So I'm Josh Bressers. I am the vice president of security at a company called Anchore. We do Syft and Grype. Syft is an SBOM scanner, Grype is a vulnerability scanner. We have an enterprise product called Anchore Enterprise. I'm on the OpenSSF TAC. I've been doing this open source thing for twenty-some years now. I have a story I always tell where, when I started out my career and I went to work for a Linux startup, I had people legitimately tell me I'm throwing my career away on this open source crap. I think we did all right. And then also I'm one of the co-founders of the GSD project, which is what we are going to talk about today, and I have a co-presenter here who will introduce himself.

Hi everybody, I'm the other Josh B. So Josh Bressers and Josh Buker, Josh B and Josh B. I work for the Cloud Security Alliance, a global nonprofit. We focus on building the cybersecurity community and pushing forward best practices that are vendor neutral, the GSD, the Global Security Database, being one of those new projects. So yeah.

Awesome. All right, cool. So let's start out with just asking the question. Did my clicker work? No, it didn't work. Oh, it turned off. All right, there we go. There. What is the Global Security Database, right? So there's a lot of crazy history behind this and we're not going to go into a ton of it, but fundamentally what this has turned into is a repository of identifiers that is meant to be an open source project, a way to track security information, we'll call it, right? It's not about vulnerabilities necessarily, it's not about malware, it's not about one thing. And there are a number of projects, we'll hear about some of them here, there are more than we can count as well, where I think it has become apparent that there's all this security information out there and it's been really difficult to bring it together. And that's one of our intents. No, please.
Yeah, and one of the things that we'll talk about a little bit later, too, is also not just the vulnerabilities themselves, but the discussion as well, avoiding some of the misplaced communication channels, we'll say.

That's right. That's right. And I also want to, I guess, start this conversation off with this: Josh and I are up here presenting and we have a whole bunch of slides, we have a whole bunch of content, and I think it would be a shame if all we did was talk. So as you have questions, as you have thoughts, please speak up. Argue with us. There's nothing better than a good argument, especially in the world of security, right? And so by all means engage. We're here to converse, we're not here to expel, right? That's not the intent. Okay, so where are we today? And I like to describe this as modern vulnerability identifiers, and specifically vulnerabilities, we'll say, in this context. It's become difficult to find them all, and we have a slide coming up in a couple that kind of explains it, lays out this ecosystem. But there are tons of sources. There's things like CVE, there's things like GitHub, there's... no, I'm not gonna do it. I'm not gonna do it. I do that later. We put this in our notes not to do this right here, where we start naming everything. So, right, there are all these weird problems and I don't want to obsess over the problem. That's not why we're here, right? We are all here because we understand this is a space that has enormous opportunity, right? And so we want to focus on what we can do to help.

Yeah, and to add to that too, I think one of the things is that no one person or group is gonna have the right answer, so getting everyone together in an open source project so we can collaborate and do it through practice rather than try to theory-craft a perfect answer up front.

Exactly. Exactly, very open source. Okay, so this part of the presentation.
I don't... When you say this out loud, everyone realizes it's true, but everyone doesn't always realize it's true. So if I take the vulnerability scanner Grype that my company has created and I scan for vulnerabilities, it's open source, right? It's an open source project, anyone can contribute, all that jazz. There's another open source vulnerability scanner called Trivy that's done by Aqua Security, which is, you know, technically a competitor of Anchore, but in the open source world we all get along. If I scan something with Grype and then I scan something with Trivy, I'm going to get different results. And is it because one scanner is better or worse than the other, or is it because all of the data is not machine readable, but often when it is machine readable it's because it's part of someone else's data set and it's probably locked up behind a gate somewhere, and it's because they've done a bunch of work on it? Maybe. So this is all about the data formats, right? It is difficult to find this data and to do something with it. And okay, I'll keep going. I can talk for hours. Josh is here to keep you in check, I think. And then the last point on here I think is one of the most important: that today Twitter is the best source of vulnerability information we have. No, that's not... don't put your thumb... come on out. No, oh, okay, you're green. Good. Perfect. So I mean, why is Twitter winning, right? This is one of the questions that Josh and I and the other fellow we work with, named Kurt Seifried, who couldn't be here today, talk about all the time. All right, Josh, I've talked too much. Tell us why Twitter is winning.
Yeah, so Twitter makes it really easy. There's no barrier to entry to actually submit any information to it. If you want to talk about some crazy vulnerability that you're seeing, Log4j or whatever, you can just go on Twitter, post about it, add a hashtag, and that is a way for you to get into the conversation, add your own two cents to it. Maybe create a logo.

