A
B
B
Pretty good. I figured out the Postgres, and now I'm just trying to figure out this HTTP pain, the "port failed to start" error from the triage portal.
A
C
D
C
Okay, I am looking for the meeting notes for the Vulnerability Disclosure Working Group. Curious if we're gonna have anybody else join us. Chris, have we chatted before? I don't know if we've met.
E
No, I don't think so. I'm mostly just checking out all the different working groups, so just kind of learning what's going on.
A
All right, I am going to... what's today's date? The 24th.
D
A
B
A
C
C
E
Yeah, so my name's Chris. Until about a month and a half ago I worked at Microsoft and was laid off, but I'm actually hoping to be your colleague at some point, so I'm currently interviewing for the technical project manager role for OpenSSF. So I'm just kind of checking out
E
what's going on. History-wise, I used to work for the LF. I was actually the director for the jQuery Foundation, then the JS Foundation, and then, when we merged with Node.js to form OpenJS, I handed that off to Robin and then went over to Microsoft. So, cool.
A
C
C
Cool, so my name is Jonathan. Let... yeah, I'll just add you.
C
My name is Jonathan Leitschuh. I'm a senior software security researcher for the Alpha-Omega project, and my schtick has been finding and fixing vulnerabilities at scale across open source, and I'm doing more of that now here at this project. So we're discussing this, yeah, continuous work. So, you want to give your spiel?
B
Yeah. I'm on the Alpha-Omega project as a senior software security engineer. My goal is to operationalize the Omega toolchain components and essentially automate and scale Jonathan. If I had a TL;DR, it's: automate him.
A
F
C
All right. If you want to add your attendance to the attendance sheet, that would be, like, you know, letting you attend with us. Do you need the link? All right, so I spent a lot of time chewing on this document.
C
I will say, I'll share this in the chat, and then also, in particular, this page that we're on. I got a license for Lucidchart. I'm going to screen share, so this is the proposed alternative to the disclosure flow we had originally, which was this one over here, where I deleted a bunch of stuff.
C
So the problem that Michael raised with this is that we first open an issue and then we wait for that issue to get processed for at least 35 days, and then, if it's been at least 35 days without the maintainer responding, then we go to this email part. And he was like, why don't we send the email and open an issue at the same time?
C
C
So Michael Scovetta's proposal was that we do something like this. Where we start, we ask if the repository host supports PMPVR. If it does, then you use PMPVR. Sorry, so for those who don't know, PMPVR is a pragmatic means of private vulnerability reporting. So for GitHub, this is using GitHub Security Advisories to report the vulnerability. GitLab apparently lets you publish vulnerabilities, or you can create a private pull request with GitLab, and, like, that's just a thing you can do natively, so whatever that is.
C
We do that. If the repository doesn't have PMPVR enabled, then we go through this flow, where we have this left branch, which is just continuously looping, and it says: if the vulnerability is fixed... if it's not fixed, and 90 days have not elapsed since the process began, and the public PR (the security fix) hasn't been opened, and the repository doesn't have PMPVR enabled, then we just loop. If we have PMPVR enabled, you just, you know, report it and then you're done.
C
If the public pull request has been opened, then we end. If 90 days have elapsed since the process began, then we open a public pull request. Then we have this flow over here, so this happens concurrently. So this is two branches, so this loop is occurring on some basis.
C
At the same time, we look for emails, looking for emails with the disclosure check, and then, if the repository has issues enabled and we found an email address, then we go down this route where we do both of these processes at the same time. However, if issues are enabled but emails are not found, then we only do this side, or, sorry, if issues are not enabled and emails are found, we only do this side.
A
F
C
This repository is enabled, because you have one of three conditions, or one of three entry points, into this flow on the right, so.
B
F
C
C
So if emails are found in the repository and issues are enabled, then we go down both of these. These are ORs, just to clarify, these are ORs, and as long as one of these flows reaches these ORs, they are satisfied and you proceed to the blocking point where you're waiting for the other flow.
C
That makes sense. So, in the case where issues are enabled, if an existing issue has been opened to request enabling PMPVR, you use the existing issue. If not, then you create a new one.
