In the realm of open-source packages, it’s sometimes easier for an attacker to find many less-sophisticated 0-days that affect many packages, rather than spending weeks or months to find a single hard-core 0-day vulnerability. In this talk, I’ll walk you through the processes we built for that.