From YouTube: OpenSSF Vulnerability Disclosures (May 1, 2023)
A
So, while we're waiting for the larger group, so I would still like to wrap up the Linux Foundation-wide thing and what I'm, what I'm thinking might be a good, I don't realize we're on recording, for incoming vulnerability reports. What I'd like to do is maybe just quickly cobble together some sort of safe harbor statement based on existing materials that's generic, and then send it to legal to get that reviewed and beat up and so on.
A
I think writing something down to say: this is kind of what we had in mind, please turn it into actual legal stuff instead of this nonsense.
A
So maybe you and I should have a brief discussion about that. Yes.
A
All right, well, tell you what, let's, you know, I don't know that you're see John, nothing.
A
There you are. I'm going to add you to the people of the, so how about next, how about tomorrow, 3 p.m. Eastern time, which is noon Pacific time.
A
Basically, let's talk about it, bang out a very early draft, and I guess probably eventually we'll want to get both legal review and public review. I don't know the print process is, but yeah.
B
I sent you the disclose.io policymaker.
A
I don't know that I saw that, but okay. I sent it to your, to your LF Slack. Okay, yeah, hold up, I'm, I'm trying to create a meeting for you and I tomorrow. So.
E
No, I'm chair of the governance committee.
E
They announce the three appointed positions: the fellow from GitHub, Arnell from IBM, and, and a third individual whose name escapes me at the moment. I.
A
Believe they're even already listed on the public site, though I guess I should, I should double check that.
A
All right, Jonathan, I've sent you an email. I already, you're gonna see more of me. Sorry.
B
I'm going to run this as if it's somewhat a standard meeting. The, the top meeting notes is for Wednesday. So if you scroll down there's one for 22 2023.0501; if you could mark your attendance, that would be greatly appreciated. Make sure you do it for the right one.
B
A
C
Okay, pulling up the document, so.
B
A
B
Let me post a link to that into the chat too for anybody, and so is there anybody here from the TAC, from the email that I sent to the TAC, or who is speaking for, oh well, so much for all my effort to try to get the TAC involved.
B
Do we have anybody who has? Let me just start here: do I have anybody has any opinions on the name of the model, but not necessarily this one, I mean if you have an opinion there, great, but mostly on the, the title: Model Outbound Vulnerability Disclosure Policy, version 0.1.
F
I saw that feedback. I have a slight question about the word model, but it's not super important. Go for it. What's your question? Yeah, basically, this is, this is to be the policy that's going to be used, or is it a model for others to copy, import, modify, etc.? Oh.
B
B
Part, let me screen share. The upper one is, so this is the policy, right. The, the new policy.
B
Okay, yeah, David, I had a spark of inspiration.
B
D
B
That more urgent action is appropriate. The publication date for a zero day will likely be accelerated to seven days of the public, of the notice date. I.
B
Yep, so that's a thought. I was, I just don't want, I don't like the idea of including, like, probability, because likely implies probability.
A
B
I mean, we could do normally. The other thing that popped in my head yesterday is will, comma, except under extreme circumstances.
D
A
G
Well, so, so in a formal document, right, you take that, you take words like that out, typically, normally, all that stuff out. You follow it up with a sentence. You, or you say this will happen within seven days or with the following exceptions, and then you note those. Like I, I don't like what, what that was, like typical, normally, all that stuff. That's too much! That's too much gray for a formal document.
A
A
No, I mean if you, if, if you're disclosing you are now expo, this is the original conversation we had. Poor John, sorry, sorry, Jonathan, you're gonna, I guess we're gonna hear the argument again. The problem.
A
Yeah, the, the problem we've got is that, you know, there's many cases where we've got an attacker, but it's not known to the, to most attackers, and the, and if we disclose to everyone we're causing much more harm by letting all the attackers know when, in fact, it's a very small subset of attackers who are exploiting something. Sure. So the overall goal, I mean, I think of this as an integration problem: you're integrating over time. Yes. You are trying to minimize the total area of damage. Yep.
F
Yeah, totally agree, and I get the trade-off. All I'm suggesting is that we keep the flexibility, because we don't know what the integration is going to look like before that event happens. Exactly. Some, some of them are evident, clear evidence of public exploitation. Everyone already knows: why are we going to wait five days to disclose?
F
That's, I want to just be sure that we can act accordingly in that situation. And to your point, David, if, right, if it's, if we know there's a little bit stuff going on but, but disclosing it publicly would really open the floodgates too soon and off the integration curve, yes, we should hold off for up to seven days. No, no argument there. I just want the policy to allow both ends of the equation.