Maybe make a logo. Yeah.

Um, so, and then the other thing too is it's easy to search Twitter and find stuff.

Well, kind of, sort of. Yeah, you can kind of search, but it's not great. It's also not machine readable. So that's one of the areas that, yes, we'll talk about a little bit more later. Yeah. Yeah. I mean, so for anyone who doesn't know, the Log4Shell picture: there's a fellow, Kevin Beaumont, and he goes by GossiTheDog on Twitter. He made that as a joke and everyone started using it, which was just, like, chef's kiss, right, for just being awesome for this. But in all seriousness, for anyone who was paying attention to Log4Shell, the literal best source of information we had was following GossiTheDog on Twitter. It was an enormous service he did for all of us, which is terrifying in some ways, but thank goodness he did. Yeah.

And that's one of the things that I think we're trying to address with a project like this, is rather than having to follow a whole bunch of different Twitter accounts and see, like, okay, what's going on, is there any crazy stuff today?
Actually have a genuine input of, oh, this is security relevant, I should be paying attention to this, and also have it be machine readable so you can feed it into any automations, as opposed to trying to scrape Twitter or whatever you can find for the feed.

That is one of my favorite things. So I have friends and family members who will say, you know, what do you do, explain your job to me, and it's basically, well, I get up and I check Twitter to see if there's anything I need to worry about, and then I look at my backlog. And I joke when I say that, but it's not entirely wrong, which is scary and awesome. Okay, so one of the first things people will say, and I actually argued this with a bunch of the GitHub folks last night, is when we talk about anyone being able to update vulnerability data, they say, but anyone can update the vulnerability data, you can't let that happen. And the thing I remind everyone is, when I started my open source career back in the early days, in the early 2000s, do you know what everyone would say when you explained how open source worked? They said, so you're telling me anyone can update this project? How can you trust them? There's no way that works. And I think the fact that if you look at this show, you look at all of us here, you look at, you know, us up here and then the front, open source works. No one's gonna argue that, right? Open source won. It's not even just that it works, it works so well it has destroyed the competition. And so every time I hear someone say you can't possibly rely on the community to send you... oh no, didn't... okay, all right, all right. We had a lot of technical difficulties getting that screen to work, so it's a traumatic flashback. Yes, it's like minutes before the presentation. That's right. So anyway, there is no reason we should be saying, but we can't trust the community. We trust the community to run literally all of our infrastructure.
We trust the community to send stuff to space. We trust the community for our lives: the medical devices that keep people alive are running open source. So I don't buy that at all, that there's somehow some advantage to locked-up proprietary data, especially for vulnerabilities. It is not true. I would say this is one of those instances where, prove me wrong, because all of the evidence says open source works and it's awesome.

Yeah, and some of that too is, if it's open source then anyone can look into it, as well as, with it being easier to update and edit this data, if something does go wrong we can go through and quickly correct it as well.

That's right. Yeah. Yeah, and you can see who did it, right? How many of us know what git blame does, right? I love the fact that they named it literally "blame". Because every time we've... what did they used to call it in the CVS days? It was annotate, I think, where it would show you... So for those of you who don't know, there's a command with git called git blame, and git blame will show you which line was committed by a certain person, right? Because obviously when there's a bug you want to know who you're gonna blame. You know, we've all been there when you're doing development, and in fact in the early days, I mean, we would literally run CVS annotate on the code to be like, we've got to go yell at this guy, he screwed up the build. And so anyway, that's part of what open source... All right.
Here we are, here we are, our favorite slide. This is... so Josh and I started talking, we started working on this a couple weeks ago, right, probably two, three weeks, and we said we want a slide where we put all of the vulnerability sources we could think of on a slide. So if you're part of a project and you're not on there, it's not that we don't like you, we just couldn't think of it. We literally pulled this out of our butts talking on a Zoom call, and that's how big the list is. There's way more than this, literally just the ones that came to mind.

