From YouTube: OpenSSF Vulnerability Disclosures APAC (May 25, 2023)
A: Yeah, it's, oh, it's up in the 60s right here now, but it was cold. I...

A: All right, well, we will get rolling. I guess not everyone's as excited to be here as the three of us are. What would we like to talk about today?

E: I, I, so we could have Jonathan continue, or Jonathan pick it up, just as part of his role in, in AO. I would love to have, like, what I'm concerned about now is, like, it's like bus factor of one; moving to Jonathan makes it, like, basically still one, one and a half. You know, if someone else from this working group could, like, partner or even secondary it, or just be an active contributor, I think that would, that would solve... It would get us a higher Scorecard score and everything, so.

A: Again, the tool is great, and, you know, if, like, the, the P, the cert SIG ever gets funded, I think that would be a tool that, that piece, or potentially, would adopt as part of their tool set, and then I think we definitely would have some developers, because we actually had... we had asked for some development assistance, so we would be able to, whether it's a contractor or trying to get a volunteer. So I think there's definitely lots of opportunity and it's a very...

A: ...back today, and then tomorrow is a rest day for my part of the org, so I get tomorrow off, but...
E: I, I don't know, like, I think I'm just gonna beg forgiveness, but right now it's in my personal GitHub account. That's, that's terrible. I created a private repo in ossf; the code's now there. We don't have, like, Advanced Security and stuff like that turned on, so, like, everything is breaking. Don't flip the bit to public. I'll include in the readme that this is preview, and it's already called a proof of concept and stuff like that.

A: Then, in parallel, if you want to send an email to the Vol mailing list, asking, you saying, hey, we would like this group, if you adopt us, and hey, if you had anyone that was interested, you know, patches are welcome, we'd like some development assistance. That way it's queued up for the next call and I can say: let's, let's decide if we want this. Oh man, speaking of developers, I know, I do know one developer.

E: Perfect, all right, cool, so I'm gonna flip the bit on it right now as we're talking, so, because otherwise I'll forget and we'll never actually do it. Wait, change your house for visibility, organization members can't change repository visibility.

G: We reared the, the, some Jordan, Mrs, Mrs Jordan. There was a bunch of changes that were made to permissions on the repository recently, including now members cannot create new repositories under the OpenSSF.
A: So we were talking about disclosure check. Does anyone have any feedback or questions or comments about it?

B: Just positive feedback. I think it looks great, awesome. I love the idea. Others within GitHub that have taken a look at it have, like, also given thumbs up. So just lots of positive feedback, love it. Thank you. Yay.

A: Well, and potentially, if we can get, again, those additional contributors, maybe it's something we even potentially modify, like, one of the main, one of our CVD guides for, to kind of highlight, er, here's a way if you don't know how to contact somebody, here's a great tool to go in and check, yeah.

G: Yes, can you give me, can you go to another topic and come back to me.

F: No, but I do have a, another request: if you could add a chirping crickets to your sound bar, that will also come in handy, I'm sure.

A: All right, so I guess we'll have to wait for the full meeting to understand what Ollie was looking at. I know that he is very involved in matters within the EU, and I don't know if this is related to ENISA had suggested they might like to make their own NVD. I know that some of the NVD folks had expressed interest in engaging community and private industry to assist with improving NVD, so I'm not certain specifically what Ollie was looking for, but maybe I'll watch this video and we could talk about it the next call.
A: Do we have any additional topics we would like to discuss? I will say, with Adolfo here, our next OpenVEX call, which will be on this up... it will not be on Monday, I guess, well, I guess if you wanted to meet Monday, you can meet, but I'll be on holiday, enjoying some delightful barbecue.

A: We are, I was going to mention to the group, we're going to be alternating OpenVEX calls, where we will have one call be focused on development and actually maintaining the spec and the software, so it's a technical call, and then the alternate calls will be focused on evangelism, engaging, how we can engage with larger industry groups, how we can work with, you know, tools like SPDX or CycloneDX to help further VEX in general, and then to try to evangelize using the awesome little tool that the team put together.

G: Okay, so Michael was up at 6am this morning, his time, to, to join for a conversation about the great repository audit.

