►
From YouTube: OpenSSF Vulnerability Disclosures WG (August 24, 2022)
A
C
B
C
B
A
C
B
A
A
If
you
do
that,
that
allows
me
to
contact
my
friends
up
at
the
foundation
to
make
sure
you
have
the
correct
permissions
to
be
able
to
interact
effectively
with
our
github
repo
we've
bumped
into
a
couple
situations
lately,
where
folks
have
had
some
opportunities
correctly
being
able
to
submit
prs
and
whatnot.
So
I
just
want
to
make
sure
I
get
permissions
set.
So
if
you
link
your
github
id
up
there
I'll
be
glad
to
make
sure.
A
And
then,
ideally,
I'm
talking
with
the
foundation
folks
and
ideally,
if
we
get
our
cbd
guide
closer
to
completion,
we
can
craft
a
short
blog
and
then
announce
it
at
open
source
europe,
which
will
be
happening
in
september
13th
through
the
16th.
Well,
we
would
like
to
announce
it
open
ssf
day
so,
provided
we
can
get
close
to
closure
and
get
1.0
uploaded
into
git.
I
think.
B
B
A
B
A
A
A
B
A
A
So
francis
has
filed
two
issues
for
us,
an
issue
for
us
to
keep
us
on
point
around
having
a
template
for
security
advisory
md,
which
we
I
think
we
have
as
part
of
the
maintainer
cbd
guide
and
then
a
vulnerability
report
md
file
as
a
template
to
share.
I
would
like
to
make
sure
that
those
are
shared
as
part
of
this
finder
guide.
A
B
B
B
A
B
A
C
A
A
C
B
C
C
B
C
I
think
I
can
tell
on
my
camera
too.
I
think
it
might
not
be
such
a
bad
thing
to
just
say.
While
there
might
be
others,
these
are
the
ones
we
recommend,
because
as
authors
we
have
authority.
So
it's
good
to
just
sort
of
take
a
stand
on
that.
Try
and
keep
things
relatively
less
complicated,
acknowledge
that
there
might
be
other
types,
but
these
are
the
ones
that
we
think
make
the
most
sense.
B
A
B
A
C
D
A
A
A
C
Can
give
some
context
on
that?
I
I
think
this
may
have
been
in
a
call
that
you
weren't
able
to
make
you
is
that
does
that
sound
familiar?
I
don't
know
because
time
has
no
meaning
for
me
anymore,
so
part
of
the
process
of
writing
your
disclosure.
You
know
you're
you're,
writing
it
for
different
audiences,
and
if
you
write
your
disclosure
with
the
intent
that
that
disclosure
will
be
made
public,
then
you
don't
have
to
rewrite
it,
and
so
that
was
kind
of
the
point
of
this.
C
A
A
Word
the
document
in
a
consistent
way,
a
little
bit
professional.
We
can
certainly
kind
of
speak
off
the
hip,
but
going
full
tlp
white.
I
think
we
could
phrase
that
a
little
better,
that's
again
grabbing
the
the
definition
will
help
us
maintain
consistent
voice
and
kind
of
a
professional
outlook.
Here.
A
A
A
C
C
D
Is
you
can
have
any
form
of
disclosure
of
the
vulnerability
at
the
end,
once
you've
submitted
it
through
either
a
vdp
or
a
bug,
bounty
or
directly
to
who
you
know
whatever
process
you
whatever
channel
you
took,
but
then
the
actual?
How
you're
disclosing
this
vulnerability?
At
the
end?
That's
why
I
was
questioning
it.
Does
bug
bounty
count
as
a
disclosure
option,
or
is
it
more
of
a
vehicle
for
this
coordinated
vulnerability
disclosure
process?
D
A
B
A
B
B
A
A
D
I'm
happy
to
take
a
stab
at
it,
I'm
happy
to
take
a
stab
at
it
and
I
think
what
what
maybe?
What
could
work
is,
because
we
do
talk
about
disclose,
io
and
bug
bounty
and
vdp.
In
some
other
sections,
we
might
even
be
able
to
include
it
in
like
some
like
table
or
other,
like
almost
as
part
of
the
glossary
or
definition
additional.
A
B
A
B
D
Yeah
like
when
I
was
going
through
this,
the
cert
guide
to
kind
of
compare
definitions
on
things
and
looking
at
that,
and
the
circuit
is
very
clear
that
it's
not
going
to
dig
into
zero
day
definition
of
zero
day.
Anything
like
that
and
also
the
this
was
another
kind
of
conflicting
section
when
it
comes
to
public
full
disclosure.
Just
looking
purely
from
a
definition
perspective.
D
A
A
B
A
B
D
B
A
B
This
this
this
strikes
to
me
like
is
there.
I
think
that
a
lot
of
these
things,
we
might
need
to
have
alignment
openness
set
wide
about
definitions
for
these
things.
