►
A
B
A
C
D
C
E
D
A
A
C
E
E
A
C
C
My
name
is
Jonathan
lichu,
I'm
senior
software
security
researcher
for
the
alpha
Mega
project,
and
my
schtick
has
been
finding
fixing
vulnerabilities
at
scale
across
open
source
and
doing
more
of
that
now
here
at
this
project.
So
we're
discussing
this
yeah
I
continuous
work,
so
you
send
me,
you
wanna,
give
your
spiel.
B
A
F
C
C
C
So
Michael
scovato's
proposal
was
we
do
something
like
this.
Where
we
start,
we
ask
if
the
maintain,
if
the
repository
host
supports
PDR,
if
it
does,
then
you
use
private
pmpdr.
Sorry
so
for
those
who
don't
yeah
PM
PVR
is
a
pragmatic
means
of
private
vulnerability
reporting.
So
for
GitHub.
This
is
using
GitHub
security
advisories
to
report
the
vulnerability
get
lab
apparently
lets
you
like
publish
vulnerabilities
or
you
can
create
a
private
pull
request
with
gitlab
and,
like
that's
just
a
thing,
you
can
do
natively
so
whatever
that
is.
C
We
do
that
if
you
don't,
if
the
if
the
repository
doesn't
have
pmpvr
enabled,
then
we
go
through
this
flow,
where
we
have
this
left
branch,
which
is
just
continuously
looping,
and
it
says
if
the
vulnerability
is
fixed,
if
it's
not
fixed
and
90
days
is
not
a
lap.
Since
the
the
the
process
began
and
the
public
PR
security
effects
hasn't
been
opened
and
the
broad
repository
doesn't
have
pmpvr
enabled,
then
we
just
Loop.
If
we
have
pmpvr
enabled
you
just
you
know,
report
it
and
then
you're
done.
C
If
the
public
pull
request
has
been
opened,
then
we
end.
If
90
days
have
elapsed
since
the
process
began,
then
we
open
a
public
pool
request.
Then
we
have
this
flow
over
here,
so
this
happens
concurrently.
So
this
is
this.
Is
this
is
two
two
branching,
so
this
Loop
is
occurring
whenever
an
on
some
basis.
C
At
the
same
time,
we
look
for
emails,
looking
for
emails
with
the
disclosed
check
and
then,
if,
if
the
the
repository
is
issues
enabled
and
we
found
an
email
address,
then
we
go
down
this
route
where
we,
where
we
do
both
of
these
processes.
At
the
same
time,
however,
the
issues
if
issues
are
enabled
but
emails
are
not
found,
then
we
only
do
this
side
or
if
issues
are
enabled
and
emails
are
sorry
if
issues
are
not
enabled
and
emails
are
found.
We
only
do
this
side.
A
F
C
B
F
C
C
C
C
If
the
issue
has
been
open
for
at
least
35
days,
then
we
go
to
this
or
and
then
we're
blocking
on
the
other
side
over
here.
If
emails
have,
if
we
have
detected
an
email
address
so
either
of
these
either.
This
is
yes
or
this
is
yes,
then
we
send
an
email
with
vulnerability,
details
and
requests
that
they
enable
pmpvr,
and
then
we
also
add
the
attack.
We
attach
the
fix
with
the
patch
file.
C
C
So
what
this
does,
is
it
it
if
the
emails
are
like,
let's
say,
for
example,
the
emails
are
not
found,
then
we
have
this
Branch
here
that
satisfies
the
constraint
of
this
or
over
here,
unblocking
the
other
side.
So
it's
just
it's
just
flow.
It's
like
just
you
know,
condition
or
flowchart
flows
that
unblock
the
other
FL.
You
know
you're
on
you're
undeadlocking,
the
other
deadlock
that
you're
waiting
on.
C
D
B
A
B
C
C
C
B
F
I
agree
with
you:
that's
not
that
that
that
midsection
does
look
very
complicated
hearing
your
description.
It
sounds
like
it's
necessary
complication,
but
yeah,
oh
right
there
that
looks
better
like
some
sort
of
way
to
distinguish
which
lines
are
going
where
because
having
them
all
at
the
same
level,.
F
D
B
D
F
C
D
C
So
on
for
this
black
bar,
that's
a
fork,
so
it
means
that
these
two
things
are
happening
concurrently,
right,
okay,
you
don't
necessarily
need
to
implement
the
logic.
This
way
right,
you
could
theoretically
implement
this
with,
like
you
know,
all
concurrent,
not
not
multi-threaded,
you
know
sort
of
stuff,
it's
just
for
visually,
representing
the
steps
separately.
It
kind
of
I
just
think
that
it's
it's
easier
to
show
these
two
things
happening
separately.
