From YouTube: OpenSSF Vulnerability Disclosures WG (August 24, 2022)
A: All right, we are at two after the hour. Let's get rolling. I don't think we have any new friends. Can I get somebody to volunteer to help us take notes today?

C: Yeah, I can try to help, Francis, but I'm kind of multitasking during this call today. So I apologize if I can't. I know it's the worst. Okay, I usually do try to give you my full attention.

B: Anyone have... I know, if my keyboard is too noisy, though. Oh, I hope you have a mechanical one. I love it. I do, but I, yeah, anyhow. Let me know.

A: It went to a landfill, I think. So, if anyone is interested, you can modify your attendance to provide a link to your GitHub ID.

A: If you do that, that allows me to contact my friends up at the foundation to make sure you have the correct permissions to be able to interact effectively with our GitHub repo. We've bumped into a couple situations lately where folks have had some opportunities correctly being able to submit PRs and whatnot. So I just want to make sure I get permissions set. So if you link your GitHub ID up there, I'll be glad to make sure.
A: And then, ideally, I'm talking with the foundation folks, and ideally, if we get our CVD guide closer to completion, we can craft a short blog and then announce it at Open Source Europe, which will be happening in September, 13th through the 16th. Well, we would like to announce it at OpenSSF Day, so provided we can get close to closure and get 1.0 uploaded into Git, I think.

A: Two, two concise guides we want to publish. So ideally, we could just kind of write two short blogs and then make that as part of the release.

A: And then I'll notify, I'll share that with Jennifer Bly, she's our marketing person from the foundation now, and then we'll kind of share it with the TAC and then share it with the world.

B: If you'd like, I can, I can share with you the link on Slack, so you can see what I have so far and see what I... Sure.

A: And let me ask a question before we get too far, Francis. I saw that you submitted a PR. Was that against this document, or just in general, we should have those two requested files as resources?

A: So Francis has filed two issues for us, an issue for us to keep us on point around having a template for a security advisory .md, which we, I think we have as part of the maintainer CVD guide, and then a vulnerability report .md file as a template to share. I would like to make sure that those are shared as part of this finder guide.
A: All right, so let us take a look at the guide.

A: Kayla had spent a bunch of time adding and making some edits. I went through and approved into the document. I see she didn't show up today, versus I would love to have her summary.

A: Got rid of the duplicative VDP and bug bounty language, because it's already incorporated into the body of the document.

A: And then I'd like to talk about the appendices on page 11, so let's...

A: ...to page seven, where we had started our table of disclosure actions. Let's see if we can get this table hashed out and approved as a group, then let's talk about our assorted things we need for the appendix, appendices.

A: So we have listed, we have disclosure options of no...

C: According to some of the comments, there are already definitions for some of these standards, for some of these, and I don't know, looking at the document, whether those have already been incorporated or not. Does anyone know that?

A: Do we want to, how do we want to present this data? Do we like the table? Do you want to revert it to text or a bulleted list?

A: So again, we're on page seven of the disclosure guide for finders, looking at our table options, so we're...

C: I mean, aside from the existing comments that we will need to deal with, I think the list looks good, but I don't spend quite as much of my time in this space. I know. Good.
C: Yeah, I, yes, let's just put it that way. Yes, so I think that, like, you, Crystal, Jay and Francis, people who spend a lot of time in this space, if you think this is a good list, I am very happy to go forward as is.

C: I think I can tell on my camera too. I think it might not be such a bad thing to just say, while there might be others, these are the ones we recommend, because as authors we have authority. So it's good to just sort of take a stand on that. Try and keep things relatively less complicated, acknowledge that there might be other types, but these are the ones that we think make the most sense.

A: All right, let's see up here.

A: Up in the text, Francis notes that these aren't exclusive, so again that ties into my little red and yellow statement. I'll figure out a way to word this. This is a non-exhaustive list. These are the most common ones, are the ones in the networks, Vicky.

C: Well, there's a difference between exclusive and exhaustive, like there can be overlap for these, I think, is what Francis was saying. Wasn't it like you can have something that is disclosed in multiple different ways, or was I misunderstanding what you meant by exclusive there?

A: Some suggest some flavor text, and I'll have the group kind of chew on that. Once I get that in there, and we can kind of see if I meet both the "these are whatever you're endorsing" and "this is also not the only way, multiple methods could be used," so keep...

A: To Vicky's next comment: don't forget to write the disclosure for the public. Can we refine that sentence so it does provide more explanation for folks?
C: Can give some context on that? I, I think this may have been in a call that you weren't able to make. You, is that, does that sound familiar? I don't know, because time has no meaning for me anymore. So part of the process of writing your disclosure, you know, you're, you're writing it for different audiences, and if you write your disclosure with the intent that that disclosure will be made public, then you don't have to rewrite it, and so that was kind of the point of this.