Right, right. And so this is part of the challenge: if you're an organization who's dealing with vulnerability data today, this is what you need to look at. Now some of these, I will say, are private. We've got Snyk up there, there's Twistlock up there, there's WhiteSource, actually WhiteSource just changed their logo, I see, if I put WhiteSource or something, but you get the idea. Some of these are private, some of these are not private, some of them are public. But this is one of the challenges we have: how do we take all of this data, how do we turn it into something everyone can use? And there are always the arguments of, oh, we should all come together and have one thing, and I'm not going to argue that's necessarily bad, but competition is always good. So I'm not saying we should have one particular source necessarily, but I do think that's too many. I'll just randomly tap on that. That's fine, keyboard. No, it's whatever. What's that? Okay, all right, if you say so. We'll see. See, that's right. It's always the infrastructure, right? Right. It's DNS. I'm certain it's DNS as well. All right. All right, Josh, take it away.

Yeah, so one of the things with this data is being able to integrate it into your CI/CD pipeline. So making it easy for you to pull in whatever the data feeds are, check it against your SBOM or your packages, and see which ones are vulnerable at which versions, is there a fix available, can you deploy that immediately?
And making that easy is one of the things that is important for automation. And with Ruby and npm, what they've ended up doing is taking in, for example, the CVE or the NVD data feeds and augmenting them to say, hey, it affects this specific package, this specific version range, and being able to push that back upstream is one of the... Okay, just ignore it, it'll do it anyway. Okay. Oh. So pushing up that data so that others can reuse it, as opposed to everyone having to have their own special, we're gonna augment this with our own format, that kind of thing.

That's right. That's right. And for anyone who's ever done anything like this before, every language now seems to have their own data set, which, I mean, it's totally reflected there, right? Yeah, they'll have their own special thing. I know that you're not... is that true? Yeah, most of them are public, which is great, but it still sucks because you have to go find it, figure out what to do with it. Um, all right, formats. Talk about the formats. I guess, do you want to start on the OSV stuff? And, yeah, yeah, so if we look at the little... Do I have OSV on here? No, I don't have OSV on this one. Is that... no, that is OSV. Okay, I can't remember. We have so many pictures in this deck. The black box here is a format called OSV. So the Google folks who are here have a project called OSV as well as a data format called OSV. OSV is awesome. If you've never looked at it, it captures a great deal of vulnerability information in a really nice way. It's JSON. It's one of those situations where I like to describe it as: the OSV data solves a problem. It was created by people doing work versus committees. Now, nothing wrong with... Alan's staring at me. No, nothing wrong with committees, but it is one of those situations where you can plan to death, but as soon as you start doing the work everything changes, right?
And so it's an instance of, this is the result of people doing the work, which I think makes a huge difference sometimes. But it's also just, it is very lovely. I really, really like the data format.

And one thing before we move on too is, there's not going to be one right way to do this. There are going to be different use cases that need different data formats as well, and we'll talk about this a little bit later, but this is where namespaces come into play for the GSD. And also one of the things is, like, we don't want to reinvent the wheel. We don't want to come up with our own data format. We want to lean on the existing stuff, so for example purl, OSV, VEX, etc. Not create yet another standard.