I'm
just
wondering
if
there's,
if
there's
even
if
there's
not
existing
work,
is
this-
maybe
something
that
even
has
scope
outside
this
document?
B
A
C
C
You
know
you
just
get
all
the
meatballs
yeah,
but
splitting
it
off
into
a
separate
project,
so
we
can
then
get
mother's
hell.
As
a
matter
of
fact,
if
people
are
so
keen
to
do
that,
let's
get
them
to
start
writing
them
now,
throw
them
a
file.
Put
it
in
general,
say
people
everyone
into
the
pool,
and
you
have
one
week
to
do
it,
go
or
you
do
that
and
you
exceed
it
with
incorrect
information,
and
then
people
are
going
to
feel
obligated
to
fix
it.
A
B
A
C
C
C
D
D
A
C
A
quick
note
on
the
bibliography,
so
I
absolutely
was
really
working
my
way
through
those
I'm
using
zotero
to
create
the
to
create
the
citations,
because
I'm
not
going
to
manually
do
all
that.
But
it
also
means
we're
going
to
end
up
with
a
zotero
collection
at
the
end
of
this
and
that
zodaro
collection,
we
can
add
just
a
single
link
and
it
will
have
snapshots
of
all
of
these
articles
and
the
like.
Okay,.
A
A
B
A
All
right
cool,
so
I
I
think
111
is
addressed
with
that
particular
yeah.
We're
taking
a
look
at
your
we're,
taking
a
look
at
the
templates
at
the
bottom
of
the
document
and
we've
just
looked
at
the
disclosure
template
which
right
now
links
to
our
template
for
a
security
advisor
from
the
original
disclosure
guide
and
the
team
so
far
agrees
that
that
seems
to
meet
the
intention
of
issue
111.
So
I
think
I
think
that
one
we
could
close
and
we
always
have
the.
A
A
A
Personal
vulnerability,
disclosure
policy
example.
This
is
something
I
know.
Jonathan
was
very
keen
on.
Is
anyone
aware
do
we
have
any?
Does
anyone
have
any
exemplars
of
that,
or
should
I
reach
out
to
jonathan
to
see
if
he
can
share
something
that
talk
a
template
with
us
or
you
know,
do
we
do
we
feel
that
we
do?
We
still
see
value
in
having
this
in
here
as
part
of
our
templates.
D
And
also
not
to
name
drop
folks
when
they're-
not
here,
I
don't
see
madison
here
today,
but
I
know
madison
had
also
talked
about
that.
She
might
have
a
good
example
of
some
basically
the
idea
of
setting
an
expectation
as
a
researcher
when
you
are
reporting
a
vulnerability,
not
necessarily
like
an
official.
This
is
my
formal
policy,
but
these
are
the
expectations
that
I
have
through
this
engagement,
because
I
think
she
had
said
like
like
in
her
work.
D
A
Well-
and
we
talked
about
the
the
word
use
of
the
word-
policy-
has
a
lot
of
implications
and
potential
legal
ramifications
we
wanted
to
avoid.
I
have
double
francis's,
that's
kind
of
cool
like
I
got
a
bad
vr
helmet,
so
I,
the
actual
expectations,
may
be
a
way.
We
would
like
to
phrase
this
that
the
researchers
should
come
in
and
help
have
this
expectation,
and
it
should
understand
what
the
expectations
and
kind
of
rules
of
the
project
are
as
well.
So
does
it
remember
her
email.
A
C
A
Okay,
so
I
I
might
have
one
so
I
will
participate
in
this
if
anyone
else
has
an
example
of
what
a
good
vulnerability
report
might
look
like,
please
feel
free
to
contribute
that,
but
I
will.
I
definitely
have
an
example,
because
I
did
a
presentation
at
derbycon
about
this,
so
I
have
somebody
just
grab
off
my
slide.
A
A
C
B
I
mean
I
would
oh
sorry,
I
should
use
the
hands,
then
sorry,
I
I
I
so
my
personal
opinion
I
would
stay
out
of
this.
I,
in
my
opinion
of
what
is
and
is
not
what
a
specific
project
once
in
a
bug
report
is
very
specific
to
the
given
open
source
project
they
have.
You
know
every
project
will
have
their
own
idea
of
what
they
want
in
their
bug
report.
A
B
A
A
A
A
B
A
A
All
right
team,
thank
you
for
participation,
we're
so
close,
I'm
so
happy
to
see
our
progress
so
we'll
talk
to
you
in
the
next
few
weeks
and
keep
up
chatting
chattering,
whether
you're,
adding
somebody
to
document
or
through
slack
or
through
our
mailing
list.
However,
you
want
to
engage
the
folks
and
I
will
be
following
up
on
my
ais,
so
thank
you.