From YouTube: Alpha Omega Project Public Meeting (September 7, 2022)
A: Well, welcome everybody to the September 7th Alpha Omega public meeting. Wait.

A: We don't really have too much in the way of new content to talk about today, because we're saving it all for next week's event in Dublin for OpenSSF Day, so I hope, if you are not there, you'll at least be there virtually. It'll be on YouTube afterwards, and we hope the announcements we have to make then are as...

A: We think they are, so yeah.

A: Yeah, yeah, it is good, yeah. So, agenda, yeah, that's what we're gonna talk about, so the level set just for... Has anybody... let's see, right, I see a few names that might not be super familiar with Alpha Omega, so the super high level purpose of this, of Alpha Omega, entirely is to protect society by making sure that the open source that we all use is secure, but we do this directly, by directly...

A: You know, analyzing open source projects, working with maintainers, working with foundations and organizations that care and feed, for, you know, critical open source projects. We're essentially putting money into solving the problem, which is, Michael likes to say, it is turning...

A: On the alpha side, this means scaled, you know, impact. This is why we work with foundations and larger organizations. We target the most critical projects out there because we feel like, given a fixed amount of funding, we can do the most good by applying it judiciously in the right spots.

A: It is still an experiment; we're not really sure exactly what we're doing, you know. So, you know, particularly, I think we've had some success already here, but we're trying to figure out what the right places to apply funding are and what kind of engagement models really work. So I think you'll continue to hear us saying the word experiment lots of times, which is, you know, we're trying things out and seeing what happens.

A: Alpha is on the, you know, small number of most critical projects, e.g., like 100-ish. Omega is: let's scan the top, say, 10,000, using tools and automated... sorry, automated tools and expert triage. And expert triage is really important to find critical vulnerabilities and get them fixed.

A: So this is your team. This is our team, so Michael and I. We're joined recently by Anna from Citi, who is being supported by Citi on, I hope, a very long-term engagement, but it'll... on the PM side. Of course we have Brian, and then all the wonderful support staff at Linux Foundation and OpenSSF that help us do what we do.

A: So I think this is my last slide: at a glance. On the alpha side, we have three active engagements right now. Node started, and Rafael, so awesome you're here. I don't want to put you on the spot. If you would like to talk about anything that's going on with Node, you are more than welcome to. If not, that's cool too, but, you know, I'm sure everybody would love to hear about any of that stuff.
E: Okay, so yeah, actually I'm in the middle of releasing Node.js. So sometimes my voice will freeze, because compiling Node.js uses 100% of my CPU, and then, you know, so. Basically, what we are doing in Node.js, at the security side, is like everything through the security working group; we have several good initiatives there. The big one is the one that I'm leading, that is the permission system, the permission model.

E: It will enable users to restrict access to specific resources. Currently, we are in the middle of a good refactor, moving towards a better UX, because the initial proposal was basically, okay: if I want to deny access to a specific resource, I will send it in the CLI, but this is not security first, right? The best way to solve it is like: I will restrict access to everything and only allow access to specific resources, specific operations.

E: We are evaluating a few flags, a few approaches, to use the security-first approach but also not break everyone, and to use that approach we probably actually... and working in every piece of Node.js, because it is also Node.js. We need to also reflect that information, and there are many, many ways to bypass the security that I need to handle. You know, so that's it. Basically the permission system, and we are currently creating a threat model document, which is very important because recently we are receiving a lot of HackerOne reports, and some of them are like: designed by Node.js, is expected, is not a security vulnerability, but it is not documented anywhere, so the security researchers can't find it easily. So we are creating a document that will say to developers and security researchers what can and cannot be considered a vulnerability in Node.js.
B: That is really cool, looking forward to it. Rafael, did you just say that you're building the next release of Node on your laptop? Is it like, are our official Node builds coming from your laptop? And I say there's nothing but love and empathy for all the hell that this represents, but I'm actively curious now.

E: Actually, I will release 18.9, that aims to be released today, but the proposal got some... the CI is breaking, and currently I'm getting the second... all the commits, of the 93 commits, and finding the evil commit, and then I will drop it and make the proposal again and build everything and check if that's correct, and then send it to the CI, because the CI takes too long, and check other stuff, you know.