C
If the issue has been open for at least 35 days, then we go to this OR, and then we're blocking on the other side over here. If we have detected an email address, so either of these, either this is yes or this is yes, then we send an email with the vulnerability details and request that they enable PMPVR, and then we also attach the fix with the patch file.
C
C
So what this does is, if the emails are, like, let's say, for example, the emails are not found, then we have this branch here that satisfies the constraint of this OR over here, unblocking the other side. So it's just flow. It's just, you know, conditional flowchart flows that unblock the other flow. You know, you're un-deadlocking the other deadlock that you're waiting on.
C
B
It makes sense to me. Just visually, I had to zoom in on one of my bigger screens, but.
D
B
A
B
Then notifying that it's an OR, just for an outside viewer coming in and, you know, trying to identify where the lines go, I think that could help, at least visually direct it. But as far as the process goes, I see why it was done that way.
C
C
C
B
Yes, and then maybe these other intersections. I don't know if you see my... yeah, well.
B
Yeah, that's more visual. Like I said, I don't know about anything else as far as the flows go. I don't know if Chris or Noah have any feedback on that, or if it makes sense to them.
F
I agree with you: that midsection does look very complicated. Hearing your description, it sounds like it's necessary complication, but yeah, oh, right there, that looks better, like some sort of way to distinguish which lines are going where, because having them all at the same level...
F
D
B
D
F
C
D
C
So for this black bar, that's a fork, so it means that these two things are happening concurrently, right? Okay, you don't necessarily need to implement the logic this way, right? You could theoretically implement this with, like, you know, all concurrent, not multi-threaded sort of stuff. It's just for visually representing the steps separately. I just think that it's easier to show these two things happening separately.
B
B
A
C
C
I have a problem. I just found a problem in this flow. So, okay, we didn't find an email address. The repository has issues enabled. If you didn't find an email address, we go into here. We find that there's an existing issue, so we use that. The existing issue was closed without a response, so we satisfy here.
C
The emails weren't found, so we've gone down here and we satisfied this OR, so we're now here. We come down here. The repository doesn't have PMPVR enabled.
C
F
D
F
Yeah, you know, I gave it some thought about him. She is disagreeable.
A
D
C
B
F
When I was first going over this and looking at it, I thought: this is so... it's like, it takes some doing to analyze it, but it is so clear, in ways that the human prose would not be, no.
C
A
C
Right, and I don't mind including this in the thing, but yeah. Yes, wait. Do we not have a Vulnerability Disclosure Working Group meeting tomorrow, or was it... no? It's normally... okay. So we're not actually going to run this by the open... okay, so we can't run this by them until next week, tragically. Yeah, Michael Scovetta likes this. Are we in agreement about moving forward with this as the proposed flow?
B
Yeah, I'm good with it. When you write out the paragraphs, you know, I'm always open to review and help.
C
B
Yeah, just shoot them... excuse me, maybe shoot them an email with... yeah, I'm about to say his name, Brian Behlendorf.
C
C
The other thing that's not covered here, that we do need to do, that I was going to discuss: so we don't have this. This "report via PMPVR" is completely blank. The thing about reporting via PMPVR that we were thinking about was... so the problem that we currently have with PMPVR is for GitHub, where GitHub's feature is called private vulnerability reporting, or PVR. Hi, Brian.
C
D
A
C
C
But so, we first go through, like, opening an issue, you know, waiting for them to respond. If they don't respond within 35 days, then we report via email, or we fall back to email. But the problem with this is that we're waiting 35 days and then waiting 90 days to send an email, and Michael Scovetta's proposal was, why don't we just send the email and open the issue at the same time? So the proposal was switched to: we have a flow over here that's continuously monitoring for whether PMPVR is enabled. If
A
C
it is, we use it, but in the meantime we check for emails with Michael Scovetta's disclosure check, which he wrote. If the repository has issues enabled and they have emails found, then we do both of these sides, but otherwise, if emails are not found or issues are not enabled, depending on that, we go down one of these two sides exclusively, but we consider the other side to have been satisfied.
C
We do them both in parallel, right? So this is the issue side, and this is the email side, but if the emails are not found, then it's automatically satisfied. Emails are not found, this is satisfied, and if issues are not enabled, then this side is satisfied, and then we just move forward down the flow, and then, like, you know, if the repository at the end of this flow has not enabled PMPVR, then we open a public pull request. Is that making sense, or have I lost you somewhere in here?