C: This, this comment was letting people know that. Not sure that that belongs in this space, though.

C: Let me see, did you scroll? Oh, okay. No, it does belong in this space, I think. Now I don't see that comment.

A: Looking at that comment, so if anyone's interested in providing some additional words there, we can, to help reflect.

A: And then Randall will help us with some review from Crystal and everyone to get to integrate these CERT definitions for the disclosure types.

A: And I don't, I, I would like to, if we go like, if you look at full, wherever possible, if we could...

A: Word the document in a consistent way, a little bit professional. We can certainly kind of speak off the hip, but "going full TLP white," I think we could phrase that a little better. That's again grabbing the, the definition will help us maintain consistent voice and kind of a professional outlook here.

A: Awesome, thank you. And then we want to consider Kayla's notes. She wasn't sure if bug bounty is a disclosure option, so as, as a group...
C: Possibly. Isn't there a, I thought there was a section in here on that. It might make sense to have a, another section below saying, and here are some of the possibilities here, but do your research and look for the one that's right for you, sort of blah blah blah.

D: ...is you can have any form of disclosure of the vulnerability at the end, once you've submitted it through either a VDP or a bug bounty or directly to who you know, whatever process you, whatever channel you took, but then the actual, how you're disclosing this vulnerability at the end? That's why I was questioning it. Does bug bounty count as a disclosure option, or is it more of a vehicle for this coordinated vulnerability disclosure process?

C: I mean, I am aware that we want to get this out ASAP, and so this is moderately scope creep to some extent, but it's still, I think, about, maybe not scope creep, but it's adding, and therefore adding a little complexity.

B: Sorry, before, before moving on, we didn't really get agreement. Do we want to have like a different section for non-specifically disclosure options or not, and who wants to volunteer to write that down?

D: I'm happy to take a stab at it, I'm happy to take a stab at it, and I think what, what maybe, what could work is, because we do talk about disclose.io and bug bounty and VDP in some other sections, we might even be able to include it in like some, like, table or other, like almost as part of the glossary or definition, additional.

A: All right, before we move on to page 11, I see this whole section covered in yellow, "I'm a CNA of last resort." Have, have we already covered this, and can we remove this piece?
A: And we also specifically state on page eight the CNA of last resort link.

A: All right, the, before we move on again, page nine, "when all else fails, dropping a zero day."

D: Yeah, like when I was going through this, the CERT guide, to kind of compare definitions on things, and looking at that, and the CERT guide is very clear that it's not going to dig into zero day, definition of zero day, anything like that. And also the, this was another kind of conflicting section when it comes to public full disclosure, just looking purely from a definition perspective.

A: Down on page nine, to "dropping a zero day."

A: I think we agree we want to acknowledge it is a thing, and we want to rephrase it to help coach. If that's not a desired outcome, and then it is a failure, the process broke down somehow.

A: Do we even move it, like the section below is "troubleshooting common challenges"? Do we even move that below, down to that section, and talk about it?

D: I'm happy to go all suggest mode and take a stab, I'm happy to. You can put my name there on that, and I'm sure I'll drag Crystal into it, because that's what I do. Yes, yeah. So we can.

A: All righty, now I'm moving down to page 11 and the appendix. We'll start off, dependencies, we'll start off with the glossary.

B: This, this, this strikes to me like, is there, I think that a lot of these things, we might need to have alignment OpenSSF-wide about definitions for these things. I'm just wondering if there's, if there's, even if there's not existing work, is this maybe something that even has scope outside this document?
B: I, I don't know, because I know there's been discussion in some of the Slack channels about, you know, you know, coming to alignment on some of the terminology, because some of the terminology is used slightly differently in different working groups. Just a thought here.

C: We essentially, people are going to get this document as a standalone thing, and while they can then later follow links, we have to give them the resources to be successful with this one document. So I would suggest going through these, perhaps splitting them off into like, you take five, you take five, you take five, whatever it takes to make progress on that, but then once we get it done, definitely splitting this off into a separate project, perhaps under the Education SIG or Best Practices Working Group, sorry, but it does roll.

C: You know, you just get all the meatballs, yeah, but splitting it off into a separate project, so we can then get mother's hell. As a matter of fact, if people are so keen to do that, let's get them to start writing them now, throw them a file. Put it in general, say people, everyone into the pool, and you have one week to do it, go. Or you do that and you seed it with incorrect information, and then people are going to feel obligated to fix it.

A: ...is a method? Yes, definitely the, the grammarians and rules lawyers, so to speak, would definitely jump on that.

A: Hi, Francis, do you have anything to... Yeah, yeah.

