A: Give it another couple of minutes, or like a minute or two. So there are, inside of the OpenSSF Vulnerability Disclosures Working Group notes, if you scroll down past the eighth meeting, there are meeting notes for the Autofix SIG. Please mark off your attendance by, you know, removing the formatting for your name, so that it will show up as you having attended this sync call.

A: I think we should just get started and, as people join in later, we can add them in. Yeah, all right. So hi everybody, my name is Jonathan Leitschuh. I'm the senior software security researcher for Project Alpha-Omega. I was the first ever Dan Kaminsky Fellow, and I spent a bunch of time the past year working on automating fixing vulnerabilities at scale across open source. The purpose of this SIG is to discuss the topic of automated vulnerability disclosure across open source and establish some best practices and some norms for this process, which can be very contentious across open source maintainers. And I'm happy to have you all here. Since we are all new to this particular SIG, I'd like to do a round and just give everybody the opportunity to introduce themselves: who they are, where they work, and, you know, what brings you to this particular call. So yeah, does anybody want to jump in and start with their introduction?

C: I can go ahead and go first. My name is CJ May. I'm kind of new to the OpenSSF. I'm a senior IT security analyst at Vermeer Corporation, which is a manufacturing company. I do a lot with DevSecOps in my role, but overall I'm relatively new to AppSec, so I'm here to learn and contribute where I can. I do have a little bit of experience automating a lot of stuff around GitHub within my own organization, so yeah.

E: Sure, hi, I'm Kasimir. I'm a vulnerability researcher at Trellix. I'm here just because I just did a good bit of automated vuln disclosure and patching with the Python tarfile vulnerability.

B: All right, yeah, it picked up my webcam mic. Yeah, so I'm Matt Smith. I'm a product manager at Google, working specifically in Google Cloud. Some other colleagues are much more involved in the open source; I'm more on the product side, but understanding how to do automated vulnerability remediation as it relates to open source as well. And I'm also new to OpenSSF, so just looking to listen and learn what's happening.

F: Hi, I'm Munawar Hafiz. I'm the CEO of OpenRefactory. I've been working on refactoring for all my life, so I'm here to remind everybody how difficult this refactoring is, as we are embarking upon this glorious journey. So thank you.

E: Hi everyone. Can you hear me? Yes, yes. Jonathan also asked me to join, so I'm kind of just following his lead on this one.

A: All right. And the folks that I also invited, two groups that I also invited to this: Moderne, I think the two that were going to join for this are currently on a customer call, and I also reached out to others that I don't think are going to, but they may end up joining eventually. So we'll see how that goes. So anyways.

A: So at a high level, one of the reasons that I've brought people together for this particular topic is that Project Alpha-Omega is going to be engaging in automated vulnerability remediation at scale across open source, as a part of the purview of Alpha-Omega, and so I have been going down this route of doing this work kind of independently. But one of the things that would be really excellent is to have a set of standards and best practices established around engaging in this work, to minimize the likelihood of upsetting maintainers, and also decreasing the risk of you getting banned by GitHub, Bitbucket or GitLab, or all that stuff, right, for doing this stuff. And so, in that endeavor,

A: One of the things that I thought through and have written up a draft proposal for is (I haven't put this anywhere yet) a specification document that describes a set of requirements for campaigns to be... The title of this doc... I'll actually send it to the group in a moment, hang on. The title of this document is "Specification: OpenSSF Compliant Automated Vulnerability Fix Campaign", and again, not a specification that is in any way endorsed by the OpenSSF yet.

A: You know, put an "automated vulnerability fix campaign" banner on your pull request, link to this specification, and state that you're compliant with this set of requirements, and it will, you know, make it look more official and hopefully make it look like you will follow the set of best practices that were endorsed. Go for it. So yes, so you are all welcome to join. You should be able to access that.

A: Perfect. Would love it if you could, if you are going to add feedback or responses on this document, please use your signed-in GitHub account so that I can see who you are, and, you know, we can have a dialogue instead of it being anonymous Badger and Jonathan chatting back and forth with each other. But yeah, so at a high level, I can go through the bullets of the things that I'm proposing and discuss. Again, nobody's reviewed this document; nobody's seen this document until just now. I just wrote it in the past, you know, three hours. So, but at a high level: expecting that any vulnerability that you're going to try to fix at scale, you first try to report it upstream. So if you can get it fixed in the upstream component, the standard library, the library you're relying upon, that's the best thing to do, because it's much easier to fix a vulnerability via dependency update than anything else.

