►
From YouTube: OpenSSF Vulnerability Disclosures WG (April 20, 2022)
B
D
C
Yeah
yep.
I
think
this
is
my
favorite
working
group,
mostly
because
of
the
topic,
because
this
is
something
that
I'm
really
passionate
about,
but
you
know
it's.
I
mean
this
one,
but
then
also
the
the
this
the
package
packaging
ecosystem
supply
chain
meeting
that
one's
also
you
know
that
was
like
I
was
like
I've
been
hoping
for
that
to
like
that
meeting
to
have
come
into
existence
in
some
format
in
somewhere
in
the
industry
for
a
long
time.
C
D
For
because
I
know
we
changed
the
time,
so
I
see
a
lot
of
new
names
which
is
fantastic.
That
was
the
point
of
changing
the
time.
What
we
normally
do
is
there's
a
list
of
names
and
attendees.
You
can
add
yourself
and
then
change
the
color
to
something
darker
to
show
that
you
are
here
and
we
will
get
started
in
just
a
second.
I
think
we'll
give
folks
one
more
minute.
F
A
F
D
There
you
go,
I
will
put
the
agenda
in
the
chat
one
more
time,
because
I
know
zoom
chat
is
not
historical
for
folks
who
haven't
so
feel,
please
feel
free
to
add
yourself
to
the
agenda.
So
we
know
you're
here
and
I
think
we
have
a
ton
of
first
timers.
So
while
we
go
around
folks
want
to,
if
you
feel
comfortable
introducing
yourself
where
you
from
what
you
want
to
get
out
of
this
group-
and
we
will
go
from
there.
G
I
guess
I'll
jump
in
my
name
is
eric
smalling.
I
am
a
developer
advocate
at
sneak
on
the
container
and
cloud
native
side
of
the
house,
and
I've
just
started
attending
open
ssf
meetings
after
being
in
the
cncf
and
kubernetes
sigs
for
a
while,
mainly
here,
to
keep
my
finger
on
the
pulse
of
things.
So
I
know
how
to
advocate
to
the
team.
H
D
I
Hi
hi,
I'm
megazone,
I've
just
called
me
mz.
That
is
my
name
magazine,
I'm
with
f5
inc,
I'm
the
principal
security
engineer
for
the
f5
incident,
security
and
response
team,
I'm
also
our
cna
guy.
So
I
handle
all
the
cve
disclosure
things
five
and
here
that
someone
said
basically
to
kind
of
learn,
what's
going
on
and
keep
my
finger
on
things.
J
D
D
So
I
think
the
the
big
item
I
know
for
today
is
the
charter
review
or
continued
edits.
There
was,
you
know,
requests
from
the
attack
that
all
the
working
groups
have
a
charter.
I
think
this
a
lot
of
the
working
groups
that
started
early
in
the
creation
of
the
open,
ssf
have
kind
of
just
been
working
along
and
didn't
do
some
of
this
paperwork
and
we
were
probably
one
of
them
and
there's
also
the
cvd
guidance
for
security
researchers
to
discuss
and
any
opens.
E
K
I
I'm
not
sure
if
we're
supposed
to
do
hands,
but
I'll
just
jump
in
so
go
for
it
yeah.
I
have
a
question,
so
this
charter
is
very
similar
to
a
lot
of
the
working
group.
Charters
in
the
ossf
is
kind
of
like
the
the
skelet.
I
don't
know
template
skeleton
whatever
you
want
to
call
it.
So
one
of
the
questions
I
had
with
a
lot
of
these
is
there's.
You
know,
there's
a
lot
around
the
tsc
right
and
you
know
the
tscs.
K
According
to
this
charter
tsc,
the
technical
steering
committee
of
this
group
is
responsible
for
a
whole
slew
of
things.
It's
kind
of
unclear,
though,
who
the
tsc
is
and
how
you
become
on
the
tsc.
Is
it
like
voted
that
that
that
to
me
is
my
main
question
and
feedback
is
like
who
is
the
tse
of
this
group?
I'm
not
sure
where
it's
written
down
and
I
how?
How
do
you
join
the
tsc?
K
Presumably
it's
a
meritocracy
but
like
how
what's
the
process,
I
don't
don't
know
I
feel
like
that's.
The
big
gap
is
like
there's
all
this
stuff
about.
The
tsc
doesn't
actually
explain
who
the
tse
is
or
how,
how
it
gets
formed
and
how
you
join
it,
and
et
cetera,
et
cetera
the
governance
around
it.
That
that's
my
main
question
and
I
kind
of
like
ask:
do
we
want
all
these
things
you
know
are
all
of
the
things
in
this
charter
things
we
want
to
keep
with
the
tsc.