B
B
A
C
C
I
have
a
problem:
I
just
found
a
problem
in
this
flow,
so,
okay,
we
found,
we
didn't
find
an
email
address.
We,
the
repositories,
enable
if
you
didn't
find
an
email
address
we
go
into
here.
We
find
that
there's
an
existing
issue,
so
we
use
that
the
existing
issue
was
closed
without
a
response,
so
we
satisfy
here.
C
C
F
D
A
D
C
B
F
C
A
C
Right
and
I,
don't
I,
don't
mind
like
including
this
in
the
thing
but
yeah,
yes,
I
yeah
wait.
Do
we
not
have
a
vulnerable
exposure
working
group
meeting
tomorrow,
or
was
it
no?
It's
normally
okay.
So
we're
not
actually
going
to
run
this
by
the
open,
vulnerable,
open,
open
sort?
Okay,
so
we
can't
run
this
by
them
until
next
week,
tragically
yeah
Michael
scovato
likes
this,
are
we
I
mean?
Are
we
in
agreement
about
moving
forward
with?
This?
Is
the
proposed
flow.
B
C
B
C
The
other
thing
that's
not
covered
here
that
we
do
need
to
do
that.
I
was
going
to
discuss,
so
we
don't
have
this.
This
report
via
pmpvr,
is
completely
blank.
The
the
thing
about
reporting
via
pmpdr
that
we
were
thinking
about
was
so
that
so
the
problem
that
we
currently
have
with
pmpvr
is
for
githubs,
which
the
github's
feature
is
called
private
vulnerability,
reporting
or
PBR
hi
Brian.
C
D
A
C
But
if
so,
we
first
go
through
like
opening
an
issue,
you
know
waiting
for
them
to
respond.
If
they
don't
respond
within
35
days,
then
we
report
via
email
or
we
fall
back
to
email.
But
the
problem
with
this
is
that
we're
waiting
35
days
and
then
waiting
90
days
for
to
send
an
email
and
Michael
scavetta's
proposal
was
why
don't
we
just
send
the
email
and
open
the
issue
at
the
same
time,
so
the
proposal
was
switched
to.
We
have
a
flow
over
here.
That's
continuously
monitoring
four
of
PM
pvrs
enabled
if.
A
C
Is
we
use
it,
but
in
the
meantime,
we
check
for
emails
with
Michael
scovetta's
disclosure
check
which
he
wrote
We.
If
the
repository
has
issues
enabled
and
they
have
emails
enabled,
then
we
do
both
of
these
sides,
but
otherwise
we
if
emails,
are
not
if,
if
emails
are
not
found
or
repositories,
are
not
enabled,
depending
on
that,
we
go
down
one
of
these
two
sides
exclusively,
but
we
consider
the
other
side
to
have
been
satisfied.
C
We
do
them
both
in
parallel
right.
So
this
is
the
issue
side,
and
this
is
the
email
side,
but
if
the,
if
the
emails
are
not
found,
then
it's
automatically
satisfied.
Emails
are
not
found.
This
is
satisfied
and
if
issues
are
not
enabled,
then
this
site
is
satisfied
and
then
we
just
assume
we
move
forward
down
the
flow
and
then,
like
you
know,
if
the
repository
at
the
end
of
this
flow
has
not
enabled
pmpvr,
then
we
open
a
public
pull
request.
Is
that
making
sense
or
have
I
lost
you
somewhere
in
here
you're?
G
G
Assume
nor
do
I
feel
like
I
need.
You
need
my
approval
right
now:
okay,
I
care,
much
more
about
the
vetting
of
this
by
our
community,
I,
I
and
and
knowing
that
you
and
Steve
have
worked
on
it.
I'm
just
really
gonna
give
it
a
blank
check,
but
but
but
knowing
it's
been
aired
here
with
Noah
and
Chris,
and
maybe
even
posting
it
to
a
list
and
sharing
it
if
you're
comfortable
with
it.
But
like
that's
gonna
matter
a
lot
more
than
my
personal
opinion.
C
G
I
want
to
understand
is
where
what
I
will
care
about
is:
where
does
it
have
implications
for
the
budget
in
Alpha
Omega
and
the
parts
that
we
are
able
to
automate
or
make
manual
and
and
that
sort
of
thing,
and
but
if
it
aligns
with
the
policy
of
not
wanting
to
draw
too
many
zero
days
on
unsuspecting
people
you
know
and
that
we're
operating
in
good
faith?
You
know
I'm
gonna,
look
for
validation
from
others
here.
Well,.
C
Okay,
so
the
one
thing
that
may
be
of
contention
here
right,
there's
a
couple
things
that
may
be
contentious:
we
send
them
emails
and
we
don't
look
at
the
responses,
but
we
have
this
ticking
clock
of
90
days
and
we're
just
going
to
disclose
it
90
days.
