►
From YouTube: OpenSSF Vulnerability Disclosures APAC (May 25, 2023)
B
E
A
E
A
A
A
E
E
I
I,
so
we
could
have
Jonathan
continue
or
Jonathan
pick
it
up.
Just
as
part
of
his
role
in
in
AO.
I
would
love
to
have
like
what
I'm
concerned
about
now
is
like
it's
like
bus
factor
of
one
moving
to
Jonathan
makes
it
like,
basically
still
one
one
and
a
half.
You
know
if
someone
else
from
this
working
group
could
like
partner
or
even
secondary
it
or
just
be
a
active
contributor,
I
think
that
would
that
would
solve.
It
would
get
us
a
higher
scorecard
score
and
everything
so.
A
Again,
the
tool
is
great,
and
you
know
if,
like
the
the
P,
the
cert
Sig
ever
gets
funded
I,
think
that
would
be
a
tool
that
that
piece
or
potentially
would
adopt
as
part
of
their
tool
set
and
then
I
think
we
definitely
would
have
some
developers
because
we
actually
had.
We
had
asked
for
some
development
assistance,
so
we
would
be
able
to
whether
it's
a
contractor
or
trying
to
get
a
volunteer
so
I
think
there's
definitely
lots
of
opportunity
and
it's
a
very.
A
E
I
I,
don't
know
like
I,
think
I'm,
just
gonna
beg
forgiveness,
but
right
now
it's
in
my
personal
GitHub
account.
That's
that's
terrible.
I
created
a
private
repo
in
ossf
the
code's.
Now
there
we
don't
have
like
Advanced,
security
and
stuff
like
that
turned
on
so
like
everything
is
breaking.
Don't
flip.
The
bit
to
public
I'll
include
in
the
readme
that
this
is
preview,
and
it's
already
called
a
proof
of
concept
and
stuff
like
that.
A
Then,
in
parallel,
if
you
want
to
send
an
email
to
the
Vol
mailing
list,
asking
you
saying
hey,
we
would
like
this
group.
If
you
adopt
us
and
hey,
if
you
had
anyone
that
was
interested
you
know,
patches
are
welcome.
We'd,
like
to
some
development
assistance
that
way
it's
queued
up
for
the
next
call
and
I
can
say:
let's
Let's
decide
if
we
want
this.
Oh
man,
speaking
of
developers,
I,
know
I,
do
know
one
developer.
A
A
G
A
B
A
C
A
F
D
A
A
Don't
know
if
this
is
related
to
Amisa
had
suggested
they
might
like
to
make
their
own
nvd
I
know
that
some
of
the
nvd
folks
had
expressed
interest
in
engaging
community
and
Private
Industry
to
assist
with
improving
nvd,
so
I'm,
not
certain
specifically
what
Ollie
was
looking
for,
but
maybe
I'll
watch
this
video
and
we
could
talk
about
it.
The
next
call.
A
A
We
are
I
was
going
to
mention
to
the
group
we're
going
to
be
alternating,
open
Vex
calls
where
we
will
have
one
call
be
focused
on
development
and
actually
maintaining
the
spec
and
the
software.
So
it's
a
technical
call
and
then
the
alternate
calls
will
be
focused
on
evangelism
engaging
how
we
can
engage
with
larger
industry
groups.
How
we
can
work
with.
You
know,
tools
like
spdx
or
Cyclone
DX
to
help
further
Vex
in
general
and
then
to
try
to
evangelize
using
the
awesome
little
tool
that
the
team
put
together.
G
G
At
a
high
level
is
a
proposal
for
funding
and
effort
and
energy
step
back.
Okay,
I
presume
that
or
I
I
posit
that
a
majority
of
the
major
artifact
servers
made
in
central
Gradle
plug
import
npm.
Those
sorts
of
artifact
servers
have
never
had
a
pen
test
performed
against
them
for
determining
you
know.
Have
they
been
odd?
You
know
how
what.
G
The
scope
of
it
includes
a
pen
test
of
the
firm
and
then
a
red
team
engagement
against
the
organization
where
we,
you
know,
hire
a
firm
to
do
a
live,
attacker
sort
of
simulation.
The
proposition
is
that
the
vulnerabilities
just
found
in
the
technical
part,
the
pen
test
would
be
publicly
disclosed.
The
part
in
the
pen
in
the
red
team
engagement
would
not
be
publicly
disclosed.
C
G
At
a
high
level,
if
you
are
a
non-for-profit,
you
would
have
your
audit
paid
for
and
also
we
would
hire
a
a
contractor
for
you
or
allocate
money
to
you
to
actually
help
fix.
Those
vulnerabilities
not-for-profits
are
only
non-profits
if
they're
repository,
artifact
server
is
open
source.
If
it's
not
open
source,
then
it's
corporate
just
because
you
can't
it's
harder
to
hire
a
contractor
to
fix
something:
that's
not
open
source
and
then
for
the
pen
test.
G
We
offer
corporations,
which
are
you
know,
either
the
option
of
we
can
fund
the
pen
test,
but
the
disclosures
will
come
with
a
90-day
deadline
or
they
fund
this.
They
fund
the
pen
test
and
the
disclosures
will
come
with
a
like.
We
just
want
to
see.
We
want
to
see
their
reports
after
180
days
with
a
with
a
retest
report.
G
Something
I
haven't
written
to
this
Paul
into
the
policy,
but
something
that
I
want
to
toss
in
there
is
that
it
will
also
include
in
scope.