A: Thank you, and I will make that happen. So the Education SIG will take this on for today, and our deadline, do we want to...
C: Yeah, exactly. The Edu SIG is, is doing great stuff, but it's on its own path at the moment, and this is something that they certainly can adopt in the future. But it's not to that point yet, but so, unless we throw it to the wider community and say, here's what we're doing, we need your help.

A: What I could do is, I could stage the file in Education SIG, and we can send a note out to the group lists and ask for quick contributions, and then again, with the issue long term, we can refine that and make it an official OpenSSF thing. So I'll take the AR to stage the file, I'll take the AR to copy and paste this into a file and provide a link.

D: I am happy to take an action item to kind of go through and look for all of these acronyms, the acronyms at least, and ensure that the first time we use them, we, at least, maybe we don't provide like a full crazy...

A: All right, scrolling down further, page 12, our bibliography, I see, is growing, and I love that. So I would ask for, as anyone has any additional resources or links, please post them there, and let's go to the last little bit of templates and examples.

C: A quick note on the bibliography, so I absolutely was really working my way through those. I'm using Zotero to create the, to create the citations, because I'm not going to manually do all that. But it also means we're going to end up with a Zotero collection at the end of this, and that Zotero collection, we can add just a single link and it will have snapshots of all of these articles and the like. Okay.

A: All right, let us turn our last few minutes together to templates and examples. So we have the PR that Francis filed, let's see where we go here. So we have the, in the original open source vulnerability guide, the first link there for a disclosure template.

A: We have our template here, so does that align with, or are we happy with that? Do we need to make any updates to that?

A: The desired request from issue 110 and 111, does that...
A: All right, cool. So I, I think 111 is addressed with that particular, yeah. We're taking a look at your, we're taking a look at the templates at the bottom of the document, and we've just looked at the disclosure template, which right now links to our template for a security advisory from the original disclosure guide, and the team so far agrees that that seems to meet the intention of issue 111. So I think, I think that one we could close, and we always have the...

A: Personal vulnerability disclosure policy example. This is something I know Jonathan was very keen on. Is anyone aware, do we have any, does anyone have any exemplars of that, or should I reach out to Jonathan to see if he can share something that, talk, a template with us? Or, you know, do we, do we feel that we do, we still see value in having this in here as part of our templates?

D: And also, not to name drop folks when they're not here, I don't see Madison here today, but I know Madison had also talked about that. She might have a good example of some, basically the idea of setting an expectation as a researcher when you are reporting a vulnerability. Not necessarily like an official "this is my formal policy," but "these are the expectations that I have through this engagement," because I think she had said, like, like in her work.

A: Well, and we talked about the, the word, use of the word "policy" has a lot of implications and potential legal ramifications we wanted to avoid. I have double Francis's, that's kind of cool, like I got a bad VR helmet. So I, the actual expectations may be a way we would like to phrase this, that the researchers should come in and help have this expectation, and it should understand what the expectations and kind of rules of the project are as well. So does it, remember her email?

A: No, all right. I'll, I'll, I'll reach out to both Jonathan and Madison to see if we can get this one closed out.

A: The next template we were looking for is a vulnerability report submission, so is how...
A: Not the one with a billion comments on it.

A: I saw Callaway was approving merges, so we were close.

A: Okay, so I, I might have one. So I will participate in this. If anyone else has an example of what a good vulnerability report might look like, please feel free to contribute that, but I will, I definitely have an example, because I did a presentation at DerbyCon about this, so I have, somebody just grab off my slide.

B: Yeah, just a thought: do we maybe also want an example of a bad report?

A: If you have suggestions around that, Jason, once I get the stub pushed up to the, good, PR 112, if you want to add comments to that, that would be very helpful.

A: To a developer, a bug is a bug is a bug, whether it has security implications or not. I didn't put this in here. So what is, what was the intent of having a vulnerability and then a bug report? Was, is there a nuance I'm unfamiliar with? Do we need to have an example for...

C: I don't recall exactly, but I think it was something like, these are security researchers, not necessarily open source developers, and so they might not be as familiar with what a good bug report looks like, like, here's how you reproduce.

B: I mean, I would, oh, sorry, I should use the hands, then, sorry. I, I, I, so my personal opinion, I would stay out of this. I, in my opinion, of what is and is not, what a specific project wants in a bug report is very specific to the given open source project. They have, you know, every project will have their own idea of what they want in their bug report.

A: So perhaps we trim this out.

A: Yeah, I agree. We don't want to be in the business of explaining, person, explaining to projects that, you know, this is how you should do, accept bugs, but we probably...

A: All right, team, thank you for participation. We're so close, I'm so happy to see our progress. So we'll talk to you in the next few weeks, and keep up chatting, chattering, whether you're adding somebody to document or through Slack or through our mailing list. However you want to engage the folks, and I will be following up on my AIs. So thank you.