A: Before you engage in automated vulnerability disclosure in this manner: some messaging requirements around information you must include in the pull request body; an origin requirement, that the pull request must originate with a real person's GitHub account instead of a bot account or an organization account; requirements around communication and responsiveness to the maintainers when you're reporting, when you're disclosing this way; a suggestion around targeting specific source code. So if you're going to fix vulnerabilities at scale, try to avoid fixing just test code. You can fix test code, but fix test code only if you're also fixing production code. And then commit message format specifications; host coordination, like reaching out to GitHub or GitLab or Bitbucket to let them know you're going to do this work beforehand; and then also, finally, offering disclosure assistance to the maintainer after the pull request is merged, in some manner, to help get a CVE number if they so desire. So, a high level list of requirements. And given this... yeah, it's all in the... Oh yeah, you're bulleting it out, but this is all in the document. It's the high level numbered items in the document. So I know that none of you have read this fully, because there hasn't been enough time. But is there any glaring point from your experience with automated vulnerability disclosure that any of you think may be missed, or, the maintainer, you know? Do you think that... what should be taken care of to make maintainers most likely to not hate you and/or more likely to merge the change?

E: Yeah, so for the commit message format, I know, I see you have the sign-off header, and I don't think that's what I'm thinking of, but what I noticed a lot was they wanted verification on the commits, so the commits have to be verified. Otherwise a lot of projects would just automatically discard the pull request. GPG.

F: When you're done, I have a couple of questions.

A: Yeah, go for it.

F: Okay, so, you know that we have been also doing this thing on the side, which is finding out specific, different kinds of vulnerabilities on the top 10,000 projects and then reporting them manually to the maintainers. So if we are, for example, submitting pull requests, there's something that we also need to do, which is like the CLA signing, and doing this at a small level...

F: Well, it's hard, but you can manage. But when you are auto-generating a lot of stuff, is there an automated way of doing that? That's the number one question. If you're not doing that... As you were mentioning, the top 20 projects in the top 10,000 list need to have a private vulnerability report. So how do you automate that process, and that's...

F: Manual, exactly, exactly. How do you plan to... So I mean you need to find out what's the channel: is it in the SECURITY.md file? If it's not, then how do you do that, and so on. So I'm again curious to learn, because I might use it, I will use it in the work that we are doing as well. So yeah, I mean, information...

A: Best effort, right, kind of. It's best effort. There is a guide for reporters that the Open Source Security Foundation put together that's specific to that, and we can link to that guide for how to manually report vulnerabilities to maintainers as a starting point. That guide kind of goes through, like, here are all the places that you might want to look for a disclosure channel. And so I don't have the answers to how do you automate that, but I think the mandatory private disclosure... You know, one of the things about... We have the critical projects list, right. The thing that you want to do is, even if that requires a manual process for those 10, it's still important to do, right. Like, you know, because there are critical projects out there and we want to try to get as many of the highest critical projects as we can fixed in a way that is more responsible (I hate the term "responsible"), more controlled, you know, I don't know. And the other question you had was the CLA.

A: That is it. So I have just signed a lot of those CLAs. I also put in my advice in my disclosures: I can't sign all these CLAs, and if you require me to, like, if you need it to be signed, just close it, right.

F: It's a report that you originally submitted. It says that, because you're doing so, you express, or you announce, your intent that, because you're doing it in bulk, it's just not feasible for you to sign and therefore you will not be doing that. How do the maintainers deal with that? Or do...

A: They won't do it for everybody. Some people just close them. Actually, there is a conversation that I'm currently having with LF legal, because traditionally I have been doing CLA signing myself, because the pull requests have been originating from my personal GitHub account, right. So I can sign those myself, but since this work, at least moving forward, will be shifting under Alpha-Omega...

A: ...What do you want me to do with them? And the answer is, I don't know, right. I don't... One of the things that popped up as an idea from Brian Behlendorf when I spoke to him earlier today was, like, are there common enough CLAs that we can catch them and say, like, this is X CLA, we've already reviewed it, we can just sign it, right? Like, you know, it's okay, you can just sign it. Or are there... Is anybody that's requiring a CLA having wide variants? Or, like, are they all, you know, organization-specific? In which case this is a bigger problem. That's it.