G
G
I assume... nor do I feel like you need my approval right now. Okay, I care much more about the vetting of this by our community, and knowing that you and Steve have worked on it, I'm just really gonna give it a blank check. But knowing it's been aired here with Noah and Chris, and maybe even posting it to a list and sharing it, if you're comfortable with it, that's gonna matter a lot more than my personal opinion.
C
G
What I want to understand, what I will care about, is: where does it have implications for the budget in Alpha-Omega, and the parts that we are able to automate or make manual, and that sort of thing. But if it aligns with the policy of not wanting to draw too many zero-days on unsuspecting people, you know, and that we're operating in good faith, you know, I'm gonna look for validation from others here. Well...
C
Okay, so the one thing that may be of contention here, right, there's a couple of things that may be contentious: we send them emails and we don't look at the responses, but we have this ticking clock of 90 days, and we're just going to disclose it at 90 days. So if they don't have it fixed, you know, in that time, or they haven't enabled PMPVR over here in that time, it will just become public after 90 days.
G
C
Yeah, that's kind of encoded in the... yeah, I'm wondering, is there a way to, like...
C
The thing that I'm thinking about here is: great, that works at small scale, but when you're dealing with, like, you know, the scale of what Trellix did, where they generated 65,000 pull requests, right, at that point you're dealing with a scale at which this is impractical.
G
I think the approach is to not over-engineer, over-optimize the beginning for the use case of, you know, thousands of CVEs per week, right? I think what we do is throttle up. We see what's automatable, we see, really, do we get 50% response rates or 1% response rates, and adjust, with eventually the goal of cranking up the number of scans
G
we're able to do, and the number of, you know, consume more and more of that pipeline, right. But I think, to some degree, with automation you don't really know what parts to optimize until that flow starts.
B
D
B
On to what Brian mentioned earlier: we would have to consider the different types of messages we would get, in different languages too, because you might actually get responses. From reviewing our discussion earlier, I don't think we took into consideration them responding to us and then analyzing the language that they're using, so that we know what next steps to do.
B
B
Yeah, we probably just have to have, like, very generic monitoring of results, or monitoring of issues, where, if it doesn't fall in those two cases, maybe we get kind of like an alert, like, hey, check out this pull request or something.
G
You know, to some degree, for steps in this process that involve humans, what your hope is, is that eventually you can replace that human with automation, with a rule, with a signal, with a rule, right, data that you can automate around.
C
Put, like, an optional... you can optionally, if the person responds with "it's not a vulnerability, it's a bug", we can put, like, optionally, you know, you can drop this forward. But you don't have to implement that; you can just wait 90 days, like, that's still within spec. Okay, all right. Let's do that, then.
C
The other thing that crossed my mind that may be controversial is: let's say that we can't find any emails to report with. They have issues enabled, so emails are not found, issues are enabled, so we're only going to do this flow. And let's say we've already opened an existing issue requesting that PMPVR be enabled.
C
Right, then, as stated, if this issue that we requested PMPVR be enabled in, from a previous report, was just closed, or, you know, closed by stalebot, then we go down here and we just jump immediately to creating a public pull request.
C
So we go directly from "PMPVR is enabled?" to "is not enabled" to creating a public pull request, because they closed the last issue that we had requesting that, you know, a disclosure channel be opened to us, and because we can't find an email to disclose to.
G
D
C
Oh, don't forget to put your... what's it called, in the Google Doc, the...
G
C
So the shortest time beyond no response would be 35 days, here, where we can't find an email and they don't respond to the issue. That'd be 35 days.
C
Okay, the third most aggressive time frame is 90 days, where we've sent the issue, or we sent the email, and there's 90 days. Simultaneously, this whole flow over here is continuously running, that
A
C
if the vulnerability is fixed, then we're done. If 90 days have elapsed since the process began, then we open a public pull request. If a public pull request has been opened, then we're done, because it happened from this other flow that occurred.