B: Makes perfect sense, thanks for sharing that as well; always interesting to hear how people pull things together. Okay.
A: Awesome, thank you. So yeah, it's awesome that Rafael you could be here, and in the future I'm hoping to get folks from Python, Eclipse to kind of similarly give, you know, kind of quick updates on Wednesday, but also build that connection. So, if you, you know, now you know, like, who's actually doing the work that we're sponsoring.

A: So we do have a couple engagements that, you know, we expect to be announced shortly. I really want to tell you about them, but we'll wait until next week. On the Omega side, I think it was two weeks ago or so, we released the Omega Analyzer.

A: So this is the toolkit that we put together to basically orchestrate a bunch of static analysis tools, run it against a package, and gather and, you know, summarize the results and all that. The Omega Tracer, this is called Tracer, from a couple weeks before that; that one we're still trying to figure out what we really want to do with.

A: But it was just, you know, for that one, it was for Ubuntu packages specifically: when you install it, like what actually happens when you... sorry, not when you install, when you run a program. So you run Node or Python or, you know, ls or something, what system calls are actually generated during that, and then you can kind of query that and search it later on.

A: We have found some vulnerabilities; I think we're up to 10 that we found, and I think five are fixed. And we published, and this is going back a couple months, we published about 90 or so automated security reviews. So these are npm packages that we ran all the tools against, found nothing, and therefore there was really nothing to triage, and therefore we bundled that up and said that, in a caveated way, it's safe, because the tool said it had nothing to say about them.

B: We had one question on the chat already somewhere for the Omega Tracer. Yeah, I will, and Michael, you can stop presenting them. We can just get like child view easily on the perfect look.

A: So what do you guys think? So I guess to kind of throw some question feed out there, like a question like: what should we be focused on? What should we do next? Is there a critical open source project that you're like, yeah, Node and Python and Eclipse are important, but this other thing is like way more important? Why?
B: Yeah, I think we haven't hired anybody yet; we have definitely a few people in the pipeline that we're pretty keen about. So we're still, you know... I am constantly reminded that even, not my day job but my other day job, hiring takes up 120% of the time and the pipeline is hard. So, Jonathan, if you're volunteering, we very well, we accept, come on in. The pay is dubious, the long-term career prospects are challenging, but the work is highly valued. Yeah, and great people.

B: Thanks, yeah. One of the... so a question for the group, since nobody has any questions, also asking questions.

B: You know, we've largely been looking at major points of leverage right now through the foundations, in part, actually, to sort of get back to Jonathan's question, because of their ability to turn that money into people doing work. They had people on tap who, where they could add, they could hire somebody. You know, we worked with the Eclipse people; they had somebody. They were basically ready to make that person be a full-time person on that role, and so there was a shovel-ready aspect to that.

B: That's been a key driver to what we're doing. We don't just want to be moving money around from one foundation to the other and having it sit around waiting to be used.

B: We've had a couple of conversations with other industry associations where the list of top projects for a particular industry segment is different than what you'd have as the top list, and we're thinking about, you know, working with those associations to fund and drive changes in a more focused way, and I'd love to hear what people think about that.
F: Yeah, so I think that it could be very interesting to have, for instance, Alpha Omega working group type things that are focused on verticals, so, for instance, the verticals that will have the largest impact to the world at large, like financial, power infrastructure, things like that. I'm wondering, and I'm sensitive to the fact that you're in an awkward position because you're going to have big announcements next week.

F: Maybe some of this is already in flight, you can't talk about it, I don't know, but what sort of verticals are you specifically considering right now? What's on your short list, I guess.

B: So you mentioned financial services. That is definitely on my list.

B: So I think that healthcare, like, oh, the thing I worry about the most on healthcare, actually, is that it wanders very quickly into that messy space of IoT, where the S is for security, and, you know, I don't think we actually know enough how to solve that problem space, and, you know, I want to make sure we stay focused on things that are tractable. And so, like, I'd love to help fix healthcare; I don't know that it's actionable right now, whereas I feel like financial services I understand a bit better. I don't know anything about the power space and utility space. That would be an interesting... well, I don't know how much open source there is in those verticals. I...