F
A
G
A
D
B
You've been working in disclosure for a long time, and I've spoken, I spoke to Madison about this during the last call too. David's perspective proposal here is that the unusual circumstances be: you can deterministically determine that the attack, that there's only a single attacker with knowledge of the vulnerability.
F
I, what I'm suggesting is that the way we write the policy we allow ourselves the ability to, in David's terms, right, create that integration whatever function for that case as it goes. And I, I would, I would not, I would never probably say deterministically there's only one attacker who knows, but there could be few. We could expect that there are few. I would fully agree that a premature public disclosure increases the area of damage.
F
F
Okay, well here, I think literally within, within seven, within seven days, I think, actually addresses my issue, letter of the law. You know, zero, zero minutes is within seven days and seven days within seven days. So back, back when we wrote this at CERT/CC we kept, we did not explain much, but it was a much easier policy to maintain when you, when you keep it, keep it less, less words. But I'm not saying we should, right. We said here just that, yeah, anyway, so.
F
F
When are we going to do add time, delete time, it's just too, too messy in advance to know that. If I worries try, if I pretended I was a lawyer, I would say within seven days addresses my concerns of being able to go immediately.
B
Or the problem with putting a rash, every single vendor will argue that they need more than seven days, right. There will be no vendor that will be like, well, in our case seven days, you know, you disclosing prior to there being a fix is going to protect, like, every single vendor is going to argue that, and the, the I, I.
B
A
Yeah, all right, I have added a new paragraph below, okay, because, you know, I actually completely agree with Jay that you, if you're going to have an exception, you need to explain the rationale, the, the wind is, that exception. I had some text earlier, I don't know what happened to it, so I've, I've put in some different texts. Maybe this will be more acceptable. The exception is in cases where we can determine that the overall damage to users will be less if more than seven days are granted.
F
G
G
If you take longer time or something like that, right, that something should come back to say, well, it could provide us a reason, provide us with reasoning, for, you know, or, or there should be some type of reason provided for the except, for the notification to take longer, right. I, I mean, I think with that, with that wording, that's what that opens. It opens up to, to requiring that additional information.
B
So, okay, the way this is currently written, if only one attacker knows about this, one knows about this, but they are exploiting it widely, that gives the, that currently, as written, gives them the flexibility to say, well, it's only one attacker, even though they're exploiting it widely.
A
A
You know, you know it's much less. You know, whereas, oh look, I'm gonna download and attack everybody on the internet, you know you can't keep that a secret.
C
B
There are so many places you can have arguments, sure, and, and I, I, I struggle with the, the thing that I'm struggling with is giving another place for a maintainer to engage in an argument with you in the vulnerability disclosure process he's exhaust. It sounds as the reporter to be another point to exhaust and wear you down as the reporter.
A
Right, the problem is, of course, that it's actually not the, we're trying to optimize, frankly, not for the reporter, but for the end user, right. We're trying to minimize damage to end users. Now, I agree that if you overwhelm the reporter too much, that's also going to cause long-term harm. The end users.
F
A
B
A
A
B
A
How would you know? Seven days isn't really enough time to even notify. If it's a European on a two-week vacation, they may come back and do deal with it in hours, but they won't know for two weeks.
A
I mean, canning the parenthetical is fine, I mean that's, that was just the rationale. Not the this.
B
B
C
B
B
B
For cases where we determine that the overall damage to the user will be less if more than seven days are granted, this would be, this would typically be because there is no evidence that attackers are aware the vulnerability, of the vulnerability.
B
G
F
B
C
A
F
F
F
Because no one knows everything. I'll, I'll, I'm good with.
B
B
H
H
I
H
C
A
B
Zero day, okay, yes, you believe that more urgent action is appropriate. The public, the publication date for a zero day will be accelerated to within seven days of the notice date, with one exception described below. We offer an exception for cases where we did determine that will, there will be less overall damage to users if more than seven days are granted. This would typically be because there is evidence that widespread exploitation is unlikely, maintainers merely requiring more time to fix.
B
A
Yeah, and I got rid of the with described below because it's the next sentence, yeah.
B
The reason for this special 0-day designation is that for each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices are accounts to compromise. Seven days is an aggressive time limit and may be too short for some maintainers to update their software, but should be enough time for maintainers to publish advice about possible mitigation such as temporarily disabling services, restricting access, or contacting the retainer for more information.
F
Are starting up finished up, try not to distracted.