A
C
A
G
You know what, as we're... because I think there's a bit of selling of this plan that we'll need to do publicly, at least explaining it in lay terms, for people to follow. A flowchart isn't something any of us would call... but people getting thrust with one of these things out of the blue, or a journalist or something, would perhaps need some sort of prose
G
that says: here are some happy paths, and here's how we handle the not-happy paths through this system. Just... and this is something we can create after this is finalized, but just to help the public understand the duty of care we're taking.
C
G
There's a whole white paper's worth of flow, I'm saying, but dumb it down a little.
G
We ran this, we found a bug in Fubar and we filed an issue, you know, a private issue, but it was closed immediately. So we then said, great, it's okay for us to publish it. Just a few of these kinds of pathways that demonstrate for people how, in each case, we're balancing these different priorities appropriately.
H
C
I'm curious, so one of the things that we're also not capturing here is what happens if issues are enabled, or issues are not enabled, right, but we go to this "emails found" branch, but we've sent emails to the same set of maintainers in the past and gotten no response.
C
G
Yeah, you know, maybe they learned their lesson the first time. Maybe that set of maintainers is slightly different. Maybe... yeah, no, I think you give them the benefit of the doubt. I see.
G
C
We're still waiting those 90 days. Okay, okay, so then this flow will require some sort of state management around, like, monitoring, you know, like time frames and stuff like that, right? Like, we sent an email on this date and it's been X period of time, right?
C
I'm less inclined... so I know that you, Michael Scovetta, and everybody loves the term CVE, but I'm less inclined to, unless we've explicitly audited and done the vetting of, yes, this is truly a vulnerability.
C
C
A
G
My hope would be, if we come up with bugs that actually qualify based on their CVSS, so on their severity score, that we decide how to sufficiently automate, and/or Mechanical Turk, and/or find volunteers, and/or do whatever is required. Maybe this is a conversation we have with MITRE: what's the right way for us to turn this bundle of 100 or a thousand high, you know, mid-severity, qualifyingly severe enough bugs, to get them into the CVE system? Or are you telling us, CVE consumers?
H
Yeah, so just, and I think, as part of the discussion, we should also consider maybe GHSA, because, since we're talking about open source, it's kind of best entwined into GitHub, and, you know, you have the security tab, and whenever you have a GHSA for a project it will automatically appear there, and that is also something that can be later pushed through NVD and get a CVE, I assume, easily, more like in a more straightforward way than from the GSD, but maybe I'm wrong. Yeah.
C
So the problem with GHSA is that anybody can get a GHSA, right. GitHub won't issue a CVE number as the CNA unless the maintainer requests it, so researchers, if you are a researcher and you believe that there's a vulnerability here, they will not assign you a CVE number just based upon the researcher's perspective. As a corollary to that, if you open a PVR, right, and report the vulnerability to the maintainer, and the maintainer's non-responsive, they will not... they have made the line understood:
C
they do not want to operate as an arbitrator in those cases. So what I've done is a little different. The way that I've done things is, instead of getting the security... most of the time, when you're doing disclosure, the maintainer is the one that owns the GSD, or sorry, the GHSA, the GitHub Security Advisory.
C
The way that I do things is a little different. I have a private, or public, repository where I have my security research, and I have been disclosing there, and so these are not published from where the repository is, because I can't force a maintainer to publish something.
C
H
C
H
So I agree it's not ideal, but for the reasons you just mentioned, maybe we should consider it as well, like, to have one project that is for the fix automation, and then all of the GHSAs will be opened from there, and then we'll remain in control of whether we want to pursue a CVE, and then it's also all in one place anyway. I don't know what the ideal solution is, but I think it's definitely something that we should consider when we have the discussion regarding GSD or alternatives.
C
C
Ideally, what would happen here is, you open the PMPVR, right, report the vulnerability. This flow's not... I've not created
C
this flow. I will create this flow, but you create the PMPVR to report the vulnerability, and then you wait, right, and if the maintainer is unresponsive, you give them 90 days. If they're unresponsive, you take that PMPVR and you create a public pull request from it, and then you also take that PMPVR and you publish your own disclosure for it, right, because you can't force the maintainer... GitHub won't let you force that thing that you opened to get disclosed.
D
G
C
Kind of. I've talked to Madison Oliver about this. It's a little interesting: if you publish a GHSA and you have included a link to it in your CVE request, right, GitHub gets the CVE request via... then, instead of coming in from there, it's been given by a maintainer.
