first goal of convergence, right, but I, I, I. You know, I, I'll just speak up at the end for two things. One is we have a pretty lightweight process to manage the IP that is very kind of GitHub-centered, that I, I forget the URL.

That goes and describes that, but it's, it's basically what it makes sure that all the stuff that standards bodies like to see around IP, which is different from what open source requires, are taken care of, so that you can actually take that standard and take it to a place like ISO. Now, I'm not a big fan of ISO, you, there is paywalls for some of the standards there, the stuff that we pushed. I. So as I understood it, does not require them payment at any point, even through ISO, but the cool thing about it.

So sometimes some of the things we're coming up with, we're gonna want, it's just, another bodies to adopt as, as, as, you know, recommended or required standards, even in the long term, right, when they get settled, when everyone agrees that they're, they're a good thing, and so that's, that would be my pitch for any process that ultimately can lead to something with the referenceability of an ISO standard.
B
We have a lot of open source and security expertise here, and I think we could definitely help collaborate, to be involved in that standards process and be, help to broker some conversations and try to make, make some positive moves forward and actually do something and help add some value to the security community, and potentially the OpenVEX implementation may not be exactly the best way.

H
No, no, yeah, just kind of, so looping back on the last couple of comments and speakers. You know, if I had to pick, I remain sort of pro-OpenVEX, and, but I, I want to be clear, you know, it's also not great. Of course, there's not, it's not black and white. That's, that's awesome and the perfect thing, and we absolutely need that. It's got downside.

Obviously, right: confusion, interop, standardization, right. My sort of big picture view is it's really just so early in the VEX, I forget the name of the idea cycle, right. We have here, I'll just spell it out, right: CSAF, an advisory format, sort of has VEX added into that. CycloneDX does VEX in a sort of a different way, and I've not sorted this out. CycloneDX has, it's a bit of a commercial interest thing going on that I haven't quite, I don't quite understand, but there's something going on there.

No judgment, I'm just saying these are some of the factors involved. Right, I was, I heard from a prominent SPDX developer that SPDX was sort of going to wait for the CISA doc to come out before running off and doing anything, and then OpenVEX, you know, came along, and again I, I fully agree. There are issues with multiple standards, interop, all that stuff. It's not a pleasant situation to be in, but you know we're sort of writing something down before it's even in widespread use.

Right, and I'm aware of some of the CSAF implementations out there. I don't know how much VEX is in CDX, but it's not a lot. It's not widely adopted yet. It's not widely in use, and I think, as many of us probably have experienced, right, actual use is going to then inform what's actually working, and then you go write or rewrite the spec to match.

What's actually working in the real world, so I think we're just a little early and that's why all this sort of confusion and contention is going on, and again, my, what puts me over the line on being pro-OpenVEX is the other implementations are bulkier and bigger and do more things, and having a clean reference implementation is, I think, will be beneficial in the long run. I'm not saying it's not a, you know, it's a perfect solution and it's not adding confusion, but having the reference one.

If that's where they're going, I think, will be helpful, and yeah, a standards home, absolutely, at an appropriate time, and yeah, Brian, thanks, I hadn't really thought of Ella for OpenSSF, but that's a great option as well, and I'll make sure that gets into the mix and the CISA discussion. Out, right.

B
Before I turn it over to Jonathan, a quick update: at the TAC yesterday, we had four members that expressed a desire to recommend moving the OSS CERT plan forward to the governing board, so yay, they liked our stuff.

So ideally we'll get some instruction about what next steps will be. I think it's definitely going to need to be some type of executive-style presentation to present to the GB members. We'll, we'll suss all that out in the coming days and weeks. So I will probably be coming back to this group for some assistance in developing a delightful presentation, like four slides, that kind of distills down the key points of what we want to do and costs, and again summarizes the plan a little bit for kind of an executive set of eyes.

So stay tuned, and you know, initially be a good support. We'll see how this progresses and I'll let everybody know as that moves forward, and then, if you have, we'll be setting up calls for the CVD guide for consumers soon. So if you want to pre-stage information from, like, the table of contents, we're taking suggestions on our ToC for thought topics that should be covered under such a document, and I will send out a cattle call to get everybody participating in writing.

That document, and hopefully we can get that delivered by, my target would be, like, some in the summer. Maybe, we'll see. So now, I will, any questions on either of those two?
A
Yeah, perfect, so I wrote up a document. Mostly, I mean, it started, it, as a copy-paste from Google's policy around vulnerability disclosure, but has been heavily modified since then. It is the Open Source Security Foundation, it is a proposal and a proposed policy for the Open Source Security Foundation vulnerability disclosure policy.

