From YouTube: OpenSSF Vulnerability Disclosures (June 29, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA
Repo: https://github.com/ossf/wg-vulnerability-disclosures
B: It's been quite funny to us locals that this is not breaking any records for us.

A: Back at Red Hat, a big chunk of our team was down in Melbourne and Sydney, so there was a period of time when our boss was in Scotland, and so there was a period of time where there was like zero ability to talk, because Mark wouldn't budge on his time.

A: Do we have any new friends to this group? We wanted to say hello.

E: Well, I'm not new; I've been to previous vulnerability disclosure calls, but this is my first one at one of the monthly ones. So hello, everybody, my name is Aaron. I'm one of the mentees working under the Alpha-Omega project, I'm working as a security researcher under Jonathan, and yeah, I'm excited to see what this is all about.

A: Oliver and Andrew work on the OSV project, which is part of our working group, and we set this call up so we could have better open lines of communication and kind of share back and forth what's going on in their world and what's going on with the rest of the foundation.

A: We did not have any substantive updates from the rest of the working groups. Jonathan's doing a bunch of new work with the Autofix SIG.

A: His notes are woven in with the regular working group notes. So if you're ever curious what nonsense, what trouble he's going to get into, you could take a peek there, but the TL;DR of it is that group is trying to find a palatable way to open up potentially thousands of PRs for vulnerabilities they find across the open source ecosystem and not piss the maintainers off, I guess, is one of the chief goals. He's got a little workflow that they're testing out, and he found some opportunities with some of his automation that he was lamenting this week. But, you know, no major progress there, and he would have joined us but he's on a plane right now.

A: If you ever have questions you can hit him up, if you're curious to kind of see what he's doing. I had three things that are all semi-related and we can kind of talk through them, and then, you know, any additional topics you want to talk about would be great. Firstly is FIRST, which is an organization that stands for the Forum of Incident Response and Security Teams. So it's the vendor security teams across the industry.

A: They and Cisco are going to be hosting what they are lovingly calling the VEX Summit. So it's going to be a day-long thing where they will be doing show and tell and demonstrations for CSAF, advisories and VEX. They want to have people come in and kind of show off, you know, how they plan on using VEX and sharing VEX information. puerco, who helps lead the technical part of our OpenVEX SIG, he and I will be attending. It's going to be probably California time zone, so a Pacific time zone.

A: If anybody's so inclined, we'll probably do an OpenVEX demo there for them, just to kind of showcase a very lightweight way of issuing VEX statements, which, if you guys aren't familiar, is a way of expressing the affectedness of a component to a vulnerability. There's a couple of different ones: you can be affected; if you're affected, you probably should have an advisory; you could be not affected; and then you could be under investigation.

A: And I don't know, I guess let me ask, are you guys engaged at any level with any of the CSAF efforts?

A: It's fairly... for a commercial vendor like Intel, it is something that we will be doing for providing our advisories in electronic format, but for an open source maintainer it can be pretty heavy, not really enabling velocity and agility. So it may or may not be something that you guys would want to engage with, but there'll be some CSAF conversations in that Summit, so you might be able to learn some things there as well.

A: But the next item is an idea that's being tossed around, also through FIRST. I'm part of the PSIRT SIG there, so I helped write a framework and I'm helping organize a conference for them.

A: FIRST works a lot with the CVE board and OASIS and a lot of these standards bodies, and they hold their governing board meetings twice a year, and the idea is that first quarter next year they are proposing to create a new conference, and the stub type, the placeholder title, is called Volcan, and the idea is that they would bring together all the different organizations that are involved in vulnerability communication standards like CVE, CWE, CVSS, EPSS, VEX, CSAF, bring all of these organizations together and hold a summit focused exclusively around coordinating vulnerabilities and sharing vulnerability information, and as I get more details I will share with the group. We've already had a bunch of people from Europe and the States express interest in participating, and I don't know if it's going to be hybrid or physical or virtual yet; that's still very early days in planning, but I think at a minimum we want to plan on having some type of representation of OSV there, and I'm probably going to poke the GSD folks as well to make sure that they're included in the conversation. But this will be kind of a meeting of the minds, and if there is opportunity, if it's virtual, I would really hope you guys could participate; if it's physical, it might be something of interest you might want to run up the flagpole, once I get more solid details, to potentially travel for.

A: I will be there. I imagine we'll see a lot of different kinds of government coordination centers like CERT/CC; we'll see a lot of folks there, so it'll be kind of the who's who of people that do coordinated vulnerability disclosure, kind of talking about topics that are of interest to us all, so I'll keep you guys updated as I get more details.

A: NVD is reaching out and they are looking to create a combination public-private industry collaboration around the vulnerability database, talking about, you know, methods of improving it and evolving it into the future, and there's a thing here in the United States: anything, any kind of project that goes out goes through the federal government.

A: Because it'll be US-based it'll probably be Eastern time zone, so it might be a challenge for you to directly interact with, but the larger vulnerability group really sees some value in this and trying to get in there and influence the NVD in the future, and I think we might want to schedule some additional sessions as we get more details, to kind of prepare the people that are in the time zone so that they can speak in a more educated way about, kind of, expressing our community's concerns.