C
F
So also I want to say: Yoda has had his hand up, I think, so.
I
Sorry, sorry, yeah, no, no worries, I just didn't want to throw you off. Just a quick question: do we reference a, one reference somewhere in the document, a case where the vulnerability is in an.
D
A
I think that's handled here, because here's the thing: there's been many, many cases where something is out of, out of support, it's out of life and so on, and there's a crisis and it gets fixed anyway.
I
So, for example, if we take Log4j, I don't know, let's say one four, two one point two, and we certainly tomorrow there's a critical vulnerability, so, and the maintainers say: okay, this is from 2012, we're not going to fix it. Then.
A
Okay, that's the logic of this. Now you can argue that maybe that's not right, but I actually don't, I don't think we should care whether or not it's obsolete, because people say it, that they're not going to maintain, and then they get a report and then they change their mind. So I, I don't, I, I think we should just, you know, follow the process and, and ignore that. It's less helpful.
A
If they, if they reply to us and say we're not going to fix it, I think that's already covered, isn't it? If, if they express, you know, if we do not see, receive any engagement, well, yeah, we already say: if we do not receive an engagement that infirms their intention, we were reserve the right to explore, to disclose that point. So, basically, if they say nah, we're not going to fix it.
A
Yeah, I guess, according to this logic we, but, but it's not getting, but yeah it. Basically it says that 35 days at that point because they've, we have not received any engagement that says they're going to fix it. They've actually said they won't, but I guess that then it's still just within the 35. There's an argument for that, I guess. They could change their mind, but.
A
A
A
Yeah, okay, so great point, great question. I'm sorry, I lost who, who said that. Now your time.
A
Your time. Do you agree? Yeah, yeah, I.
A
Yeah, and that also, but I think that deals with the we declare it obsolete case because, as I said, you know, Microsoft has many, many times, and frankly I think this is a good thing, fixed vulnerabilities and stuff they formally declared were obsolete and they were, we're not going to fix it, and then they change their mind and, you know, I'm grateful.
A
B
A
B
G
Usually comes on the back of some major customer running some type of something or other on a legacy system. That only runs, that cannot, you can only run Windows 95 on, something buck wild like that.
D
G
Right there with you. I know these organizations, they're running, they're running some type of crazy application that can only be run on a legacy OS of some sort on some type of bastion host somewhere that only connects one time once every five years to receive something or other, and that is the one time when somebody decides to introduce something, something crazy. So yes, careful, they'll reach out and say: hey, hey, hey, hey, hey, hey, I'm trying to be as, as clandestine as I can. When I talk like this, now come on. Jeff.
E
G
A
Now, yes, I, I actually have a presentation where I make that pitch. Legacy is just, you know, I even have a sticker where, you know, we're building the legacy systems of tomorrow.
H
F
Just, just as we were writing today, I think David used the word damage, and we have harm, and we have risk somewhere. I don't have a strong opinion, I usually write risk. I just would suggest we be consistent.
B
Okay, so looking at the, the C, CVSS v3 scoring system, they have confidentiality, integrity and availability. Are you saying that one of those, kind of like, risk encapsulates more of them than damage potentially does?
A
I said, I said damage, but risk means likelihood and consequence. To be honest, when I say overall I'm integrating the likelihood and impact. But, you know, overall risk to users, I think, is fine.
F
B
The word risk implies a, a reducing. The amount of risk is reducing the amount of chances for damage to action, damage to actually occur, right, versus, right, so you're reducing the, the potential for the damage to occur if you're reducing, versus reducing the damage occurring, right. It's like you're, you're abstracting one step away, and so risk in and of itself is kind of nebulous, right.
A
I think in this case it doesn't matter because, when you say overall damage to users, as I said, you're integra, you are doing a sum of all the, of all the damages. Some of them will have damage. Some of them will not, which basically encapsulates the likelihood. So I, I think if you, if I was doing calculus I'd say these two equations have the same answer. If you sum up all the damage, or you compute the expected damages for each and you sum up, it's the same thing. It's, what is, what are you expecting?
F
B
Consistent with it, so, so, okay, so this is the reason that I'm kind of bringing this up, right. Sure. Country A builds nuclear bomb, country B builds a nuclear bomb, right, they're both planted at one another. There is a lot of risk there, but because both of them have nuclear bombs, one at each other, less likely that they're going to actually shoot it at one another. Well, that lowers the risk. Sure, it lowers the risk, but the risk, the, the exist.