F: If that helps, in our case, what we did was: so we have a couple of people who were using an OpenRefactory handle, but then there were individual contributors who were just signing on that. We have, so in August, what we did was we had the organization OpenRefactory signing, like having a different kind of agreement, which is an organizational CLA, but then it is nominating a GitHub user to then submit the pull request. So there we used the GitHub handle that we used for submitting all of the pull requests. So there is an organization; as OpenRefactory we were signing the CLA.

F: And it's actually, sorry, it's actually not a fully automated process. Like, I have signed for the past, I think, like three weeks or four weeks, I think I've signed for the adex platform, where we submitted a bug. We signed the CLA, I think, four or five times now, and every time on the subsequent run it is approved. But then in future it just comes up as not signed, and then you have to sign again, and at this point they have also given up on figuring it out.

A: So I think that, just like us, the maintainers that are on the receiving end of these reports are not lawyers, and they will have no idea what to do with that.

A: What is the average number of, like, or what is the upper limit on the number of CLAs you have to sign in a day? Is it tens?

A: Okay. And okay, one of the things that I've learned through this process, and I... So I hear you're saying that, you know, for OpenRefactory you use an organization GitHub account, right? Well...

F: Right, actually, we are now shifting, based on my conversation with you, my experience with the maintainers, the hatred that I received etc. from the organization, so we are actually shifting to personal or individual. And I think that's a good idea, because if people see that there's someone on the other hand, on the other end of the spectrum, it's not like a bot-looking ID but just a human-looking ID, it just makes a whole lot of difference. Yeah.

A: Trade-offs, I mean, if...

F: If you get famous, as in like, let's say, Slashdot famous and so on, or CNN famous or whatever, and then everybody knows about you, at that point it's a different thing. But before that you're always having an uphill battle, and like having a personal, a humane approach, so having a human name or somebody submitting it, that makes a whole lot of difference. But that doesn't mean, like, maybe two years from now there's a company that is doing it.

A: If there, for example, is, like, if, you know, so you get hit by a bus, and so I'm gonna just take over this project. If they have to regenerate a duplicate pull request for all these projects, because there needs to be somebody new at the wheel to make sure that they... I don't see that it necessarily is a terrible thing that there's two pull requests with the same exact contents, but somebody else now driving the second.

F: But we have a dashboard where we are keeping stuff. So basically it's just a workload that's being... so everything is in our database, it's being kept, so you can look at, like, what contributor X did in the past three months or whatever, and then you can see if something needs to... And you can monitor each of those pull requests. There is also a status on pull requests that we're keeping, as in the pull requests have a lifetime, as in like, okay, you just submitted it, it has been rejected, it has, like, "requesting this" and then some action needs to be done, and so on. So the pull requests now have their own journey that we have to track, and there's a dashboard for them.

A: Interesting, because that's what Yesenia and the triage portal is eventually going to be. More context: Alpha-Omega is building out a triage portal to help pull in a bunch of results from a bunch of different tools, like CodeQL and, you know, various different code scanners that find vulnerabilities, and give all those tools a single pane of glass to review. And that portal also, hopefully, assists with things like turning those reports into real vulnerability reports and real CVEs, like, you know, and tracking the whole disclosure process for those tickets. That's the vision for what this portal will be, but it doesn't exist currently. But ideally it would also integrate with these pull request campaigns as well. So, you know, in the future, but...

A: ...scope of this working group, but it is just something that hopefully we will see as Open Source Security Foundation and Omega. Yeah, are there any other... I appreciated the call-out for GPG signing, that was really helpful, Kasimir, thank you. Big sort of points that you think we're missing? So: vulnerability report upstream, mandatory private disclosure, vulnerability messaging requirements about, like, information that you must provide, vulnerability fix origin, maintainer communication responsiveness, automated fix target of source code (avoiding just test changes), commit message format, repository host coordination, and disclosure assistance offer. Are there any other big things that you think we're missing from that list of things that we should make sure we include in any of these campaigns?

D: Do you want to suggest a deadline and allow folks to kind of do homework around them?