So that's right. That's right. Let's just keep going, we're going to run ourselves out of time here. Yeah, all right. So I guess this is the last bit before we get on to the good stuff, right, is: today, updating vulnerability data is hard. It shouldn't be hard. It's 2022, right? Come on. And I like putting in my quote, "someone named Josh." Who said it? We don't know. All right, let's get on to the good stuff. So again, we kind of come back to the GSD, right? It's part of the Cloud Security Alliance. It's an open source project. And now we're going to kind of show you what we're doing. But first, we know, all right, we all know our intent, though, in all seriousness. I put this up slightly, and just so no one points this out in a few minutes, but more importantly, the intent we have isn't to create another standard. The intent we have is to find a way to work with the other standards, right? And I think that's an important differentiation versus the awesome xkcd comic we all reference all the time, right? All right, all right. I'll let Josh, being the CSA employee, explain why the CSA.
Yeah, so one of the big things is that... well, what does CSA stand for, just to make sure everyone else... So, Cloud Security Alliance. We're again the nonprofit, and one of the big things is that our incentive isn't the data itself. We want to kind of build up the community around this and... oh gosh. So take over for a second.

Yeah. Yeah, okay. So not a company, right, first of all. We all know that when a company is in charge of an open source project you run into problems. I worked at Elastic prior to Anchore, and there was just a keynote about OpenSearch, I'll let you work that one out. But, right, we don't want a company involved. Kurt and I are the founders of GSD, and we went to the CSA because the CSA has given us an enormous amount of rope to hang ourselves with, which I truly appreciate. So it's pleasant to work with an organization that's very hands-off, which I really, really like. One of the other aspects to this, why it can't be a company, is we have a list here. Every... and now I don't know if the GitHub folks are out in the audience, but I told them to argue with me. Yes. So every company that has done this has either gone out of business or they've taken their data private, because the data was seen as having some sort of monetary value, or, more importantly, you see many other organizations just taking your data from you and contributing nothing back. Now there's nothing wrong with that per se. I think if we look at open source, the vast majority of open source projects have far more people consuming them than contributing to them. So it's part of what has to be kept in mind, I think. There will be takers, but we also want to make sure there are people who work together with you. And so this is... and I must say the two blanks are for, if anyone has any other databases that have gone private or went away, by all means speak up.
That's kind of where we left it there. But fundamentally, for something like the CSA, we want an open source project that's going to be self-governing and not run by any one organization or person or company. Because, I mean, we've all seen open source projects where, you know, one company takes over or one person takes over and then they have their agenda and they start pushing it, and that doesn't help anyone, right? This is data that the world needs. Okay, all right. 2022, open source won, right? We covered all this stuff. This makes sense. Okay, does anyone disagree? Come on, someone's got to disagree. I mean, we're at the open source... What's that? It is the year of the Linux desktop, and next year will be the year of the Linux desktop, and the year after that, and the year after that. That actually was really funny. I had a friend who was organizing an event and they had a timeline of open source, and they put "year of the Linux desktop" in, I think, 1999. It was real small and you had to know it was there, but it was such a good joke. But you know, it's funny, I've been running Linux on my desktop since probably '97, maybe, a really long time. So I feel the pain, and every year it's like, this is the year. I want to believe. What was it, Mulder had the poster up in his office in The X-Files: "I want to believe." Yeah, that's me. That's me. Okay, all right. So let's start talking about the most interesting part of all of this: namespaces. Do you want to talk about namespaces, Josh? Yeah, explain namespaces.

So this is where having the existing feeds, like we showed the slide of, like, 20 different databases, being able to pull that into one central machine-readable place, and doing that with each of those databases going under their own namespace. And one of the other things that we can do with this as well is, for example, the New York Presbyterian Hospital, they have some data... You said hospital. I got it right.
I was thinking, when we were talking about this the other day, we kept saying Presbyterian Church instead of Hospital. Sorry, sorry. Yeah, go ahead. Well done.

But they have some data enrichment that they're doing to the NVD data as well. So being able to push that up under your own namespace is one of the things that we're going to be able to support with the GSD project.

Well, we do support it. I mean, this is literally a screenshot from some day. So I'll kind of start at the beginning. We jumped into some content and we don't have a ton of time here, but everything you see here is in GitHub. We have a link to GitHub somewhere later on in the deck. But basically we've taken a bunch of existing data and we stuffed it into GitHub. We use OSV for a bunch of the data. There's also this made-up crap format, that's at the top, that I made up years ago as the start of the tooling. It's going to go away at some point in the near future because it's terrible, but that's fine. That's how open source works, right? Terrible data, no big deal, you just patch it. It's how it is. Yeah.