B
The existence of country A having built bomb outside of the context of both countries having bomb is, right, it has to do with, there's a certain amount of, like, the risk is like the potential for a thing to happen. The actual thing that could, the thing actually being likely to happen, may, like, risk is so nebulous that it has to do with the probability of the risk occurring, and that probability may be one percent, but yeah.
F
A
B
F
You don't care about, yeah, it's, yeah, I mean it's damaged, yeah, and it, again, I'm, I, I don't think it, the word, all I'm really asking, this is more of an editorial position than a, a debate on risk, risk versus consequence versus threat versus, you know, probability. I think there's still probabilities involved: someone's still going to choose to attack or not, a lot or a little, one person doing it a lot, one person you're doing to one key place, there's a lot of factors. I, I, for this policy.
F
I don't think it matters, the choice of word. But again, unless we mean different things, different points in the policy. Let's say, then, damage is fine. They've wrote damage this morning, but we have harm somewhere else, which is a synonym, great, risk down below, which is a different word. So just because this is true, we can just pick, yeah.
C
B
F
Don't care, okay, and then I, the reason I also brought it up is I went, as David was talking about the integration of the minimizing damage for users, I went and thought we should just have that sentence somewhere. I put it up at the top, but it's actually already sorted down here and I threw it back. I put it in again more clearly. We can, this is sort of covered by reducing risk for the ecosystem and soft landings, but I thought we should just state this clearly.
F
This is a little different than, you know, we're just, just, just doing this to get researchers to do what we want, or we're just, just, just, just, just doing it for maintainers. If we are really doing it for everyone, let's be clear about that, and I think that's a great thing to say, but maybe that's not our position here. So that's when I wrote the word risk, and then I thought, what did we say elsewhere? We said damage, we said harm.
F
We said risk, so we can debate leaving this sentence in or not, and then again, let's just use damage throughout. Yeah. Okay.
A
B
B
Okay, so the reason a policy like this exists is to, two things, right. It's, you use the action where, where this policy actually gets used and has to get deployed creates a precedent that shows main, maintainers that their failing to act will necessarily result in negative downstream consequences to their end users, right. So it's not about respecting the interests of researchers and maintainers. It's, it's, it's, this policy is not just for the one vulnerability, but it is for all future vulnerabilities beyond the point where you actually have to exercise it.
F
F
F
F
That may not be the thing that you want to do, because you may want us to wait 97 more days and we're not going to, or you might want us to drop zero day immediately and we're not going to, because we think we have determined that, made a choice to minimize harm to users, which may not be in the best interest of either the researcher or the maintainer.
B
Yeah, I'm, let me think about it. Okay, another.
H
We've been kind of going through it in the chat and I put it as, as a comment on the doc. I just, was just, it's just a little bit of a nit, but because.
H
This qualifying language there, yeah, I don't think it's Earth.
H
Yeah, there's also a qualification that happens after where it says, you know, what's, like, there's some criteria given for, at least for what's not adequate justification, for example.
B
A
B
Oh God, there's a restriction. We may.
A
B
H
B
A
Right, I would make some bullets, but, you know, I don't, yeah, yeah, HTML handles simple. It's just fine.
B
C
F
That's, I, you could, you cannot accept that. I search, there's both words. Oh.
F
B
B
B
A
We right.
B
A
B
B
A
A
B
H
H
As then, I would suggest that it captures, like, the entire following paragraph, and it may already, but is there, if there's anything pertinent that you would want in the lead sentence? That's.
A
D
B
Okay, so yes, we are respecting maintainers, researchers, less. The, the policy point again is to protect users through its application over the long term, right. It is not necessarily about its applicability in a single case, and that, that, that mindset is also what researchers see, right. The researcher mindset is: this policy is not just for this one-off.
C
B
B
Going to be turning this into a CFP, which is due end of day today for DEF CON. I'm gonna be chatting in the vulnerability exposures working group Slack channel, if anybody is willing to help contribute to a, an abstract and helping me come up with a title.
B
I would greatly appreciate the time, resources and energy dedicated to that effort. I will probably be spinning up a Zoom call just running continuously throughout the day. So if anybody wants to hop in and help, please don't hesitate to do so.
B
A
The footnote, where, what, footnotes are invisible in a lot of browsers. If you have a footnote, it's like it doesn't exist. So if you want a footnote, you really, it has to be for text you don't care about. I don't, I recommend not having footnotes in the, because this is going to become HTML, and then the HTML, no one will see it. It's going to go Markdown, it's going to become Markdown, but yeah, even worse, yes, but Markdown becomes HTML and then, then we'll see it.