So
if
they
don't
have
it
fixed,
you
know
in
that
time
or
they
haven't
enabled
pmpvr
over
here.
In
that
time
it
will
just
become
public
after
90
days.
G
G
I
think
the
approach
is
to
not
over
over
engineer
over
optimize
the
beginning,
for
the
use
case
of
you
know
thousands
per
week
of
CVS
right,
I.
Think
the
I
think
what
we
throttle
up.
We
see
what's
automatable,
we
see
really
do
we
get
50
response
rates
or
one
percent
response
rates
and
adjust
with
eventually
the
goal
of
cranking
up
the
number
of
scans.
B
D
B
On
to
what
Brian
mentioned
earlier
is
that
we
would
have
to
consider
the
different
types
of
messages
we
would
get
in
a
different
languages
too,
because
you
might
actually
get
responses
like
from
reviewing
and
our
discussion
earlier.
I.
Don't
think
we
took
into
consideration
of
them,
responding
to
us
and
then
analyzing
the
language
that
they're
using,
so
that
we
know
what
next
steps
to
do.
B
G
C
Put
like
an
optional
like
you
can,
like
you
know,
you
can
optionally
if
the
person
like
if
they
respond
with
it's,
not
a
bug.
It's
a
you
know:
it's
not
a
vulnerability.
It's
a
bug
we
can
put
like
optionally,
you
are,
will
you
know
you
can
you
can
taught?
You
know,
drop
this
forward,
you
know,
and
then
you
don't,
but
you
don't
have
to
implement
that
you
can
just
wait
90
days
like
that's
still
within
spec,
okay,
all
right.
Let's
do
that
then.
C
The
other
thing
that
crossed
my
mind
that
that
maybe
controversial
is
let's
say
that
we
can't
find
any
emails
to
report
with
they
have
issues
enabled
so
emails
are
not
found.
It
repositories
are
enabled,
so
we
go
we're
only
going
to
do
it.
We're
going
to
found
this
flow
so
and
we
let's
say:
we've
already
opened
an
existing
issue
requesting
that
PM
PVR
be
enabled.
C
D
G
C
C
A
A
C
A
G
You
know
what,
as
you're
as
we're,
because
I
think
there's
a
bit
of
selling
of
this
plan
that
we'll
need
to
do
publicly
at
least
explaining
it
and
in
Lay
terms,
for
people
to
find
following
a
flowchart
card
which
isn't
any
of
us
almost
call,
but
but
would
be.
You
know,
people
getting
thrust
with
one
of
these
things
out
of
the
blue
or
or
a
journalist,
or
something
would
be
perhaps
some
sort
of
prose.
G
C
G
We
ran
this,
we
found
a
bug
in
Fubar
and
we
filed
a
an
issue.
You
know
private
issue,
but
it
was
closed
immediately.
So
we
then
said
great.
You
know
it's
it's,
okay
for
us
to
publish
it.
Just
like
a
few
of
these
kind
of
Pathways
that
demonstrate
for
people
how
in
each
case,
we
are
we're
balancing
these
different
different
priorities
appropriately.
H
C
C
G
G
C
C
A
G
My
hope
would
be
if
we
come
up
with
bugs
that
actually
qualify
based
on
their
CVSs,
so
they're
on
their
severity
score,
that
we
decide
how
how
to
sufficiently
automate
and
or
Mechanical
Turk
and
or
find
volunteers
and
or
do
what
whatever
is
required.
Maybe
this
is
a
conversation
we
have
with
miter.
What's
the
right
way
for
us
to
turn
this
bundle
of
100
or
a
thousand
High,
you
know
mid
severity,
qualifyingly
severity
high
enough
bugs
to
get
them
into
the
CD
system.
Or
are
you
telling
us
cve
consumers?
H
Yeah
so
just
and
I
think
as
part
of
the
discussion
discussion,
we
should
also
consider
maybe
GHSA
because
I
think,
because
we're
talking
about
open
source,
it's
kind
of
best
entwined
into
GitHub,
and
you
know
you
have
the
security
Tab
and
whenever
you
have
a
GHSA
for
a
project
it
automatically,
it
will
appear
there,
and
that
is
also
something
that
can
be
later
pushed
through
nvd
and
get
a
cve
I
assume
easily
more
like
in
a
more
straightforward
way
than
from
the
GST,
but
maybe
I'm
wrong.
Yeah.
C
So
the
problem
with
with
GHSA
is:
is
that
so
anybody
can
get
a
GHSA
right.
Github
won't
issue
a
cve
number
as
a
c
as
the
CNA
unless
the
maintainer
requested
so
researchers.