F: Name like that, right, or LF Energy. I think it could be interesting for the Alpha Omega team to poll your respective companies that have very large areas that they work in.

F: We were to focus on one of these areas we're less familiar with, like IoT writ large, and then focus smaller on IoT and automotive, IoT and healthcare, IoT and satellites, IoT and...

F: That's going to be really, you know: financial services, whatever; everyone's talking about financial services because there's, for some reason, a lot of money in it. So we focus on the love, but there's... but you're also gonna have the power, and, you know, automotive, and...
H: Hey, yeah, so just to give you a quick update on another discussion that we're having on the side. So Michael had this idea of, like, bringing in the open microscope, that I have this idea of bringing in the open source maintainers and basically, like, having a dialogue with them. So a few of us are trying to coordinate a virtual event sometime in the near future on that specific thing.

H: So we had our first meeting yesterday, and we were discussing what's the scope, like who would be the attendees, and one of the things that we... the obvious thing was we can focus on different programming languages, because people who develop in certain programming languages have specific concerns. But then we were also looking into the tiers, like what are the top projects in the started programming language. But then we also want to be representative of the different tiers, like the tier 0, 1, 2, 3 that are being identified by other open source things.

H: We also were discussing the verticals, so that's, I mean, and I think, like, there may be, maybe not on the first one. But if we, like, plan to have this thing in the, you know, like... we create a model where this can be executed in a regular fashion, then it might be actually judicious to have a subsequent one where we can focus on a specific area like healthcare, and know about the pain points. I mean, personally, I'm curious to find out. I mean, to me bugs are bugs, but are there specific bugs that are of specific concern for healthcare that are not necessarily a concern for financial or otherwise?
B: I get to your last point: I think it's less about bugs and more about packages, right? So, like, everything has bugs, as you correctly point out, right? The source code has bugs, and so there are generic scanning tools that can find things at scale, and that's what Omega needs to find, right? Yes, this is more about an alpha-level engagement. We can go in, we can say, and this is where it gets interesting, right?

B: Is it... you're talking about the language ecosystem, so the package ecosystems, those represent super broad leverage points of engagement where we can go off and generally toughen up and harden their infrastructure or their solution spaces in some powerful ways. When you wander into the verticals, you then end up with a menu of packages, and so then it's a question of, like, building an engagement with, you know, a small set, or maybe even getting these folks together in a room and saying, hey, you've just been identified as a lucky prize contestant on the Bug Is Right competition. Now we're going to have a conversation. How can we help you? How can we collectively pull things like that together? Because, you know, these projects, typically the maintainers are already feeling pretty overloaded with everybody else telling them what to do as it is. How do we build an engagement there that makes them feel supported, actually helps improve things?
A: I think there's another dimension here, which is the areas that we're focused on right now are clearly in the open source domain. Like, there's, you know, it's just open source. As you go into, let's say, healthcare, how much open... like, what's the Venn diagram of, kind of, all of healthcare software? How much of that is commercial? How much of that is actually true open source, and can we, do we want to lean into the edges of the open source Venn diagram there? I don't know the answer; maybe it's all open source and I'm just ignorant of it, but I think that that's...

F: Well, even if they are, you know, that is their business, selling this thing; that thing runs software, that software runs open source. It just does, right? And so they should, she says intentionally judgmentally, be concerned about the security of their devices, if only from a monetary, business model point of view. So whether they're willing to go on the record and say, yes, we are having conversations with Alpha Omega and the Michaels around the software that we run...

F: They should certainly be willing to have conversations with you, if there is an organization that's going to be out there working to secure the software that they are using, and doing it not by using up their objects, right? So I think that's something that they should at least be having conversations about and being able to say: hi, I'm from Google, we want to talk to you; hi, I'm from Microsoft, we want to talk to you.
B: Naming names, right, either in a vertical or members of the vertical, right. These large organizations that consume large amounts of open source have a default policy of: let's not tell the world what we use, because that's just painting a target on our back, right. It's not even unreasonable; it's entirely rational thinking. But having an aggregator of some industry association or a working group or whatever... so imagine if, let's say that there is nobody stepping up from, I'll pick one, automotive IoT, great.