C
It then comes in through their CVE request flow, where they're seeing it, but they'll see the link to the GHSA, and usually for that GHSA I've filled in all the details of, like, what packages are impacted, stuff like that. GitHub's database, the GitHub Security Advisory database, is one of the few databases, I think it's the only database, that is Creative Commons licensed and has data in a structured format. Snyk's database does not have that characteristic.
C
I don't know if they treat these reports, like what I do, any differently. I don't know if GitHub is pulling it in via the API, or if they're just looking at the thing that I wrote up and then copying and pasting the fields over into their own thing, because they have a team of people that is doing, you know, doing the stuff.
H
Yeah, I think it's worth exploring with them, maybe, and I think another advantage was, if it does get fed into their, you know, pool of GHSAs, then it will also appear in OSV, because OSV obviously contains all of the GitHub Security Advisories as well.
C
Yeah, there's another... the other thing that's popping up: so NVD also publishes this CPE, so this CPE is supposed to be, ideally, an identifier for a piece of software, and it doesn't map very well to PURLs, right, like, there's no... so, but there is an effort to map from, like, you know, the CVE to what packages, or what product, what thing is impacted. It's just very imperfect, and NVD doesn't supply these in a consistent way.
C
Yeah, so I think that my plan next is to go implement this thing, which actually should be pretty straightforward. It's mostly going to be, like, you know, wait.
C
Has it been open for more than 90 days? You know, no? Then make it public. You know, like, or pull all the data out and make it public, and then also some collaboration with the maintainer, because ideally that part will be a collaborative effort, hopefully, if possible.
C
Yeah, any questions, concerns, other things about this proposal, or this flow?
C
The one annoying thing that I have about this part is that we may not be able to automate comments on PMPVRs, because I don't know if GitHub will support that. So, yeah.
G
I don't have much more to add, or at least not that will only take two minutes, but I think this is probably mature enough to consider socializing a bit more widely within the OpenSSF, like to the full... like, as an email to the full Vulnerability Disclosure Working Group, or possibly even the TAC or general, or something like that, but just consider gradually opening it up a bit more. And I...
G
It does also feel like this recent conversation about how to report the vulnerability suggests it needs its own... unless it's here and I'm not seeing it, because again, I can't see the labels... part of the workflow that, you know, is part of our conversation with folks like GitHub around GHSAs, and maybe even eventually MITRE. So I... oh, you dropped a link too. I...
G
Give the link. I'm just on a laptop, and, like, being able to see this and see all of you and see the conversation at the same time, I don't have my, like, you know, full immersive cockpit kind of setup right now, so apologies for that. But I also just want to emphasize again: bring me your edge cases, bring me your, you know, where are we calibrating too aggressive or not aggressive enough?
G
What I suck at is completeness, and so I'm gonna depend upon others to really be helpful there. And then, secondly, where does it create big expense for us, or risk for us, as Alpha-Omega, as a project? And I
G
think that the final comment is: if we're okay with an iterative approach, and kind of optimizing the bottlenecks as we go, and occasionally maybe we, you know, volunteer slash Mechanical Turk it, then I think we'll be able to fix the hot spots that emerge, you know, over time.
C
G
C
Agree. Okay, Yesenia dropped, thankfully, a link. We are trying to move this meeting because it doesn't work for a lot of people. If you have not yet filled out the Doodle for when meetings work great for you, that'd be great. I'm gonna try to hopefully go sailing,
C
you know, at five o'clock on Wednesdays moving forward, so I've blocked off my four to five so that I can drive to the sailing place that I go to, so... but yeah, you know, let's try to find a spot that works for everybody for the summer.
C
Yeah. Thanks.
C
A
C
C
G
If you want, David Nalley, as the president, and he's also at Amazon and he's a big supporter of Alpha-Omega and what we're doing here, might be a good person to start with. I know Mark Cox has also been very helpful with OpenSSF early on, but rather than going too broad, I suggest maybe starting with David.
C
You know, because the people that are going to be experiencing this, so the people that are actually, like, the maintainers, the software maintainers, and some of them have been not so thrilled, so I want to... you know, I want to give them the opportunity to, you know, voice their...