K
L
So
I
do
a
great
deal
of
work
with
governance
for
a
lot
of
projects
over
the
past,
30
or
so
years,
and
tscs
are
not
something
that
typically
is
in
a
working
group.
This
is
obviously,
and
in
every
single
one
of
the
working
groups
that
I'm
in,
which
is,
I
think,
all
of
them
at
the
moment
they
are
all
dealing
with
this
omg.
What
is
going
on
with
this
tsc
stuff?
L
Well,
obviously,
somebody
cut
and
paste
just
to
give
us
a
template
to
get
started
great,
but
tscs
don't
make
sense
in
a
working
group.
They
do
in
a
project
right
and
a
technical
project
specifically.
So
I
think
that
this
is
something
that,
as
a
working
group,
it
makes
sense
to
get
rid
of
and
instead
do
some
other
form
of
governance
such
as
we
have
somebody
who
leads
the
meetings.
L
They
lead
the
working
group
and
then
explain
what
that
looks
like
and
how
that
person
gets
chosen
or
nominated
or
otherwise,
and
I
think
that
makes
a
lot
more
sense
then,
and
just
drop
pretty
much
all
of
this
tsc
stuff,
which
is
a
great
there,
might
be
some
stuff
to
keep
there.
But
just
I
will
hand
wave
that
at
the
moment
just
say
drop
it.
D
D
K
K
The
one
thing
that
I
would
suggest
we
need
to
figure
out
how
we
want
to
do
a
little
bit
more
strict
governance
around
is
if,
when
this
working
group
produces
artifacts
or
endorsements
of
artifacts,
like
on
behalf
of
the
ossf
right,
so
when
we
produce
something
like
the
document,
we
just
produced
right.
How
do
we?
How
do
we
ensure
that
we
have
that
working
consensus
right?
Because
I
I
think
you
know
one
of
the
things
that
to
me
has
been
I'll
be
completely
honest.
K
A
little
bit
challenging
with
some
of
the
stuff
in
the
ossf
is
like
there's
stuff
that
you
know
everything's
kind
of
moving
a
5
000
miles
an
hour
and
there's
there's
some
things
that
kind
of
proceed,
and
it's
like.
Oh,
we
think
we
have
consensus
so
we're
doing
it,
but
it's
like
you
know,
was
there
consensus.
How
many
people
were
in
the
meeting
where
that
proceeded
like
that?
That,
to
me,
is
one
of
the
things
that
I
think
is
important
to
codify
in
these
charters
like
how
are
we,
how
are
we
validating
for
consensus?
K
L
L
D
G
L
D
And
vicky,
I
think
you
probably
have
good
visibility
into.
I
know
some
of
the
other
conversations
going
on
in
the
open.
Ssf
right
now
are:
how
are
projects
accepted?
What
is
the
process
for
like
when
we
did
the
cvd
guide?
I
think
we
also
were
kind
of
bouncing
around
at
the
board
like
how
does
this
get
a
stamp?
How
does
it
not
so
I
know
a
lot
of
these
answers
are
probably
happening
in
parallel.
L
Because
of
the
sort
of
deliverables
that
a
working
group
has,
it's
typically
doesn't
need
to
get
up
to
that
level,
but,
as
far
as
I
know,
nobody's
really
discussed
that
type
of
acceptance
whether
it
meet
these
deliverables
need
to
go
up
to
say
board
level
for
approval.
So
I
suspect
they
don't,
but
it's
a
good
question,
so
whoever
is
very,
very
kindly
taking
notes.
D
D
D
D
C
I
sent
crowba,
I
wrote
up
a
long
thing
about
vulnerability
disclosure
and
my
experience
with
one
of
real
exposure
it
was
directed
specifically
to
I
was
chatting
with
some
people
in
the
open.
I
was
chatting
with
people
in
the
github
security
lab
and
this
the
github
security
lab
people
are
like
it's.
A
combination
of
both
people
that
work
at
github
and
also
the
people
that,
like
are
security,
researchers
participating
in
getting
bug
bounties
out
of
the
github
security
lab
and
there's
a
long
discussion
around.
C
C
Yeah
because
it
was
very
specific,
but
I
could
I
could
I
could
edit
this
down
and
send
this
somewhere,
but
just
some
of
the
stuff
that
I've
I
like.
I
try
to
encode,
like
my
experience
and
knowledge
and
and
like
stuff
that
I've
learned
doing
vulnerability,
exposure
in
open
source
for
the
past
three
years
and
like
the
pitfalls
you
quickly
fall
into
in
that
area.
So,
like
you,
know,
I've
done
this
this.