A: That's a long-term plan. Yeah, absolutely. I just figured while we're here, if there's anybody else that wants to, top of mind, sure. Yes, this will end up getting sent out into the Vulnerability Disclosures Working Group email. So if you're not a part of the Vulnerability Disclosures Working Group Google Group, I recommend you subscribe to that email chain and/or join the Slack channel. I will try to duplicate all of the requests for feedback into both of those locations. Oh, that too. I'll also paste it there, but I can also open a ticket. So this SIG is going to operate until... if we get too big, we'll move, but we'll operate within the Vulnerability Disclosures Working Group GitHub repository, but probably not all within that single issue.

A: Kasimir, did you try to do any... or actually, Kasimir and Munawar, did you guys try to do any bulk automated pull request generation against anybody but GitHub? Did you do anything against GitLab or Bitbucket, or did you just target GitHub?

A: ...Software Foundation projects that are hosted on, like, some random server somewhere, that is, like, mirror repositories are mirrored to GitHub, but most of our development happens on whatever that server is. I don't run into that too often, but yeah.

F: Yeah, something like OpenDev. I have not used that. So it was the Cinder project, it's in review.opendave.org, and that's...

A: Is anybody engaged in any of... Oh, yes. Is there anybody engaged in any of this work currently, for a current campaign, that they want to discuss?

F: I'm very interested in what you are doing with SQL injection in Java, and like, can we, you know, create a scope for that and then explore whether some of that can be automated, or how much of, like, automated fixes are we able to generate on certain projects, and then roll that out. So yeah, we had a discussion earlier today, but I want to follow up on that part. Yeah.

A: Yeah, so that's not something that I... So I haven't... I started writing a little bit of code for SQL injection, just to, like, play with it, and then I think I stashed it and haven't touched it since then. But one of my goals at some point is to try to tackle, like, with automation... So for those of you that may not have talked to me before, I primarily work with a technology called OpenRewrite, which is a format-preserving abstract syntax tree transformer.

A: That's currently only local, but hopefully will eventually be more global data flow and control flow analysis, the use case being that we can fix more complicated security vulnerabilities like Zip Slip and things like that, that require, you know, knowing what the data flow is, knowing what the control flow of the application is, in order to guarantee that the fix is sufficient.

A: You can go and run a CodeQL query against a repository and see pretty accurately that there is an SQL injection vulnerability in the code base, because a user-supplied value flows through these 30-odd steps into this location where there's string concatenation. And given that we can find in the code where in the AST that vulnerable code path exists, it's not too far of a stretch to get to the point where we could remediate that.

A: So that's kind of the vision. Implementation of that is more difficult, but I don't have anything specifically for Munawar about that. I could, when I start chewing on it, I can definitely include you in that conversation, and I will definitely post a lot of that into the, you know, working group Slack channel.

E: I'm in a few of them, yeah, the autofix one.

A: And I'll also cross-post that into the... what was the name of that bug? It's the "tarslip". So it's like Zip Slip. It's CVE-2007-4559, if you care.

A: There is actually a Twitter account that assigns random names using a predictable... it's like What3Words, but for CVEs, so you can identify them with a same name. Yeah.

A: ...where I run it, at the time that I run it, and then, like, any new code that gets written and submitted and opened into open source that is vulnerable doesn't get fixed, right. Munawar, are you running regular campaigns to regularly fix new stuff that gets identified as new changes come into open source, or is it usually one-off runs?

F: It's basically just a rolling basis. So I mean, we run our tool periodically and it generates results, and one of our triagers reviews a small subset of this, because we run a lot and we have only one triager right now: three triagers, but one reporter, one who's overseeing the project at this point, looking into this. So it's a very small subset of these reports, and then as he or she is doing that, new reports come in that invalidate the old one.

F: So we probably, like, after every three weeks or so, we run with our updated analysis engine. So at that point new vulnerability signatures have been introduced and so on. So maybe there's a new report at that particular point, and then effort starts on that. So there's no real, I would say, structure, exhaustive, in this thing, because I mean it's just like there's too many bugs out there. There's no way, like, two or three or even 20, 30 people can be even exhaustive.

A: Yeah, and are these all pull... These are all pull request generations, or...

F: ...requests. At this point we have done submitted issues based on suggestions in the SECURITY.md, like they say, like, okay, submit an issue instead of a pull request, and in those cases we did that. But yeah, I mean, we just follow what the SECURITY.md suggests. That's that.

