Basically, it's the people behind these aliases, right? So if you write an email to security at kde.org, there are some people that read it and sometimes do things about what you send. So what do we do, right? So why should you email us? You should email us if you found what you think is a security issue in software we produce, right? Do not email us if you found a security issue in software we use, right? It's different. If you find a security issue in GitLab or WordPress or Drupal or whatever, that's the admins' problem, right? So you send them an email and it will be good. You can also send it to us and we will just forward it. There's this magical key in KMail named F and it will forward the email, right? It's not super terrible, but you save me from pressing a key on my keyboard. It will take a bit longer.

So who are we, right? So it's a group of nine people plus Adam. It's not that Adam is not a person. It's just that, yeah, sorry, I mean, he gets it, so he's not unhappy, right? We have some history, right? There's a star over there. There are three people of those nine that nobody knows anymore when the accounts were created, right? So like the first list of people with accounts, they are not on that list already. So they're that old. The rest of us, we're still very old, right? There's no one in that list that has an account newer than 2010, right? So at least all of us have more than 12 years of experience with KDE. This is good because you need to trust the people that are on this list, right? You don't want potential security issues to be known by someone that hasn't been with the project for a bit. Maybe 12 years is too much of a bit, right? We should probably find people that are not that old, right? It also happens that the people that have some history, they are super busy, right? So yeah, let's get new blood into the team if possible.

What do we do? We are mostly reactive due to the lack of people slash time, right? Reactive means somebody will send us an email and we will handle it, right? One of the things we do that's not reactive, or actually you could say it's reactive, is OSS-Fuzz, right? So I don't know if you know OSS-Fuzz, but it's basically this big thing that Google has going which will basically create random data and give it as input to your app, or library in this case, and make sure the library doesn't crash, right? So we use that to make sure that the image formats, the codecs and the archives, if somebody sends you a malicious image, it will not explode and it cannot be exploited and whatnot, right? So that's good.

What do we do when somebody sends us an email, right? When somebody sends an email, the first thing you have to do, the most important thing ever, is say, thanks, we're looking into it. The security people get very angry if you don't answer them, right? They are, I don't know, they feel, I'm not going to say anything because this is being played over the internet, but yeah. Just answer very quickly, right? It's not that hard, and if it's hard for that, that's why we got Adam to help us. He'll say the thanks, we'll look into it, right? Then check if the issue that they are reporting has any merit, right? Recently, we got a person saying, oh my God, I've discovered that in X11, any app can record my password. It's like, yes, that's a feature, not a bug, right? So yeah, I mean, that's how it works, right? I'm so sorry that X11 lets you snoop keystrokes, but it cannot be fixed, right? Use Wayland, it will fix it, I've been told. Some of the people just misconfigure their setup, right? There's like, all your binaries are suid root, right? Don't do that, right? Don't shoot yourself in the foot, it will hurt less. But some of the actual reported things are bugs, right? I mean, I'm not saying we are perfect developers, we are not, right?

Paper-brung moment, you might remember this thing we had about, if you plug in a USB drive that has a shell script in its USB drive name, and then you go open, execute, it will execute the shell script, not very good, right? So yeah, sometimes we fuck up and we have to fix it, right? Sometimes the people on the team can fix it, but we're only nine people, so most of the time we cannot fix it, right? We are smart, but not that smart. We will contact someone from outside the team, inside KDE, to make sure we get it fixed.

Once you get it fixed, you have to get a CVE. This is like a very annoying but important part. Most of the security people, distros, the world out there will ignore you if you don't have a CVE. CVE stands for common vulnerabilities and something else I don't remember, but it's basically a number you get assigned to your issue, and you say, hey, this is my issue and it has the CVE, and suddenly everybody, everybody, everybody takes you so much more seriously, right? It's just so fun because it's the same bug as before, but just that the bug now has a name, right? It has a number, numbers make things better.

And then you have to publish the advisory, right? This means telling the world, hey, we're sorry we made a mistake, we fixed it now, right? Sometimes we also tell distributions before that we're gonna do that, right? So they are ready to update the packages, right? You don't want to drop something very huge while someone is on holiday or wherever, right? So give the distributions a heads up that we're gonna do this and then publish the advisory. In publishing the advisory, it is always a bit of a fine line to walk, which is like, how much do you want to publish it, right? You need to publish it enough so that the people that need to fix the things fix it and they realize the problem, but if you publish it a bit too much, then it goes to The Register and The Register doesn't know what they're talking about and you get very bad publicity, right? So yeah, you have to work the balance, but yeah, it has to be done.

Yeah, I have one slide left, so that's fine. How can you help? We need to add more things to OSS-Fuzz, right? There are things like Baloo and KFileMetaData, which is not Baloo, but it's very similar, and KMime, which is the thing that KMail uses for parsing the email. Those things are executed without you knowing, right? Somebody will send you an email, KMail will download it, and the thing will be executed. If the email has malicious data that crashes KMail, well, I mean, if it just crashes, it's not too bad. If it deletes all your files, then it's bad, right? So we should add those to OSS-Fuzz. It's not super difficult. I mean, it's not trivial because everything needs to be compiled statically and whatnot, but it's doable.

We need to audit the KAuth uses. This is the thing we use for things that need to be root, right? Well, they need to be root. Sure, I want to install a font. Good, install the font, but make sure that code cannot be misused for other things, right? Thankfully, the distro people are doing this. We've had the openSUSE team at least contacting us about some of our KAuth users, making sure that we did things a bit more strictly, but the more time we can spend looking at that, the better.

And then, if you really have time, you could experiment with rewriting some of this stuff, like KFileMetaData, Baloo or KMime, or the image formats or whatever, in these safe languages, right? When I say that, I mean, there's Rust. Everybody says Rust is amazing. I still have to see it. So you should prove me wrong, right? You should prove that Rust is amazing and it's so much better and it's so much safer. So if you have time, experiment with rewriting some of our stuff in Rust or whatever else that you think is safer, and let's see how it works. And that's it. There are no questions in this lightning talk. So thanks.
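The talk describes OSS-Fuzz feeding random input to codecs and archive parsers until they crash. The following is an added example, not code from the talk or from KDE: a libFuzzer-style harness (the `LLVMFuzzerTestOneInput` entry point OSS-Fuzz builds against) around a constructed toy chunked container format, showing the bounds checks a decoder needs so that a crafted length field is rejected instead of read past the buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Toy container (constructed for this example, not a real KDE format):
// magic "KIMG", then chunks of [u8 tag][u16 big-endian length][payload].
// A decoder that trusted the length field would read past the buffer on a
// crafted file; this one validates every field against the remaining size,
// which is exactly the class of bug the fuzzer is there to catch.
struct Chunk { uint8_t tag; std::string payload; };

// Returns the number of chunks parsed, or -1 if the input is malformed.
// Never touches memory outside [data, data + size).
int parseContainer(const uint8_t *data, size_t size, std::vector<Chunk> *out) {
    if (size < 4 || std::memcmp(data, "KIMG", 4) != 0) return -1;
    size_t pos = 4;
    int count = 0;
    while (pos < size) {
        if (size - pos < 3) return -1;               // truncated chunk header
        uint8_t tag = data[pos];
        size_t len = (size_t(data[pos + 1]) << 8) | data[pos + 2];
        pos += 3;
        if (len > size - pos) return -1;             // length points past the end
        if (out) out->push_back({tag, std::string(reinterpret_cast<const char *>(data + pos), len)});
        pos += len;
        ++count;
    }
    return count;
}

// OSS-Fuzz / libFuzzer entry point: called with each mutated input; any crash
// or sanitizer report is a finding. Must return 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    std::vector<Chunk> chunks;
    parseContainer(data, size, &chunks);
    return 0;
}

// Constructed samples: a well-formed file with two chunks, and a crafted one
// whose length field (0xFFFF) claims far more payload than the file holds.
static const std::vector<uint8_t> kGoodSample = {'K', 'I', 'M', 'G', 1, 0, 3, 'a', 'b', 'c', 2, 0, 0};
static const std::vector<uint8_t> kCraftedSample = {'K', 'I', 'M', 'G', 1, 0xFF, 0xFF, 'a'};

int parseSample(const std::vector<uint8_t> &in) { return parseContainer(in.data(), in.size(), nullptr); }

int main() {
    std::printf("good: %d chunks, crafted: %d\n", parseSample(kGoodSample), parseSample(kCraftedSample));
    return LLVMFuzzerTestOneInput(kCraftedSample.data(), kCraftedSample.size());
}
```

Built with `clang++ -fsanitize=fuzzer,address` (and without the `main`), the same harness runs as a real fuzz target; here it is exercised with the two constructed inputs directly.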