L
C
Most
was,
I
was
expecting
there
to
be
more
people.
Is
it
just?
It's
is.
Are
there
more
people
doing
this
sort
of
open
source
vulnerability?
Disclosure
like
it
seems
like
like
I
I
I'm
surprised.
I
am
surprised
that
I'm
the
only
one
here
with
experience
right
like
well.
You
know
like
why.
What
is
what
is
up
the
rest
of
the
industry
is
there's
nobody
else.
That's
doing
this
sort
of
thing,
or
am
I
just
in
the
right
place
at
the
right
time
like
I
also
like
my
experiences
have
been
like.
C
K
Or
what
I
mean
I
I
expect
that
part
of
it
jonathan
is
because,
like
you
know,
researchers
probably
more
concentrate
on
places.
They
can
get
bounties,
which
are
probably
less
often
open,
source
projects
right-
and
you
know
I
that's
kind
of
why
google
started
project
zero
back
in
the
day,
was
to
fill
this
gap
right,
but
I
that's
got
I
I
mean
the
economics
is
gonna
lot
to
do
with
it.
If
I,
if
I'm
gonna,
spend
five
hour,
you
know
five
days
working
on
a
problem.
D
Yes,
yeah
jonathan,
I
think
you
have
a
lot
of
people
here
who
are
on
the
other
side.
On
the
you
know
the
response
side
receiving
your
reports,
your
fine
rewards,
but
I
think
that's
a
great
question
and
jason
made
me
point
to
there's
kind
of
an
incentive.
We
need
to
hear
these
voices
more
to
understand.
C
C
You
know
I'd
also
love
to
meet
some
people
from
product
zero
because
you
know
I've
always
I've
watched.
You
know
I've
seen
their
vulnerabilities
closures
for
years
and
followed
that
whole
thing.
It's
like.
Oh,
you
know
you
know,
they've
been
doing
cool
stuff.
I'd
love
to
meet
some
of
those
people.
Are
there
any
any
other
big
research
groups
like
this
white
source,
but
are
there
any
other?
There's
the
githubs
there's
people
from
the
github
security
lab
that
are
doing.
C
L
D
N
I
was
just
gonna
say
that
also
you
know
we
had
with
hunter.
We,
I
think
our
security
research
and
open
source
maintain
a
community
is
about
6,
000
people
right
now
so
happy
to
connect
or
like
act
as
a
bridge
between
our
community
and
the
workings
of
the
group
to
relay
you
know
comments
from
our
community
back
and
see.
You
know
what
constructive
feedback
we
can
find.
O
B
M
M
C
C
L
C
L
C
L
C
L
C
And
can
we
be
specific
about
companies
and
company
names
and
the
pitfalls
of
using
verse,
cert?
Okay,
let
me
provide
an
example
right
if
you
disclose
a
vulnerability
by
github,
the
information
that
you
encode
in
the
disclosure
has
like
a
structured
format
and
then
that
structured
format,
especially
if
you
do
disclosure
fully
like
it,
gets
published
in
a
way
that
that
data
is
parcel
by
machines.
C
But
if
you
do
disclosures
by
a
snick
and
you
get
a
cv
via
snick,
if
you
don't
publish
that
with
another
way,
then
snake
publishes
it
they
get
to
give
a
cd
for
it,
but
their
database
is
closed,
source
and
closed,
and
so,
if
you
want
to
use
it
for
structured
data
like,
for
example,
if
you're
building
a
dependable
or
you're
building,
you
know
some
open
source
tool
to
audit
for
security
vulnerabilities.
You
have
to
curate
all
that
data
again
and
that's
why.
C
Personally,
I
use
github
security
advisories
to
publish
my
disclosures
because
at
least
I'm
publishing
it
in
a
curated
formatted
way
that
those
tools
can
automatically
scrape
and
because
github's
database
is
creative.
Commons,
like
I
prefer
to
do
that,
but
I
also
prefer
to
use
git
snick
as
a
cna,
so
like
you're,
including
these,
like
concerns
and
issues
about
specific
companies
and
why
you
might
want
to
use
specific
company
versus
another
one.
Is
that
like
okay,
in
the
context
of
like
this
article,
or
is
that
do
we
want
to
avoid
like
well?
C
O
C
When
you're
doing
cna
cve
issuance,
though
like
the
vendor,
has
like,
if
you
want
to
get
a
cv,
there
are
different
pitfalls
of
using
different
ones
right
that
you
may
not
know
without
experience
of
having
done
this,
which
I
do
have
the
experience
of,
because
I've
done
this
long
enough.
But
I
know
like
that's:
why
that's
why
I've
used?