If,
if
you
are
a
researcher-
and
you
believe
that
there's
a
cve
there's
a
vulnerability
here,
they
will
not
assign
you
cve
number
just
based
upon
the
researcher's
perspective
as
a
corollary
to
that.
If
you
open
a
PDR
right
and
Report
the
vulnerability
to
the
maintainer
and
the
maintainer's
non-responsive,
they
will
not.
They
have
made
the
line
understand.
C
They
do
not
want
to
operate
as
an
arbitrator
in
those
cases.
So
what
I've
done
is
a
little
different
I
have
the
way
that
I've
done
things
is
instead
of
getting
the
the
security
or
most
of
the
time
when
you're
doing
disclosure
you,
the
the
maintainer,
is
the
one
that
owns
the
GSD
or
sorry
the
GHSA,
the
GitHub
security
advisory.
C
C
H
C
H
So
I
agree
it's
not
ideal,
but
from
the
reasons
you
just
mentioned,
maybe
we
should
consider
it
as
well
like
to
have
like
one
project
that
is
for
the
fixed
Automation
and
then
all
of
the
ghsas
will
be
open
from
there
and
then
we'll
remain
in
control
of
whether
we
want
to
pursue
for
CV
and
then
it's
also
all
in
one
place
anyway.
I
don't
know
like
what's
the
ideal
solution,
but
I
think
it's
definitely
something
that
we
should
consider
when
we
have
the
discussion
regarding
GSD
or
alternatives.
C
C
D
G
C
Kind
of
I
that
I've
talked
to
Madison
Oliver
about
this.
It's
a
little
interesting
if
you
publish,
if
you
publish
a
GHSA
and
you
have
included
a
link
to
it
in
your
cve
request,
right
GitHub
gets
the
cve
request
via
then.
Instead
of
coming
in
from
there
it's
been
asked,
it's
been
given
by
a
maintainer.
C
It
then
comes
in
through
their
cve
request
flow,
where
they're,
seeing
it,
but
they'll
see
the
link
to
the
GHSA
and
usually
for
that
GHSA
I've
filled
in
all
the
details
of
like
what
packages
impact
stuff
like
that
github's
database,
the
the
GitHub
security
advisory
database
is
one
of
the
few
databases
I
think
it's
the
only
database
that
is
Creative
Commons
licensed
that
has
data
in
a
structured
format.
Snicks
database
does
not
have
that
characteristic.
H
C
Yeah
there's
another,
the
other
thing.
That's
popping
so
nvd
also
publishes
this
CPE,
so
this
CPE
is
supposed
to
be
it's
like,
ideally
an
identifier
for
a
piece
of
software,
and
it
doesn't
map
very
well
to
pearls
right
like
there's.
No
so,
but
there
is
an
effort
to
to
to
to
map
from,
like
you
know
the
cve
to
to
what
packages
or
what
product.
What
thing
is
impacted,
it's
just
very
imperfect
and
nvv.
Doesn't
it
doesn't
Supply
these
in
a
consistent
way.
C
C
Has
it
been
open
for
more
than
90
days?
You
know,
no,
then
make
it
public.
You
know
like
or
pull
it
up
all
the
data
out
and
make
it
public
and
then
also
some
collaboration
with
the
maintainer
because,
like
ideally,
this
will
be
a
collab
that
that
part
will
be
a
collaborative
effort.
Hopefully,
if
possible,.
C
G
It
does
also
feel
like
this
recent
conversation
about
how
to
report
the
vulnerability
suggests
it
needs
its
own
unless
it's
here
and
I'm
not
seeing
it
because
again,
I
can't
see
the
labels
part
of
the
workflow.
That
you
know
is
a
part
of
our
conversation
with
folks,
like
GitHub,
around
ghsas
and
and
maybe
even
eventually,
miter
so
I.
Oh,
you
dropped
a
link
too
I.
G
Give
the
link
I'm
just
on
a
laptop
and
and
like
being
able
to
see
this
and
see
all
of
you
and
see
the
conversation
at
the
same
time.
I
don't
have
my
like.
You
know
full
immersive,
cockpit
kind
of
like
set
up
right
now,
so
apologies
for
that,
but
but
I
also
just
want
to
emphasize
again
like
bring
me
your
edge
cases
bring
me
your
you
know:
where
are
we
calibrating
too
aggressive
or
not
aggressive
enough?
G
G
C
G
C
C
C
A
C
G
If
you
want
David
Nalley
as
the
president
and
and
he's
also
at
Amazon
and
he's
a
big
supporter
of
Alpha
Omega,
and
what
we're
doing
here
might
be
a
good
person
to
start
with
I
know.
Mark
Cox
has
also
been
very
helpful
with
open
ssf
early
early
on,
but
rather
than
going
too
broad
I
suggest,
maybe
starting
maybe
starting
with
David.