And two quick additions to that too: one of the things we can do with this is support researchers adding content under their own specific namespace.

That's right.

Um, and then... no, I forgot the other part.

That's right. We'll come back to that. So if we look up here, we've got, it's us, CVE. So we also made the GSD identifiers, we'll call them, CVE compatible, where you can basically take any CVE ID, replace CVE with GSD, and it's literally the same ID and the data will be in this data set. Because if you look here in this namespace, there's an NVD namespace and a CVE namespace. I collapsed them because it's a lot of stuff and it's hard to present in a way that makes sense. But the idea is, those are read-only data sources.
We pull them in from somewhere else, we put them in here, but there's no reason that someone else couldn't add your own namespace, for your company, your project, yourself as a person, and add commentary. You can add more metadata. You can do any... we can add metadata into the higher-level GSD namespace, because the intent here is that it is not uncommon for there to be missing references, for there to be typos in the data, for there to be anything. In fact, here, I want to jump back to this, like this one. That's actually in the CVE data, right? There are a bunch of weird descriptions like that, because the CNAs provide the descriptions, and then who takes care of them after that? It's hard to update today. But this is one of those instances where, when you have a namespace, anyone can update anything, and it's in GitHub, so anyone can submit pull requests, anything. You can't touch these, though, because these are an automated process that pulls them in. They're read-only from our perspective, which is great, because there's no reason we shouldn't be able to pull data from other places, for example, and stick them in.

One last quick addition for this too is, this is where we can support multiple formats. So if you have a format that your company uses specifically, or whatever your project is using, you can put that in your own namespace, and folks can consume that knowing, because it's under a specific namespace, I know to expect this format.

Yep. Yep, exactly. And in fact this is like that. So the terrible GSD format I made up, there's also an OSV token you see, I think this has... there's GSD up there.
There's also an OSV on the newer ones, because I rewrote my parser. But that's the OSV format. Anyone could submit a pull request to that. But then if you take the cve.org namespace, it's literally the cve.org JSON. If you take the nvd.nist.gov namespace, it's literally their JSON. And that's the intent. It is stupid to say everyone has to do it our way or else, right? There are many ways to do this kind of stuff. And so that's one of the things, and additionally we recognize that all of this will evolve as the community works on it. There's no single answer, but hopefully we'll converge on some good ideas. If I was in charge... sorry, if I was in charge, everything would be OSV because I love that format. Well, I love it today. In a couple months I might decide I don't like it. I don't know, I go back and forth on things all the time. But, you know, it's one of those things, it's a really cool project that's doing really cool stuff. All right, anything else?

Um, one of the things is being able to play with the data as well. So if we want to explore new data formats, put it under an experimental namespace, see if it works, try it out in practice. Works great? Doesn't? Kill it.

Yep, that's right. That's right. And it's kind of that whole open source model, right, like move fast and break things, sort of, where there's no reason we can't try crazy new things, and sometimes it works and sometimes it doesn't, and that's okay. Uh, right. Oh, "move fast and break things," look at that. So one of the other... well, you built this, you talk about this.

Uh, so I built the purple one. The purple one, very questionable UI. Uh, I am not a UI designer.
So if any of you can help with UI, please, absolutely. Um, so the idea is being able to support not just vulnerability researchers and the folks that are really into this, but also giving an easy-to-use public interface for being able to edit this. If you are a member of the press, or just somebody in the public, being able to go in and fix a typo or something like that should be quick and easy to support. Um, and then along those lines, also being quick and easy to create new IDs. So if you found something and it doesn't actually exist yet, go ahead and use the request form. And I guess you built the request form, do you want to talk about it?