That's
why
I
use
the
vendors
that
I
do
in
this
context,
because
if
you
disclose
in
a
specific
way
your
information,
the
information
disclosed,
doesn't
go
out
in
a
way
that
is
easily
consumable
by
other
tools.
O
L
C
On
man,
I
mean
writing
for
me.
It's
not
that
it's
not
that
I
don't
mind
writing
instead.
Writing,
for
me,
is
a
really
difficult
process.
It's
like
it
takes
a
lot
of
time,
so
you
know
I,
you
know
I'd
be
happy
to
write
it
with
somebody
collaboratively,
but
me
sitting
down
and
writing
a
blog
post
is
actually
a
lot
of
work.
L
Yeah
trust
me
in
the
middle
of
my
second
book.
I
understand
adhd
over
here,
but
it's
it
is
the
sort
of
thing
that
you
know
where
you
publish
and
the
ramifications
of
that.
If
there
is
some
way
to
discuss
that
in
the
document
in
a
somewhat
vendor-neutral
way,
such
as
there
are
differences
in
where
you
publish
your
cve,
and
here
are
some
of
the
things
you
might
expect
just
in
general,
without
naming
names,
maybe
there's
a
way
to
do
that
in
the
document.
L
L
I
Yeah,
I
I
I
would
agree
on
for
an
official
type
document.
I
would
not
name
names
that
that
gets
political
and
and
can
somebody
might
refuse
to
use
the
document
or
say
it's
biased
or
whatever,
but
as
a
separate
like
an
informal
community
document,
a
separate
document
of
reviews
of
things
or
you
know
like
a
pros
and
cons
document-
that's
separate.
That's
not
part
of
like
a
standards,
type
thing,
it's
probably
more
useful,
but
also
to
say
in
the
end.
I
C
G
C
The
choice
to
pick
a
cna
is
going
to
be
itself
a
vendor
decision
kind
of
I
mean
it's,
not
it's
not
account
vendor
that
the
vendor
actually
sells
the
product
right.
Vendors,
like
you
know,
white
source
and
snick
are
not
selling
where
cna
they're
selling
their
data
right,
but
there's
a
decision
that
you're
making
around
picking
which
one
of
these
cnas
you
want
to
work
with
and
why
you
might
want
to
pick
one
over
another
one
and
those
are
companies.
N
Yeah,
I
was
just
more
kind
of
leaning
on
from
what
jonathan
was
saying.
I
wonder
if
this,
if
the
working
group
has
ever
discussed
vulnerability
reports
made
to
the
various
you
know:
vendors
databases
whatever
that
don't
receive
cvs,
because
I
think
there's
a
there's
a
vested
interest
in
some
vendors
to
keep
vulnerability,
information,
proprietary,
and
so
they
don't
necessarily
or
like
for
whatever
reason.
Maybe
they
haven't
received
a
request
for
a
cv
or
whatever
it
might
be.
N
Because
of
this,
which
also
creates
difficulties-
and
I
think
I
think
every
vendor
is
at
fault
of
this
right-
I
don't
think
any
vendor
consistently.
A
hundred
percent
of
the
time
will
issue
a
cv
for
every
single
vulnerability.
That
record
of
value,
you
know,
will
issue
a
cve,
but
but
I'm
not
sure
how
you
also
solve
that
problem.
But
maybe
this
is
kind
of
like
a
tangential
topic.
L
Thank
you
yeah.
It
does
seem
like
it
will
be
tricky
with
that.
It
might
be
something
that
has
to
be
decided,
as
the
document
is
built
to
figure
out
what
the
I
think
we're
we're
talking,
all
theoretically,
without
actually
seeing
what's
in
the
document
right
now,
most
of
us,
and
so
it's
great
to
have
the
information
out
here.
L
So
we
know
that,
as
we
are
looking
at
the
document
because
we're
all
going
to
look
at
the
document
right
that
these
are
things
we
should
be
keeping
in
mind
as
we
do
it
and
we
do
have
a
bunch
of
people
who
have
volunteered
to
look
at
the
document,
which
is
wonderful.
Thank
you
all.
Can
you
commit
to
having
some
progress
on
that
by
next
meeting
in
two
weeks.
L
O
L
L
And
it
might
be
difficult
to
have
a
look
at
that
and
listen
to
a
meeting.
So
I
understand
that
will
be.
You
might
not
be
able
to
do
that
right
now.
But
if
you
look
at
this
and
see
something
that
you
would
like
to
participate
in,
please
leave
a
comment
and
or
put
your
name
on
that
and
then
we
can
start
making
progress
because
we
do
have
a
deadline
on
this,
since
we
would
like
to
believe
it
was
august.