Theoretically,
the
idea
is,
after
the
first
wave
of
all
the
audits,
we
would
stand
up.
A
pen
we'd
stand
up
a
bug,
Bounty
program
for
enabling
you
know
paying
researchers
to
look
at
this
infrastructure
in
writ
large
and
Reporting
things.
A
G
Omega,
so
so
that's
the
idea
primarily
and
then
ostiff
and
then
maybe
open,
SF,
yeah
and
then
also
I
would
want
there
to
be
one
staff
member.
So
one
of
the
things
let's
do
in
there
is
to
run
this.
There
would
be
one
staff,
that's
not
full-time,
dedicated
but
part-time,
dedicated
to
running
this
whole
thing
from.
E
I
would
really
like
openssf
to
chip
in
something
on
this
yeah
I
I
like
so
because
this
is
being
recorded.
I'm
going
to
preface
this
with.
This
is
just
spitballing
ideas.
There's
no
promises
in
any
of
this,
but
if
openssf
were
to,
let's
say,
go
half
fees
in
with
AO
I
think
that
would
make
it
easier
for
us
to
out,
because
this
is
a
significant
I
mean
this
is
It's.
A
A
A
G
E
I,
we
have
to
be
a
little
slightly
careful
about
that,
but
conceptually
I
think
that
that
that's
fine
I
mean
we
could
State
this
as
one
of
our
program
goals
for
the
second
half
of
the
calendar
year,
I
mean
if
it
would
help
I
would
be
very
happy
to
like
push
strongly
for
I
I,
don't
know
like
I,
don't
know
enough
to
know
about
to
know
how
to
get
it
done,
but
if
they're,
if,
if
my
voice
would
help
unlock
funds,
I
think
that
would
be.
That
would
be
awesome.
A
A
G
A
A
D
G
A
E
G
G
A
And
then
you
know
like
Amanda
can
help
us
once
we
get
once
I
share
the
template
with
you,
she
can
help
us
get
staged,
but
just
just
have
measured
expectations
that
are
coming
in
the
middle.
The
economy,
sucks
yep,
you
know,
half
half
of
high
tech
got
laid
off.
People
aren't
really
interested
in
throwing
giant
bags
of
money
at
problems
right
now,.
G
C
G
C
G
C
A
G
G
A
E
E
A
D
A
B
Had
talked
about
having
volunteers
for
the
open
source
cert
before
I,
stop
going
to
those
conversations
so
did.
Where
did
that
conversation
end
up
with
them,
since
I
imagined
that
right
there
was,
hopefully
some
research
or
thought
put
into
what
is
the
likelihood
that
we
would
actually
get
volunteers
from
these
organizations.
F
D
B
C
D
G
Actually,
instead
of
a
cert,
can
you
do
trainings
and
I'm,
like
they've,
never
been
in
an
incident
before?
Have
they
like
they?
They
you
don't
need
trainings
in
an
incident.
You
need
an
incident
responder
like
you
have
fire
departments
that
also
do
trainings,
but
they're
there
to
be
the
fire
department,
but.
E
E
C
B
There
was
a
particularly
interesting
presentation
at
the
open
source
Summit
a
couple
of
weeks
ago
from
the
folks
from
the
node.js
community,
where
they
discussed
some
of
the
difficulties
they
have
had
in
having
volunteers
be
responders,
and
so
that
is
that
is
a
volunteers
are
great,
but
that
is
a
very
difficult
thing
to
come
by
in
open
source
and
also
a
more
difficult
thing
to
keep
and
retain
so
for
for
a
service
like
this
I
think
longevity
is
also
pretty
important.
I'm.
F
B
A
A
A
We'll
prompt
that-
and
we
probably
I
would
say,
probably
will
not
get
an
answer
until
we
get
a
chance
to
finalize
to
refresh
the
immobilization
plan.
That's
there's
some
people
looking
at
that
kind
of
reviewing
where
we
are
or
what
we
did.
What
we
didn't
do
so
I
think
once
that's
done,
it
would
be
the
next
step
of
how
they
want
to
proceed
with
funding
or
what
gets
moved
forward.
B
I
had
one
more
question
about,
while
we're
still
talking
about
the
great
repository
audit,
so
there
are
I,
don't
how
much
have
we
already
engaged
package
managers
or
package
registry
maintainers
in
in
this
because
I
know
there
are?
There
are
some
some
that
have
lists
right
of
here's,
how
you
could
actually
fund
us
in
a
way
that
will
help
us?
Yes,.
G
G
Yeah
also
I
should
probably
send
this
to
yeah,
so
I
I,
don't
have
the
contacts
with
the
artifact
server
in
you
know,
artifact
servers
as
much
as
somebody
else
does.
So.
If
anybody
else
has
contacts
with
I
mean
I
can
only
just
do
security
at
but
like
if
I'd
rather
go
to
like
a
real
person,
because,
like
it's
more
respectful
than
going
through
the
security
Channel.
B
G
G
G
I
agree:
I
can
talk
to
them
and
see
what
yeah
it's
so.
The
meeting
currently
has
mostly
been
Brian,
Fox
kind
of
somewhat,
and
then
also
the
people
from
chain
guard
and
and
and
shock
like
it's
been
very
it's
like
definitely
shrunk
in
size
and
so
I'm,
hoping
that
this
will
rekindle
it,
and
hopefully
we
can
get
some
more
of
the
people
involved.