D: Yeah, we already have a, I think, full weekly dialogue channel open with the NVD, and what they clued us up on, this coming down the pike already. So we know, we're keen, we're very keen, I think, in those small parts, because we have started having that dialogue channel within the... this impacts the idea of having a consortium, because there's a few other folks also having regular dialogue with them, apparently, so yeah, I'm...

D: Conversations that we've had with them, I think they're well aware of the pain points and challenges, and I think they're also resource constrained, both financially and just humans, and so this consortium is an opportunity to bolster. I think they're actually more interested in in-kind contributions than necessarily financial, from the conversations I've had today. So.

A: I think we definitely have the technical wherewithal to help them out. Hopefully there... I'm positive about all three of these things. The VEX Summit, I don't know that anything's going to happen out of it, but Volcan, and then the NVD consortium, I'm very excited about. I think it's a great chance for us to influence and try to help, you know, make it easier for our open source community.

D: I just wanted to briefly speak to the VFC finder thing that I dropped in Slack the other day. Just as an FYI, we had a couple of chats with a couple of folks from NCSU, and they've been doing some interesting work on being able to scale automatically, reasonably...

D: ...find vulnerability-fixing commits for a subset of patches, and they've written a paper. I don't know if the paper is publicly available yet, but they did a drop of the code.

D: No, it was, it was NCSU, wasn't it? Or am I getting my acronyms... yeah, North Carolina State University, oh.

C: I think Trevor, who implemented this, might already be attending some of the other working group meetings, actually, yeah.

B: I'm pretty sure that he is; he's involved in various places in the OpenSSF, Trevor is. So he's also reached out to me about this tool and shared it with me, and I've been sharing it with my team for review and hopefully to get him some feedback.

B: So he's been using this tool to find fixed commits for advisories and vulnerabilities that don't have that, and the last couple of months has been submitting that information to my team for inclusion in our database and various advisories, so he's given us, I think, a little over 250 so far that have been very high quality, really great.

B: The tool so far, from our perspective, having reviewed a ton of this data so far, has been very positive. I'm really excited to play with this.

A: Cool, cool. Maybe if... I don't recall meeting him; maybe if you could broker an introduction, Madison, someday in Slack, yeah.

B: Yeah, I just shared a link to my team's public repo and the contributions that Trevor has been giving to us, just as an example of some of the output and impact of this tooling.

A: Cool. No, I'm gonna read some more and see if we can arrange a demo, and I think this would be interesting to see more about.

D: Going for the... if you can get a hold of the paper, the paper was quite an interesting read as well. Have you seen the paper, Madison?

D: We got given a copy of it before, like... I'm not really up on academic research stuff, but they've done, I think it was like a blind submission or something like that, and so we got sort of given a "please don't circulate" copy of the paper while it was going through that submission process, but it apparently got an early reject, so they were all sad and just decided to open source it anyway.

A: And I get to attend the FIRST stuff very frequently, so I'll be our conduit for more information about that.

C: Oh yeah, I just added a quick FYI about Haskell. The Haskell security group has started a new vulnerability database for Haskell advisories, and they are right now working on the OSV export, which I see is already happening. It's exciting that there's another ecosystem on board. Awesome.

A: Now, do you all keep a little, like, a hall of fame or anything on your website about the ecosystems and tools that use OSV?

C: Yeah, yeah, so on the main OSV schema website there's a list of databases that export OSV, and yeah, on our own repo there's also some links to tools and stuff.

A: That's what, with OpenVEX, what they're trying to do: there have been several smaller implementations of OpenVEX, so they're looking to try to find a way to federate, or at least kind of start to build a little community of people using that lightweight standard.

C: I think you dropped a message in one of the Slack groups about a potential OpenSSF Day talk about OpenVEX and OSV. Yes, we'll have to be involved if that's gonna happen. So please do.

A: We have until July 7th to submit an abstract, and it looks like I'll be going to Spain; I had to figure out how to get it paid for. So, depending on what you guys wanted to do, I don't know what your current travel policies are, but if you wanted to present something I'm glad to help work with you guys on that abstract to get it ready.

A: If you guys just want to write some content, I can try to find some working group members to help present it, if you want. So just let me know how you would like to do that and I'll carry forward with whatever path you guys want.

C: Yeah, I think either way I would love to contribute content. Travel, I'm hoping we can make that happen; I will have to confirm that first, but either way we would love to help you with the abstract and the content.

A: All right, I will tomorrow, so your Saturday, send out a link to a Google doc with kind of a template for the abstract, and if you guys want to jump on that early next week, I'll ping you in Slack and just see what needs adjusting, and we can go through the submission process.

A: All right, so I'll commit to making the document and sharing it; I'll open it up for everybody, but, you know, Andrew and Oliver, as you have substance to put into it, I'll help you massage it and we can figure out whether... it would be wonderful if you guys could make it. But if not, again, we can find a representative to portray it.

A: All right, well, you know, thank you for your time and attention. I love hearing from you all and I appreciate you giving us some time on your Friday morning. So hopefully you have a quiet day and you get right into a nice weekend. Your Tuesday will be great because it's a holiday here in the States, so no one will be around our Monday or Tuesday. So you guys will have a very quiet start of your week.

A: Yourself, thank you. I'll have some adult beverages and forget about work.