►
From YouTube: OpenSSF Vulnerability Disclosures (June 29, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
C
A
C
A
A
A
D
A
E
Well,
I'm
not
new
to
I've,
been
to
previous
vulnerability,
disclosure
calls,
but
this
is
my
first
one
at
one
of
the
monthly
ones.
So,
hello,
everybody,
my
name
is
Aaron
I'm,
one
of
the
mentees
working
under
the
alpha
omega
project,
I'm
working
as
a
security
researcher
under
Jonathan
and
yeah
I'm
excited
to
see
what
this
is
all
about.
A
D
A
A
His
his
notes
are
woven
in
with
the
regular
working
group
notes.
So
if
you're
ever
curious,
what
nonsense?
What
trouble
he's
going
to
get
into
you
could
take
a
peek
there,
but
the
tldr
of
it
is
that
group
is
trying
to
find
a
palatable
way
to
open
up,
potentially
thousands
of
PRS
for
vulnerabilities.
They
find
across
the
open
source
ecosystem
and
not
piss.
A
The
maintainers
off
I
guess
is
the
one
of
the
chief
goals
and
he's
got
a
little
workflow
and
that
they're
testing
out,
and
he
found
some
opportunities
with
some
of
his
automation
that
he
was
lamenting
this
week.
But
you
know
no
major
progress
there
and
he
would
have
joined
us
but
he's
on
a
plane
right
now.
A
If
you
ever
have
questions
you
can
hit
him
up
if
you're
curious
to
kind
of
see
what
he's
doing
so.
I
had
three
things
that
are
all
semi-related
and
we
can
kind
of
talk
through
them
and
then
you
know,
any
additional
topics
you
want
to
talk
about
would
be
great,
firstly,
is
first,
which
is
an
organization
that
stands
for
the
form
of
incident
response
and
security
teams.
So
it's
the
vendor
security
teams
across
the
industry.
A
They
and
Cisco
are
going
to
be
hosting
what
they
are
lovingly
calling
the
Vex
Summit.
So
it's
going
to
be
a
day-long
thing
where
they
will
be
doing
show
and
tell
and
demonstrations
for
csaf,
advisories
and
Vex.
They
want
to
have
people
come
in
and
kind
of
show
off.
You
know
how
they
plan
on
using
Vex
and
sharing
Vex
information
puerco,
who
helps
lead
the
technical
part
of
our
open,
Vex
Sig
he
and
I
will
be
attending
it's
going
to
be
probably
California
time
zone,
so
a
Pacific
time
zone.
A
If
anybody's
so
inclined,
we'll
probably
do
an
open,
Vex
demo
there
for
them
just
to
kind
of
showcase,
a
very
lightweight
way
of
issuing
Vex
statements,
which
is
a
way
if
you
guys
aren't
familiar
it's
a
way
of
expressing
the
effectiveness
of
a
component
to
a
vulnerability.
There's
a
couple
different
you
can,
you
can
be
affected
if
you're
affected,
you
probably
should
have
an
advisory,
you
could
be
not
affected
and
then
you
could
be
under
investigation.
A
D
A
C
A
It's
fairly
it
for
a
commercial
vendor
like
Intel.
It
is
something
that
we
will
be
doing
for
providing
our
advisories
in
electronic
format,
but
for
open
source
maintainer.
It
can
be
pretty
heavy,
not
really
enabling
velocity
and
Agility.
So
it
may
or
may
not
be
something
that
you
guys
would
want
to
engage
with,
but
there'll
be
some
csaf
conversations
in
that
Summit,
so
you
might
be
able
to
learn
some
things
there
as
well.
A
Communication
standards
like
cve
cwe,
CVSs,
epss,
Vex,
csaf,
bring
all
of
these
organizations
together
and
hold
a
summit
focused
exclusively
around
coordinating
vulnerabilities
and
sharing
vulnerability
information
and
as
I
get
more
details.
I
will
share
with
the
group.
We've
already
had
a
bunch
of
people
in
from
Europe,
and
the
states
express
interest
in
participating
and
I.
Don't
know
if
it's
going
to
be
hybrid
or
physical
or
virtual,
yet
that's
still
very
early
days
in
planning,
but
I
think
at
a
minimum.
A
We
want
to
plan
on
having
some
type
of
representation
of
osv
there
and
I'm,
probably
going
to
poke
the
GSD
folks
as
well
to
make
sure
that
they're
included
in
the
conversation,
but
this
will
be
kind
of
a
meaning
of
the
minds,
and
if
there
is
opportunity,
if
it's
virtual
I
would
really
hope
you
guys
could
participate
if
it's
physical,
it
might
be
something
of
interest.