B: If there was a sub-working group of automotive IoT folks, start identifying what the common things were, because we got members from various places that do something like that, right. You know, we now have an anecdotally relevant set of things to go off and think about and talk about, and we should start engaging with those in a way that allows the various vertical members and participants to still sort of not have a target painted on their back.
F: Yeah, I do a lot of work with FINOS, the Financial Services Open Source Foundation, including leading their Open Source Readiness working group. Even in a Chatham House Rules, completely non-recorded sort of situation, we have a very difficult time getting people to talk about what they're running and how. So I'm very aware of and sympathetic to the challenges that you will have there, but I think you totally nailed it: going to them, meeting them where they are, in their space, where they feel most comfortable, rather than asking them to come to you; that's going to get you the best results. And even if it's just an exploratory conversation, I think that can be really helpful for Alpha Omega, to figure out what its priorities will be going forward as it starts to, you know, really...
B: Yep, so, Vicky, I take two things out of this. One is you're right that we should talk to our own internal vertical folks, who are probably connected into various places, and start seeing what they have to say. I like that one; we will take an action on that. And I think we're reasonably well connected to the financial services verticals already, not actually through FINOS, but there are at least... because, you know, there's always at least one or two of these organizations.

B: We can certainly engage with both. If anybody on this call, or you know of somebody who has a meaningful presence in some other industry vertical, ISAC or whatever, we would love intros, right. We'd be happy to have these conversations and start teeing those up, and, as you say, I think it's like just showing up and having a conversation and getting to know them, instead of... building trust one day at a time. It'll take time to do that, so let's get that long call started now.
F: Yeah, that's... I don't currently have those contacts, but I may have some externally, and just you...

F: With it, but I do know that Wipro has a number of people who are embedded in those spaces. Eric may have more information on that; he's been at Wipro far longer than I have and has a lot more contacts across the organization to know, you know, where they're focusing.

F: Have a very strong healthcare practice, and so we will have a number of people who can have some...

B: And the offer doesn't have... the offer does not expire, so we're, you know, we're keen to do. No.

B: That, or what would be the term you'd use, like aggressive non-compliance, and with apologies to anybody who works in the insurance industry, which I'm sure is its own set of challenges and so on, right, but wow. That is what a web we have tangled, we've...
B: All right, well, that was a productive conversation; appreciate it, always open for more on that. Any other topics of thought? And again, just encouraging people to be as provocative or entertaining as you choose.

B: Unsurprisingly, the top-end projects have relatively few sort of zero days lying around waiting for somebody to fix them, and have a fair amount of attention on them. And so is this one of those things where it's not the fat head or the long tail, but the sort of medium torso, where, you know, should we move down the list and find the second 100 most important projects that are probably not quite getting the star attention that the others are? Is there a phenomenon there of, like, one of the top things, then all the attention is there, but it turns out that it's not the super obscure package in the xkcd diagram, but it's something sort of somewhere in the middle that everybody kind of uses and nobody pays much attention to, right?
F: Of security testing, could you pick a random hundred further down the step, run the script, see what happens, right? I mean, I...

B: Think we do that; we kind of do that already. That's what Omega is; it's about automation at scale. What I'm talking about is a more alpha-like engagement, which right now, you know, given that we don't have a full-time security researcher, involves us saying: hey, if we gave you money, how would you turn that money into security for your foundation, project or whatever? And usually the answer has been pretty crisp, like: we'll do this, this and this.

B: That would say, oh well, we would hire somebody to do, like, these three things, to go off and do security on this project, fix our build infrastructure because, damn, and, you know, then go off and, like, sponsor a whole bunch of bug fixes that we have that are holding us back or whatever. And, you know, I'm just imagining what a sort of per-project engagement might look like, where it's not quite the foundation; they don't have all the sort of infrastructure and resources around it.

B: So, you know, again, I'm just speculating as to what it might look like when we start playing down at this level, and it's in many ways connected back to the verticals, because once we get to the verticals, the action is going to tend to play out more in terms of an individual project and a group of, you know, loosely coupled maintainers, rather than a foundation and hiring infrastructure.
F: And I think that that's a really interesting question, but there's a meta question even before that, which is locating those things, right. You talked about the fat head and the skinny tail, and, you know, what's in the middle, and that's kind of where I was going with my thoughts, like how can you identify things in that middle? And so what if you were to take, like, a hundred from the middle? Not at the very start, not at the very end; pick it.