I did build that. It's a very bent form. The only thing I will say I did is, you can't see it, but as you fill in details it starts filling the description out for you, which is, like, I'm not good at JavaScript, and that took me a really long time to do, so I'm very proud of it. But you can go to, what is it, request.globalsecuritydatabase.org? We probably have a link later, we can send it to you if you want. But literally anyone can request IDs, and that's the way it should be, right? It should be... What? Then we would defer to the CVE format, and the intent would be we would mark the GSD as basically an alias of the CVE, and then we'd just point right at that. Yeah, that's the intent. Yeah, Chris? We're not working with embargoes at all.
I don't want embargoes. Embargoes, I mean, we can... it's public, and we can argue philosophically about whether embargoes should exist or not, but from my perspective it's very expensive and hard to do. And here's the thing, the reason we don't care is because if you can get an ID in five seconds, just get the ID when you go public, right? That's kind of the intent there. The reason embargoes exist today, I think, is because the current system is too slow to accommodate something like that, right? So get an ID: hit publish, grab your ID, update your advisory, or just grab the ID, you know, the ten seconds before you publish or whatever. Absolutely not. It is public data. If the reporter doesn't contact a project, that's on them. I don't... is that... I mean, is that something that happens now, where there's any sort of verification that someone requesting an ID from a CNA contacted an upstream? I suspect there isn't. Yeah, well, if the CNA is responsible, sure. Yeah, uh, yes. Sure, sure, sure, right, right, okay.

One quick addition for that too is, this is where, with namespaces, you could filter. Say you only want to look at the GitHub Security Advisories and NVD, or whatever combination of data you want to look at, you can limit it to the specific subsets. Because the focus is having machine-readable data.

So, yeah, that's right. Also, no humans. Humans are bad at everything, right?
We also have multiple ways to request IDs. So one of the things we do is we work with the Linux kernel, and this is where we kind of explain where we start getting fundamentally different from the way a lot of this happens today. So the Linux kernel: Sasha Levin, who works... he's the stable branch maintainer for the Linux kernel, and he has an ML job that he runs against the kernel tree before release, and it looks for commits that are potentially security relevant. Right now, as security practitioners, we probably hear something like that and we cringe, because this is... anything that has the word "security" in it is probably going to get tagged, even if it's a documentation update, whatever. We don't care. And so Sasha sends, I think on this picture, I can't see my little screen, I've got... yeah, 1,562 IDs were requested by them in one go for one kernel release, right? That's a lot. But it's not meant to be individual IDs we obsess over. I think we exist in this security vulnerability space today where we have an intense focus on singular IDs, versus having a more aggregated view of things and saying this version of this project has this many potentially security-relevant commits, right? Which is a different way to think about all of this. And so this data isn't meant to be... if you want to obsess over singular commits, that's what CVE does, you go work with them, that's where you do this. What we want is to have a broader view, where you can think of it more like a heat map, right, where you've got different versions having different security-relevant commits. And my example of this is, if you search on GitHub for "buffer overflow" in double quotes in the little search box, you get nine million issues in GitHub. There are 200,000 CVEs since the beginning of time. So think about that. Now, all nine million aren't security bugs, that's easy to say, but how many of them are, right? Is it a million? Is it hundreds of thousands?
We have no idea. And so this is one of those places where we want to start being able to do interesting automation, and start capturing more of this data and having good ways to filter it out. And this is again where some of the ideas behind namespacing and machine readability come into play, because depending upon your risk profile, depending upon your use case, you might want to say, like, I don't care about these crazy kernel issues, they don't affect me, it's not something important. What's that? Sorry, no, jumping... I talk a lot.

Just trying to keep us on time. So I guess we can move on to the next one, which is talking about quantity versus quality.

Yeah. Yeah, definitely. Thank you, what you're getting into. No, go for it. Please, please.

So, yeah, we can't be overly rigid. We have to support both the large-quantity data, where we're not necessarily sure that it's accurate, versus, we want only the things that don't have false positives, because it's going to waste a lot of our time if we have anything that flags. And then also lots of different personas.
So it's not just the developers, not just the security researchers, but the press as well, people that are making these tools for automation. I guess, anything you wanted to...