You
might
want
to
run
up
the
flagpole
once
I
get
more
solid
details
to
potentially
travel
for,
but.
A
Will
be
there
I?
Imagine
we'll
see
a
lot
of
different
kind
of
government
coordination.
Centers
like
cert
CC,
we'll
see
a
lot
of
folks
there,
so
it'll
be
kind
of
the
who's
who
of
people
that
do
coordinated
vulnerability.
Disclosure
kind
of
talking
about
topics
that
are
of
interest
to
us
all
so
I'll
keep
you
guys
updated
as
I
get
more
details.
A
Nvd
is
reaching
out
and
they
are
looking
to
create
a
combination,
public
Private,
Industry
collaboration
around
the
vulnerability
database.
Talking
about
you
know,
methods
of
improving
it
and
evolving
it
into
the
future
and
there's
a
thing
here
in
the
United
States
anything
any
kind
of
project
that
goes
out
goes
through
the
federal
government.
D
Yeah,
we
already
have
a
a
I
think
full
weekly
dialogue,
Channel
open
with
the
NBD
and
what
they
clued
us
up
on
this
coming
down
the
pike
already.
So
we
know
we
know
we're
keen
we're
very
keen,
I
think
in
those
small
parts,
because
we
have
started
having
that
dialogue
Channel
within
the
these
impacts.
The
idea
of
having
a
Consortium,
because
there's
a
few
other
folks,
also
having
regular
dialogue
with
them.
Apparently
so
yeah
I'm.
A
D
Conversations
that
we've
had
with
them
I
think
they're
well
aware
of
the
the
pain
points
and
challenges
and
I
think
they're,
also
resource
constrained,
both
financially
and
just
humans,
and
so
this
Consortium
is
an
opportunity
to
bolster
I,
think
I,
think
they're,
actually
more
interested
in
in
kind
contributions
than
necessarily
Financial
from
from
the
conversations
I've
had
today.
So.
A
I
think
we
definitely
have
the
technical
wherewithal
to
help
them
out.
Hopefully
there
I'm
I'm
positive
about
all
three
of
these
things.
The
Vex
Summit
I,
don't
know
I,
don't
know
that
anything's
going
to
happen
out
of
it,
but
Volcan,
and
then
the
nvd
Consortium
I'm
very
excited
about
I.
Think
it's
a
great
chance
for
us
to
influence
and
try
to
help.
You
know
make
it
easier
for
our
open
source
community.
A
D
A
C
D
C
A
C
B
B
B
B
B
D
D
We
we
got
given
a
copy
of
it
before,
like
that
I'm
not
really
up
on
an
academic
research
stuff,
but
they
they've
done
like
a
I
think
it
was
like
a
blind
submission
or
something
like
that,
and
so
we
got
sort
of
given
a
please
don't.
Please
don't
circulate
copy
of
the
paper
while
it
was
going
through
that
submission
process,
but
it
apparently
got
an
early
reject,
so
they
were
like
all
sad
and
just
decided
to
open
source
it
anyway.
A
D
A
C
C
D
E
C
A
We
have
until
July
7th
to
submit
abstract
and
it
looks
like
I'll
be
going
to
Spain
I
had
to
figure
out
how
to
get
it
paid
for
so,
depending
on
what
you
guys
wanted
to
do.
I
don't
know
like
what
your
current
travel
policies
are,
but
if
you
wanted
to
present
something
I'm
glad
to
help
work
with
you
guys
on
that
abstract
to
get
it
ready.
A
C
A
A
All
right
so
I
will
I'll
commit
to
make
the
document
and
share
it
with
I'll
open
up
for
everybody,
but
you
know
Andrew
and
Oliver,
as
you
have
substance
to
put
into
it.
I'll
I'll
help
you
massage
it
and
we
can
figure
it
out
whether
it's
it
would
be
wonderful
if
you
guys
could
make
it.
But
if
not
again,
we
can
we'll
find
we
can
find
a
representative
to
portray
it.
A
All
right,
well,
you
know
thank
you
for
your
time
and
attention.
I
love
hearing
from
you
all
and
I
appreciate
you
giving
us
some
time
on
your
Friday
morning.
So
hopefully
you
have
a
quiet
day
and
you
get
right
into
a
nice
nice
weekend,
you're
bun
you're,
your
Tuesday
will
be
great
because
it's
a
holiday
here
in
the
states,
so
no
one
will
be
around
our
Monday
or
Tuesday.
So
you
guys
will
have
a
very
quiet
start
of
your
week.