G: At a high level, it's a proposal for funding and effort and energy. Step back. Okay, I presume that, or I, I posit that a majority of the major artifact servers, Maven Central, Gradle Plugin Portal, npm, those sorts of artifact servers, have never had a pen test performed against them for determining, you know, have they been audited? You know, how, what...

G: The scope of it includes a pen test of the firm, and then a red team engagement against the organization where we, you know, hire a firm to do a live attacker sort of simulation. The proposition is that the vulnerabilities just found in the technical part, the pen test, would be publicly disclosed. The part in the pen, in the red team engagement, would not be publicly disclosed.

G: The, the result, like, we were able to achieve this and, like, that it happened, would be public, but not the methodology under which that was, er, that, that was able to be achieved, because that's a lot more sensitive as a, as a methodology, and we don't want to, you know, that's, that's not, I don't think, is useful.
G: At a high level, if you are a not-for-profit, you would have your audit paid for, and also we would hire a, a contractor for you or allocate money to you to actually help fix those vulnerabilities. Not-for-profits are only non-profits if their repository, artifact server, is open source. If it's not open source, then it's corporate, just because you can't, it's harder to hire a contractor to fix something that's not open source. And then for the pen test...

G: We offer corporations, which are, you know, either the option of we can fund the pen test, but the disclosures will come with a 90-day deadline, or they fund this, they fund the pen test and the disclosures will come with a, like, we just want to see, we want to see their reports after 180 days with a, with a retest report.

G: Something I haven't written, to this point, into the policy, but something that I want to toss in there, is that it will also include in scope, theoretically, the idea is, after the first wave of all the audits, we would stand up a pen, we'd stand up a bug bounty program for enabling, you know, paying researchers to look at this infrastructure writ large and reporting things.

A: I think it's a good idea. I am concerned with the current financial climate and the track record the foundation has reviewing funding requests, how this would go about being funded, Alpha...

G: Omega, so, so that's the idea primarily, and then OSTIF, and then maybe OpenSSF, yeah, and then also I would want there to be one staff member. So one of the things, let's do in there, is to run this. There would be one staff, that's not full-time dedicated but part-time dedicated, to running this whole thing from...
E: I would really like OpenSSF to chip in something on this, yeah. I, I like, so, because this is being recorded, I'm going to preface this with: this is just spitballing ideas, there's no promises in any of this, but if OpenSSF were to, let's say, go halfsies in with AO, I think that would make it easier for us to, out, because this is a significant, I mean this is, it's...

A: It's not insignificant, but, and not, what I'm afraid of is, we are nearing the second quarter, and so this is an unfunded request currently for the foundation. Yeah, yeah, it's coming.

A: We could, they all work with you to put together a funding request to go before that. But having done three of them and having zero responses in six months, I will state I don't, wouldn't have a high... If so...

G: ...ever happened this year, I'm curious. Is there a higher likelihood of this getting funded directly from organizations when I support this project, or getting funded through, like...

E: I, we have to be a little, slightly careful about that, but conceptually I think that, that, that's fine. I mean, we could state this as one of our program goals for the second half of the calendar year. I mean, if it would help, I would be very happy to, like, push strongly for, I, I don't know, like, I don't know enough to know about, to know how to get it done, but if they're, if, if my voice would help unlock funds, I think that would be, that would be awesome.

A: A mid-year unfunded request for anyone, and again, I just, we can, I'll be glad to work with you. There is a template that's used, and, you know, I, I think, again, mission-wise, it feels nice, it feels good that this is the type of thing the foundation wants to see happen. It's...

A: But no, I, I will, I'll shoot you over a copy of the template that we've used for the couple funding requests. I would give the chair of the TAC...

A: Again, we may be more successful if we're willing to delay until 2024 and get it part of Omkar's budget ask. And again, you, you, we have a brand new managing director, he's still trying to figure stuff out, I, I...

A: And then, you know, like, Amanda can help us once we get, once I share the template with you, she can help us get staged, but just, just have measured expectations that are coming in the middle. The economy sucks, yep, you know, half, half of high tech got laid off. People aren't really interested in throwing giant bags of money at problems right now.

A: And just give me, technically I'm not working tomorrow, but I've got that Atlantic Council thing, but I will track down the template and scrub it and send it over to you guys.
A: We can get that started, but, but once you have your idea kind of coalesced on paper, then we would want to...