A: Yeah, so my plan for Alpha-Omega is I have a bunch of campaigns that I've been writing: Zip Slip, partial path traversal, temp directory hijacking, HTTP-downloaded dependencies in Maven and Gradle build files. And the plan is to set those things up as continuously running scanning campaigns that will run and generate pull requests every two weeks, to just continuously keep the, like, get rid of a base level of security vulnerabilities from open source across the board.

C: Just had a thought back to the requirements for opening up, like, opening mass pull requests. Do we want to make sure that they're not going to be creating new pull requests for the same vulnerability in the same repo, if they're doing it on a scheduled basis?

A: Yeah, so the way that it should work is, if you're generating it against the same branch and from the same organization, it should just re... like, the thing that it'll do is it'll basically rebase the change and make sure that it's on whatever the head is. Yeah, so that'll be the plan. So... generating duplicate pull requests, that did inspire me to ask a question, though.

A: So this proposal is one of the things that I'd like to see come out of this SIG. Are there any other sort of... okay? So there's this, the other... The next thing after this that I was planning on doing is, once this has been reviewed by us, I would like to get reviewer feedback from maintainers. So I would like to reach out to, for example, the Apache Software Foundation. They have a security email list, where I have had some maintainers, particularly Commons projects, that I've gotten pissed at me in the past, and try to engage maintainers in this dialogue of establishing these standards. So it's not just "these are the standards that us who are doing automated pull request generation want," but also people that are going to be on the receiving end of these things can have a say in the set of standards and best practices they want to see.

B: Based off the discussion about different campaigns and some that are ongoing, is there a potential for, you know, different groups using similar tooling, and, you know, if you're taking on, for instance, like, 30,000 repos and trying to do them every so often, is it possible that folks adhering to the specification, there would be some kind of coordination around...?

B: Yes, I was just wondering if, like, is there some kind of, you know, item you might want to consider adding to the specification about just, you know, coordinating or registering a campaign, so that other folks, you know, can discover what campaigns already exist and they don't end up duplicating the effort.

F: One way could be, again, this is just coming off the top of my head: the pull requests that are being submitted by these different campaigns can be, like, put under a specific project, specific branch, and then, like, categorized under specific project, specific branch, and then all the pull requests that are submitted to that... That way, like, if somebody's submitting it, somebody can look it up before submitting, like especially the manual ones that we are doing, and then stop triaging something, or spending even time on triaging something that has already been submitted by others. But I mean that would require that there's a standard, there's a central place where these data are going to come in and we'll find a home.

A: We've definitely haven't had enough of these campaigns run to have that cause a problem. I have... well, okay, I will correct that. There has been a set of campaigns that I've run where someone from, for example, the Jenkins team ran a campaign targeting only the Jenkins projects to fix the vulnerability, and then I ran my own and generated a new pull request, and then I think that I ran that same campaign again a third time with a different system, and ended up with some projects in the Jenkins project having three pull requests: one from the original, like, the security person for the Jenkins projects, myself from 2019 and myself from 2022.

F: That relates to another question, I mean, and Kasimir can also answer that, I mean, and I've asked that to you, as in: because you're generating things at bulk, it's just hard to keep track of the status of the pull requests. That I was referring to, as in like what happens in that, because the pull requests have their own lifetime, and like, is there any, like, post-pull-request tracking that you did, or, like, how many of them have gotten merged, like the recent, the Trellix one, we're like what, 60,000 plus; how many of them have been merged? Yeah.

E: I can go ahead and answer. So for the exact merge number, I don't have it off the top of my head. We've had a good amount merged already. As you said, we did have almost... we had over 60,000 pull requests that we sent out, which was a bit tough to manage. So every day one of the people who worked with me, his name's Charles, he went through the email associated with the GitHub account and looked through just any emails responding to the pull requests. So we did have some people complaining that we weren't monitoring, just to see, you know, people's responses and all that, which was interesting. Definitely hard to keep that balance there.

A: My statistics range from 40 to 20 to 5, depending. Twenty percent is usually, like, the norm for some of the campaigns that were more common. I had a five percent merge rate on a campaign that was targeting projects that mostly included code that was for projects that were, like, mostly one-offs, right. It was a code generator generating a base project, and, like, a lot of people generated that base project as part of, like, a class or trying something new.