So the policy for how we will disclose vulnerabilities outward, out, outgoing vulnerabilities to maintainers of open source projects, and if we ever run into vulnerabilities in corporate projects that are closed source, because sometimes that happens through the course of vulnerability research, how we will reach out to those. Well, no, not the process. This is specifically, this is the policy, not the process document, so it describes the policy under which we will disclose vulnerabilities. I sent it to the Slack channel and by email and I asked you all to take a.

B
I have not had time to read it. My real job is bothering me, so, but I will devote some time tomorrow morning to give you notes. Right, I might suggest maybe we do an official, like, two-week call for comments and then send that out to the mailing list and the Slack saying this is official, we need your feedback, you have a deadline of X or Y date, and then we will move, adjudicate things afterwards. I.

A
Did send it out to the Slack and to the ever, but yes, yeah, sure, and that makes sense, giving it, giving a deadline, yeah. There are, there's already feedback on, in the document.

Let's see, a couple of anonymous auditors and yada yada, yeah. So at a high level, this is two documents: it's the, it's the, or not two documents, but it's got two subsections: the manual disclosure policy, which is how we will go about reporting vulnerabilities to individual projects, and then also a blurb, basically calling out that there will be a policy for disclosing vulnerabilities at scale across open source with automation. We don't really have those policies and processes in place.

Those policies and processes will be established under a SIG that I'm standing up, but those will be handled differently. It's a call-out to, those things will be handled differently. Yeah.

H
Since Jonathan wrote it, he knows what the f he's doing. I'm comfortable adopting it as is, honestly, you know, if we get a couple in, we'll figure out any, any changes that need to be made, seriously. I, I, a handful of us in here know this business very well. I'm not, not really concerned, so how's that for an honest answer?

K
The only part I, so I haven't seen, Jonathan, if you made any updates in the past couple of days or not. The only comment that I had at all was the part around, you know, how, how clear we were going to be around, you know, the word patch, because I found it was kind of overly ambiguous and we could probably make it a lot clearer given what we're trying to do.

A
The term patch, you mean, English, yeah.

K
So, and just, I'll just outline here in case people didn't read my thread in the past, so my, my, my only concern was around, like, you know, when we say, when we say in the policy we can disclose the vulnerability after a patch has been released. To me, it wasn't clear if we're talking about, okay, the fix is available in the open source repo, or the fix has been upstreamed to package delivery systems, or it's now available in the software, like, what do we mean by patch?

Is it, is it when the code is available on GitHub? Is it when it's downstream in, and, Red Hat and everyone else like that? That was my main question. I found it was kind of ambiguous, and I think in, in some other ones, like Google's, it's purposefully ambiguous, but I, I would kind of like it to be more clear myself, but yeah.

A
There, so I think that the, the term patch is intentionally ambiguous because it can mean different things for different ecosystems, right. For a steep package, right, it may just be the patch is available, because the downstream consumers are consuming source. A patch being available for a Java project most likely means that a new release of that jar has been published in Maven Central, right, and so because that is so ecosystem-dependent that it, there.
K
When lawyers, when lawyers get involved in these things, that's what I'm worried about, yeah, there's, there's.

A
The, I mean, there was other wording that I saw that it's not in here, but it was about a patch being made widely available, and so that would be, or it was available to, to consumers or something like that, and that would imply being in a state where it could actually be consumed. So that would, like, that would limit the scope of it being available in source repository if, if in the source repository, if that's not how the artifact is consumed, right. If it's consumed that way, for Go.

Repositories, like Go, for example, they're depending upon the git repository as the source, right, and compiling against that, that may be sufficient, but for a project that, sure, they've put the patch into the source code, but they, and they've merged that change, but they haven't necessarily published a release yet, then that, that wording may, right, so, so communicating in some way, like a patch widely available to, to consumers. Nope.

Problem with that is that source code, like, the, the problem with that, in, for critical security vulnerabilities, is that there are actors scanning git repository feeds and auditing them and determining whether or not a vulnerability has been patched but not announced yet, right, and so if you give that week, you're giving a week of no information being published about the vulnerability, but the, the actors that are, you know, bad actors can, can consume that knowledge and, and make that, make those decisions.

I mean, there is a lead time between identifying vulnerability and creating an exploit, right. That being said, depending upon how, how critical the vulnerability is, that lead time may be smaller and smaller and smaller. So, but you're right that, out, you know, even an hour can be too much at times, right. I mean, I, I don't have real data around this particular question, but I know that you want to minimize that time of the fix is public to it actually getting out to consumers in a way that they can actually consume it.