G: Yeah, so that, for that, the problem with that is that Amir has a better view into that than I do from Austin, because he's done a lot more of these things, and I, I don't know what it's going to cost. I've actually, I, like, I would probably want to go get quotes from companies first.

G: Do you think if there are any organizations out there that would want to do this sort of research or work at a discount because of its public good, and given that this infrastructure is somewhat given away for free and it's, like, driving all of open source?

E: What, what alternative is here is most of our organizations have internal red teams and pen testers and, like, yeah, folks that do this regularly. There's...

A: Yeah, that's also something, and again, if that's what you want, you know, let's put that in your, your business case, your request, saying that, you know, money's great, but, you know, people are better. Potentially we...

B: ...had talked about having volunteers for the open source cert before I stop going to those conversations, so did, where did that conversation end up with them? Since I imagined that right there was, hopefully, some research or thought put into what is the likelihood that we would actually get volunteers from these organizations. Since that's an effort, do we think that's actually realistic?

G: Actually, instead of a cert, can you do trainings? And I'm, like, they've never been in an incident before, have they? Like, they, they, you don't need trainings in an incident, you need an incident responder. Like, you have fire departments that also do trainings, but they're there to be the fire department, but...

A: Don't think any of us can, no, I, I cannot, unfortunately, I didn't log...

B: There was a particularly interesting presentation at the Open Source Summit a couple of weeks ago from the folks from the Node.js community, where they discussed some of the difficulties they have had in having volunteers be responders, and so that is, that is a, volunteers are great, but that is a very difficult thing to come by in open source and also a more difficult thing to keep and retain, so for, for a service like this, I think longevity is also pretty important. I'm...

B: I should say, when things become urgent, the first thing that is dropped is volunteer opportunities, so...
A: We'll prompt that, and we probably, I would say, probably will not get an answer until we get a chance to finalize, to refresh the Mobilization Plan. That's, there's some people looking at that, kind of reviewing where we are, or what we did, what we didn't do, so I think once that's done, it would be the next step of how they want to proceed with funding or what gets moved forward.

A: All right, anything else we wanted to talk about today?

B: I had one more question about, while we're still talking about the great repository audit, so there are, I don't, how much have we already engaged package managers or package registry maintainers in, in this? Because I know there are, there are some, some that have lists, right, of here's how you could actually fund us in a way that will help us. Yes.

G: But so in the, in the SIG call this morning, which was the first SIG call for this topic, which is now happening every Thursday at 9am, when the regular working group meeting isn't happening, we had Brian Fox from, Brian Fox from Sonatype, Jacques there, and Michael Scovetta, so we have some people there. I have also spoken to the head of security at Grail and he's, like, I like this idea. He seems reasonable. So three so far that are, like, yeah, okay, you know, either, you know, showing up to meetings or seems like a good idea. So, yeah.

G: Yeah, also I should probably send this to, yeah, so I, I don't have the contacts with the artifact server, in, you know, artifact servers as much as somebody else does. So, if anybody else has contacts with, I mean, I can only just do security@, but, like, if, I'd rather go to, like, a real person, because, like, it's more respectful than going through the security channel.

G: And yes, it definitely lost some momentum. Part of the goal of this initiative is to rekindle that initial, that, that momentum behind the working group, yeah, so yeah.

A: Well, Dustin is the lead of that working group and he is also on the TAC, so I would get his emphatic support.

G: I agree. I can talk to them and see what, yeah, it's, so, the meeting currently has mostly been Brian Fox, kind of, somewhat, and then also the people from Chainguard and, and, and shock, like, it's been very, it's, like, definitely shrunk in size, and so I'm hoping that this will rekindle it, and hopefully we can get some more of the people involved.

G: I know that Sterling has started showing up from Gradle. It started showing up at the APAC call just because it's, you know, end of the day instead of the beginning of the day when people are working, yeah.

A: I, I would personally reach out to Dustin to see if we can get him, his support.

A: Right, I will do my best to make your call tomorrow, Jeffrey, I've been invited to...

A: But I, they came in first and I will do my best to extricate myself at the bottom. It's just...