A: What I'm hearing about this is like a risk score, which is different than a criticality score, and maybe the risk score is criticality times scorecard times dependency, yeah, and then some sort of a function. Usually you throw these things in a pot, you stew it around for a while and you get a number, and then you kind of see, on the scale of most critical to, you know, 100,000 out, whether that graph looks like this, or it's just kind of randomly choppy, or there is actually a bubble kind of in the middle.
B: This is where the interesting problem is, right. Right now, all of the actual work that gets done in Alpha Omega that isn't making deals, logistically speaking, and generally wasting hot air, right, is Michael, the other Michael, you know, and we're about to buy Michael a spiffy new workstation laptop, because security... when I...

B: We got some conversations, right; there's an experiment to learn there, because we're going to want to have some muscle around what a per-project engagement looks like, either in terms of, like, us doing research on them or us giving them money or whatever, and then connecting this to sos.dev as well, where we start to promote, hey, project of the month, we'd love to see fixes and bugs and everything on this project of the month, and we do so with their willing consent, because the last thing anybody wants to do is to have a target pinned on their back without them.
F: A lot of this, you know, I was in the Vulnerability Disclosures working group call earlier today, and they're finishing up the CVD guide for researchers, essentially.

F: You've found something in an open source project. You have no idea what the heck to do with open source projects. Here's how you can approach it, right. Or: I'm somebody who uses open source, I found a bug, how can I... it's a security thing, how can I do the right thing, right? And so they're finishing that up, so it can be done for next week, like everyone else, yay, hurray, next week, all this stuff, but this is kind of even the step before that, right.

F: How do you... you haven't even found the project, the security bugs, yet, to disclose them? You just want to approach the project to say: hey, we're going to be doing this. We might put a target on your back. Let's work on this together, so I can be a shield and you don't actually get hit, right. How do you start that conversation? And that's something that I think, working with the Best Practices working group, once you collect some data, have them write it up, yeah, so it can then get publicized.

F: So more people can actually do the right thing in the right way, rather than doing, like, what is a Hacktoberfest: hey everybody, go out there and contribute.
B: From that, because, you know, obvious reasons, not at least we're just because he's compiling Node on his laptop right now.

E: Actually, I'm trying to set up Windows 2020, actually, a 2020 machine, to debug something very weird. So it's even worse, I guess.

B: Well, so, Randall, very much, like, with open arms. You know, if you don't mind starting a couple of those conversations, I'm literally just... ping us and say, yep, this would be a great place to start that conversation; we'll show up.

B: We'd enjoy it, we'd appreciate it. Let's not pick something where we're going to step into either a holy war factory or an existing holy war as our first type of...

I: I can also, can start it with Sam, who's like the most, the de facto leader of Gen 2, and at least I can put you guys in touch with him. He also runs security because he kind of runs everything. So at least we could start small, but him and John.

B: I was part of the npm best practice, this thing, just so you guys have a little bit of background, and I was talking to Fred and vegan, because npm was telling me you got to talk to these people because build tools are getting targeted, and they were like, no, we're doing everything React is doing, so we should be good.
A: If we have all of this data, wouldn't it be really cool, like... one of the holy grails I would like to see out of this is a predictive model of future vulnerabilities, because we have a lot of history and we can run this stuff over time and come up with, you know... I mean, this is kind of what ML is for, coming up with a way to predict, yeah, what is the likelihood that a given project in its current state will have a vulnerability of some, you know, time in the next year, and what the severity and all that would be, based on, you know, everything from static analysis over time to maintainers. So I don't know that there's... there may not actually be a signal there to find, but if there is a signal to find, I think it would be kind of interesting to find that.

G: But that's the same thing as the risk score, right? Like, if you know the risk score, then you pretty much know the likelihood that bugs are going to happen. Yes.