A: And I think that most of the repositories that don't react at all are mostly because they're, like, unmaintained. Yeah, Yesenia is working... So one of the things that I do is I have a tracking GitHub repository, or I have a tracking issue that I always create for any of these campaigns, and so anytime I generate these campaigns, all of the campaigns will point to a single issue, and you can use the GitHub API to scrape that issue and see all of the pull requests that it backlinks to, and that can give you a really good indication of which pull requests were created. Like, that can give you a really good way of tracking that for the future, if you're not recording all the pull request URLs as you're generating the PRs.

A: So yeah, so hopefully I should have more detailed statistics that we can come up with and present, with some stuff that Yesenia is doing. Yesenia, sorry.

A: We have about 10 minutes left. Other than including the actual maintainers in this discussion, are there any other big... So we've had four ideas of, like, kind of deliverables for this working group: this specification, maybe some coordination around making sure the campaigns don't step on each other. Are there any other big sort of items that people would like to see this working group, or SIG, not working group, this SIG, create or develop or, you know, have ownership over?

B: I don't know if it's within the scope, but, you know, the sort of thing I'm interested in is also the systemization of the patching of the vulnerabilities once, you know, a vulnerability has been discovered, and that's happened and there's, you know, a vulnerability disclosure. So from that lens I was interested in, you know, a common machine-readable syntax for these things. So it sounds like it's pretty early days with some PRs, but if we're using campaigns that are, you know, doing things at scale, you know, some kind of way of coordinating, you know, standardization of the sort of the metadata, or what you're doing when you're submitting it between different campaigns, so that, you know, after the fact, that information can be inspected by other automation tools. Does that make sense?

A: Yes. There is, in the commit message format and GPG key signing part of the specification, item number three is commit messages should... it's not a must. Also, anybody wants to discuss the musts and shoulds that I've put in here, please don't hesitate to do so. But I have a "should" that it should follow the CCOM convention, which is a convention that is not very well known. It's somebody that did a research project out of some university, but it's a standard for commit messages that are specifically for security fixes. So since you're automating the generation of these pull requests anyway, right, you might as well generate a commit message that is following a standard, and so that may be a good starting point. But if you want something more than that, like, if you want something that's not just the commit message, but you want something external to that, that also could be a potential. Are you...

B: If I'm looking at, sort of, you know, developing tooling to unify that information, or looking at a tool that already does that and aggregating that information, you know, I've sort of... I've looked at examples of, like, a tool that has submitted an issue, there was a CVE, and then I was looking to trace it, and then, in the commit that addresses that CVE, you know, there was a... between the different machines that are submitting this, there was a disconnect. And so I'm just thinking, like, systemically, that can happen quite a bit. So this is a great starting point for me. So that's good.

A: That's not necessarily the order in which things need to happen. You can get a CVE first, but getting a CVE number actually takes time, which can be a blocker for developing the fix.

B: Is there a way to, if there's a pull request and there's a patch and the patch is released that addresses this, but there's no CVE number, because there's too much overhead or it takes too much time, is there some other kind of way to systemically identify that a patch is a security patch, not just a feature patch or a version bump, or something like that?

A: Well, so one of the things that I often do when I'm doing these campaigns, I will ask the maintainer, "Hey, did this fix a real security vulnerability?" And I've had a lot of people that have been like, "Thank you, this is great, it's a security hardening, but I don't consider it a security vulnerability fix," right. So in those cases, if you're looking at the data, you're going to miss out on the nuance of a conversation that may have occurred, where the maintainer is like, "I'm gonna merge this anyways, but I don't necessarily consider this worthy of a CVE." And there might be an argument that they're wrong, and that takes energy that sometimes I don't have. So...

A: You could, I mean, theoretically, have a GSD, right, the Global Security Database. They could give us an ID subset that are for this stuff, right, and so it could end up in the GSD database specifically under a "this could be a security vulnerability, but maybe not." If you want to include it in something that you are using as a signal, go for it, but, you know, it may have a higher false positive rate than CVE. Does that make sense, in the context of what you understand GSD to be? Yeah, yeah, big nod.

A: We have two minutes. Anybody have any final closing thoughts, questions, concerns, anything they want to share? If not, thank you all for coming. Feel free to invite your friends. Thank you for being here. I'm looking forward to working with you all together to do more of this stuff in the future, and I hope that none of your experiences with bulk pull request generation has scared you away, because I truly think this is the best way for us to scale our knowledge of, you know, math, science, technology and security, to have the biggest positive impact that we can across the industry.