I mean, I have a great story for this, actually. There was, at Elastic, there was an NVD result that had the version wrong. It was something like, it affected version two to 3.0.13 or something like that, and they marked it as version 3.13, right, in NVD. So I go to NVD and I send an email and I'm like, hey, you got this CPE wrong. And they're like, oh, that's because the description in the CVE is wrong, you have to go fix the CVE. And I'm like, all right, fine. So I go to MITRE's form, I type it in, I explain what's wrong. Then they come back to me a couple days later and say, oh, you have to talk to the CNA to get this fixed. And I'm like... So you know what I did? I went on Twitter and I complained, and then the CNA fixed it because they saw me on Twitter complaining. Like, no. Don't do that. So anyway, that's kind of the point, right? There are these different aspects to this. And this is where I put up there CISA's Known Exploited Vulnerabilities catalog, if any of you have seen that. This is where CISA has a list of vulnerabilities they know beyond a reasonable doubt are being exploited, right? It's a small list, it's well curated. We know that list is extremely high quality. But we also know CISA can't do that for millions of issues. Let's hope there aren't millions of issues being actively exploited, but you know what I mean. That's a good example of, that is a very specific use case for very specific data, and that's an instance where we can obsess over individual things. But now, at the same time, we've got Jonathan Leitschuh in the back with the cool hat. He filed, what, 6,000? Right, thousands of pull requests for vulnerabilities.
Right, like that's an instance where you have a lot of data, and so you're not going to look at it in the context of it being very high quality, looking at each one individually, but rather we're going to look at that in the aggregate and say, what are all these issues Jonathan filed, what does that look like? Right? And so they're just very different use cases, but today they have to live in the same place, and I think that's problematic, and I think none of us would disagree with that. Anything else? I guess one last thing to add to that: one of the reasons we call out the press is, for example, Log4Shell, really huge. But if you remember, the press have really tight deadlines; having a prose description that actually explains in layman's terms what this thing is, that's something we can support with a more flexible data format with the GSD. Totally. All right, we're almost done, we're almost done. This is it. All right, what now? Right, we need help. It's an open source project. We want anyone who can help us to come help us, because we think this is important and we think it matters. We've gotten a handful of folks who work on this now; I recognize a couple of you in the crowd. We have meetings, we have GitHub repos, we have a mailing list.
We have this thing called Circle that the CSA likes to use; it's kind of like an online mailing list thing. But fundamentally, our intent isn't to have meetings and get nothing done. Our intent is to run an open source project, and an open source project where the people who do the work make the decisions. Right, like that's just how it works. So, I mean, come help, please. That's basically the whole point of why we're up here, and we want people to help us. We're literally here begging everyone to help us out. Anything else? Yeah, I guess, like we're saying, we want to put into practice what is needed rather than trying to theory-craft this. So come help us figure out what it is that is actually needed and implement that. And we're going to screw up a lot. We're going to make mistakes, and that's okay. Like, that's the point, right? We want to try things. Jonathan? I mean, no, that's a great question. His question is, what do we do about bad actors? What if someone shows up and generates thousands and thousands of issues? I mean, that's certainly a possibility. So the way we do it today (I'm not going to zoom back): you have to have a GitHub login to interact, right? The web forms make you log in with GitHub, or you submit pull requests via GitHub. And so because of that GitHub ID we can obviously identify who the people are, because you're going to have the same ID, and I think generating lots of GitHub IDs is... I'm not going to say it's impossible, but that's a pretty high bar. So fundamentally, if someone with a certain username is basically spamming the system, we'll ban them and we'll just delete all their stuff. You know, it's GitHub.
It's easy to do that. Yes, and the gentleman here said, you know, you can look at the age of GitHub IDs and things like that. Yeah, definitely, like if there's an ID that's five minutes old and just submitted a pull request with 7,000 IDs or whatever, like no, that's not gonna fly. Yeah, and to kind of hammer home the namespace system too: this is where, if you are concerned about having bad actors like that, then you can consume just the other vulnerability databases that are within GSD and just ignore all the random researchers where you don't necessarily know the quality or trust levels. And part of it too is, we're gonna figure this out as we go. I mean, how does the Linux kernel avoid people spamming it, right? They seem to have done a pretty good job. Most open source projects do, but not all. So anyway, do we have any time for questions? Oh, we've got it. Well, there's a break after this, so I'm happy to hang out and answer questions as long as any of you want. Does anyone... I don't know if there are any other virtual questions. Does someone have access to that?