A: Right now, but actually we've been... every once in a while we get some academics coming into some of the working groups, and they're big; they want to help and they have projects that they'd like to lead. I wonder if that one would be one that we could kind of elevate and put out there in case anybody's interested, because it would be a pretty newsworthy thing of this, I think he meant of it.
B: I feel like the common infrastructure and tooling for essentially the workflows of vulnerability reporting, vulnerability management as a maintainer... like, there's a lot of industry tooling for finding the list of vulnerabilities that have been reported, after some software composition analysis of whatever your random stuff is in a container or VM or whatever.

B: But if you think about, you know, the life cycle of a world of researchers and individuals and people finding problems, potentially zero-day issues, and then a world of package maintainers having to consume reports, right, and everybody's essentially inventing their own ad hoc workflow for doing that, with varying degrees of security around it and varying degrees of, you know, transparency or visibility into the whole system that we could all leverage. And so I just keep coming back to this thought of, like, if we had common tooling, possibly just sitting on top of a GitHub repo, as it's, you know, on top of GitHub repos or any git repo as its backing store, but one that allowed sort of, you know, communication across these different players and roles in ways that were secure, that allowed you to have clarity around what you're sharing with whom, and possibly even generating useful aggregate metrics about just how much information is flowing throughout the whole ecosystem. This just feels like an opportunity that we have not tapped into yet, and I'd love to hear what people think.
A: GitHub issues are public, and so the whole "how do you privately disclose an issue" is still ad hoc. I mean, well, one model is to create your own repo and you create a security advisory, and then you give the other project access to it, so that you guys can kind of have a private comment stream, but it's a private project.

A: We've seen, and that's kind of unfortunate, the GitHub security advisories is very much about you, the project maintainer, having a place to do this stuff yourself, but that initial reporting... so I think another model that you could use is you open up a public issue to the maintainer and say: hey, I found a security issue, could you open up a draft?

A: How to get the issues in from... these issues that you found yourself, or is this stuff that folks from the outside...

E: I don't have admin permissions to that, people. I know what normally happens is that the reporter sends somehow an issue, or it might be a HackerOne report, I don't know, honestly, but what happens is that Matthew, one of the admin maintainers, invites me to that report and invites the reporter, so I can work in the project, apply my patch, and then the reporter can also review and test by themselves.

E: Basically, you know, when we receive a HackerOne report in Node.js, we apply the patch and say: okay, the patch is on the way and you just need to wait, and then that's it. But it might happen that in the next release the same bug happens, because we don't talk about something that the security researcher has an idea about. You know, for instance, the last Node.js security release missed that one line, and that line is what makes it vulnerable. The vulnerability is still active for some reason, yeah, and that's the lack of HackerOne, in my opinion, and I think the security advisory would solve that.
B: So I think, just sort of all speaking to, like, even just writing down what we think the right workflows are. I'm thinking about it from... the product manager in me just wants to have a clear sense of, like, requirements and workflows, and then recommended practices. We don't even need to be tooling to start, as long as we have: this is the playbook. Because right now everybody can evolve their own playbook, and it may seem really good to them in that context, but in the broader context of a lot of projects, a lot of people, a lot of, you know, consumers and publishers and finders and whatever, like that, it's messy, and instinctively it just feels like there's an opportunity here to do something interesting.

A: So is this what the Vulnerability Disclosures working group is working on?

A: I can actually respond to that. We actually try to specifically stay away from mentioning tooling, because as soon as we got into tooling, it turned into a huge discussion. So we specifically tried to stay away from tooling. Even... we've had examples in there, and then, yeah, it's just... it really does turn into all kinds of...
B: All right, well, we are approaching the end of our scheduled time. I'm gonna stop asking my own questions. Thanks everybody for coming today; it's always great to hear different points of view and perspectives. It helps us in so many ways; really appreciate it. Tell a friend, come to the next one, looking forward to more conversations, and watch this space for announcements next week.

B: I don't know about the recording. Let me see if I can... I have no way to stop the recording. Okay, then we're not gonna do that. I will... let me get the email address right for you, but why... oh, I missed an S, I think. Hang on one second, just gonna make sure I got it right.

D: Yeah, I've just... I've just been creating an account on the OpenSSF Slack, so I wonder if that'd be easier.

B: It's all made more complicated by the fact that I'm using an iPad for my Zoom calls, because my primary conflicting setup does not... all right, I see, all right, I'm pinging you the link directly here; you should have that.