B
So, Jonathan, I would, now the alarm goes off. I would suggest let's do a formal email to the mailing list and Slack formally requesting comments. Let's give it till our next, put the deadline before March, make it March 6th, so that in our, that gives you time to kind of review it, and then we can come back to the working group call and talk about it, and then you'll probably need to talk to Brian or David Wheeler. I.

We want to make sure we get the community, you know, the, the, capitalize on our group's expertise. I'll mention this in the APAC call tomorrow. Maybe we'll get some additional feedback, and you know, as you know, Art put in some suggestions on wording. You know, Jason talked about his reservations around the word fix, so we might get some, some additional good nuggets to, to make this even better, but that's what I would suggest, yeah.

K
And I wouldn't say I have reservations. I'm just, I was just raising it as a comment. I wouldn't hold up this work at all based on that. I think, to Art's point, you know, it's a living document and we can evolve it. If learnings show that, hey, we need to put more scope around patch, that we could do that, but that, because that was literally the only thing that jumped out at me, right.

A
All right, you used to work for CERT, right, so Google's policy has the, if deadline is due to expire on a weekend or a U.S. holiday, the deadline will be moved to the next normal work day, and I got a bit of feedback on that saying, well, what about if the maintainer's in a different country and they have their own set of holidays, yeah, yeah.

H
Yeah, you know, if you got the complete global list, there's no good day to release anything, so, you know, that, it, it, it's, it. When I try to write this down, it looks a little wishy-washy, but I'd suggest this is actually a good place for, you know, reasonable attempt to hit core, you know, core working times and hours of most of the community involved with most of the user base. You can't do better than that.

You're always going to get someone's holiday, someone's time zone problem, but, you know, do the best you can, and we can write it better than "do the best you can" but make reasonable attempts to accommodate the majority of downstream concerned stakeholders, and then you can have a list of, like, things to consider: time zones, holidays, weekends. You know, and big blocks matter, right. You can't, you can't. If you've got, right, there are, there are blocks where entire countries are out of business for a couple of weeks.
B
Right, you need to bounce, Brian, and then, Jonathan, if you could keep an eye on hands up and close.

I
Thanks, all right, thanks. You know, I, I, happy to also get legal review early on this. I don't know that LF legal really has folks who've been a part of reviewing similar vulnerability disclosure processes in the past, and so if anybody has a recommendation for a lawyer that they have worked with on these kinds of things or that they trust to understand the balance of interest in disclosure and how to minimize liability for everybody, I think it's a fairly niche sector, so I'm willing to pay for, for that amount of time.

A, a lawyer, credentialed and, and with, you know, hopefully, you know, with some background too, then I can go to LF legal and say, you know, here's somebody whose opinions that I think you can trust, and obviously they don't, you know, be able to make that independent judgment too, but because ultimately, yeah, they will, they will want to weigh in on this, but I'd rather have them outsource this than, than try to train them on, on all the different issues. I.

H
I, I was going to say I think it is, I'd be happy, I'm happy to be involved in that conversation. I've, I've gone through that before with different folks. I think it is probably, you know, they get the, anyway.

Yeah, I'm sorry, I don't know anyone, but if you've got a few lawyers that have, like, understand, you know, internet and technical stuff, which a lot do these days, and I bet the LF's do, I think it's probably achievable, but that's just an opinion, so yeah, okay, thanks. Eric, aren't.

I
Yes, I am, and yes, we have folks like Eva Galperin and, and other, well, and lawyers. Actually it was just more of an advocate, but yeah, certainly have other, other means. I just wanted to tap the expertise of the folks in the room, yeah.

A
Okay, were there any other? Oh, the other topic that was listed, oh yeah, so before, before we move on, are there any other points?

Okay, the final point in the meeting agenda that I wanted to bring up real fast was I am establishing a SIG around auto-fixing vulnerabilities across open source. The meeting time has been selected. I'm about to send an email to operations at the OpenSSF to add that to the calendar. It's going to be from Wednesday, from Wednesdays from 4 to 5 p.m.

EST, starting next week, so it'll be a SIG underneath the Vulnerability Disclosure working group discussing standards and policies and processes around automating fixing vulnerabilities to scale across open source. So if you would like to participate and join, that's one of the league, and it'll be a bi-weekly meeting, so that is issue number one two three under the Vulnerability Disclosures working group, so yeah, any points, questions, concerns, issues with that?

Only once, going twice, sold. With that, is there any other points that any, or any other topics that anybody wants to bring up before we close out the meeting?