Okay, great, great, great. Any other questions? All right. Absolutely, okay, so the question was, is there room for capturing some of the nuance for disputes? The example being there are instances where vendors, we'll say, are less than honest; there are instances where you might have a researcher pushing an agenda. There are many, many things we've seen in the space, and this is the whole point; this is why we came up with the namespaces, literally for this reason. Because how many of us have read the stories where a researcher reports something and the vendor says, "Oh, that's low, that doesn't count, that's no big deal," and then the researcher publishes information and all of a sudden everything lights on fire, because it turned out it actually was quite serious. And this is one of those instances where, if a researcher has a namespace and a vendor has a namespace, they can both add their data, and then as consumers of the data we can make decisions about what we're going to do about this. Like, for example, if one vendor says "not an issue" and a researcher I trust says it is an issue, I might be more inclined to lean on that researcher's commentary in that instance. But yeah, that's a great question. All right, I'm going to pick on Alan next because he had his hand up, and then we'll come around. Yeah, so Alan's question was basically: there's, we'll say, not a lot of nuance today in the vulnerability data, so how do we go from what we have today to where we want to go? And I would argue, I mean, this is why we made it compatible with CVE, because I think CVE is solving the problems of today, no questions asked. But then, because of that compatibility, there's no reason that needs to drastically change as we migrate ourselves into the future. And that's kind of the intent of that. I knew you had a question, sir.
Yeah. So, discourse: explain what you mean by discourse. Ah, so let me repeat the question to make sure I understand this. So the question was basically, let's say there is an identifier in the system and you want to add metadata to it. What does that look like? So today it looks like a pull request, where you could edit the top-level GSD section. You can't edit the CVE or the NVD section, because there's an automated process that'll override any changes you might make, so we reject those. Or you could add your own namespace and do whatever you want. Like, you could decide, "I'm going to rewrite every description as haiku," and that's fine, like, great, I have no problem with that. We can argue the necessity of it. And so that's the long term: we want to have nice tooling where, you know, you can open a form, look at something, "Oh, there's a typo here, I'm going to fix this typo," and then hit submit. And then how that all works out, we don't know yet, and part of it is building this because we don't have all the answers today, and I'm happy to acknowledge that. So I think that's all the time that we have. Are they giving us the hook? They did. Yeah, I mean, it's break time now; if anyone wants to hang out and chat more, I'd love that. That's great. And if not, like, we're here for the year. Are we done? You can just turn us off, that's fine. Yeah. Please. Ah, so the online question was: can anyone submit any request to any namespace, or are the GitHub IDs associated with the namespace? We do not have an answer to that question right now. We argue it back and forth every possible way you can imagine. I would say, today, humans are approving the pull requests.
So if you try doing something silly, it's not going to be approved. But if you edit another namespace that isn't a read-only namespace, with something like a typo, like changing an "a" to an "an," I suspect that would make it through. But again, this is also where part of the goal of this is to build a community and start asking these kinds of questions and coming up with plausible answers for how this should work. Anything else? So here, I'll put this slide up for anyone. So there's a shortener thingy here, gsd-quick-links. Ah, that's really bright. And if you want, just hassle me and I can give it to you too. We could put it on Twitter or something, maybe. But that has links to all the things we've talked about; they're all there. And yeah, there's also a Slack, which is very new, and very few people are in it. That's part of the CSA, which required me convincing Kurt that he has to open the Slack up to everybody. And I did it. I wore him down. We have it now. I persevered. So yeah, consider this an announcement: you can join the Slack. All right, anything else? All right, let's end this, but come chat. All right. I can touch this now and hopefully not ruin anything. I'll be terrified. That's gonna turn off. That's right. Hello. Never come back on.