From YouTube: Alpha Omega Project Public Meeting (April 6, 2022)
B
I've noticed the interesting case of you join. You join one of these meetings and, like, I joined like a half an hour early so that I didn't like miss it and it gives you the you.
A
Well, I think it's more to protect yourself, because if people just show up and they're being recorded and don't know it, they might do things they'd regret.
B
B
Oh, so you gotta have me just sitting there then.
A
Yes, now Zoom does this in general, but I think there's a mission to the madness. If you, if someone starts a meeting early and you set the meeting to record, that means that you'll get the recording.
A
A
A
A
G
People to-do lists from their inbox come.
A
I I have a to-do list, which is the things that people have complete repeatedly said are emergencies, and then I have the inbox inbox, I'm going to get to some day.
A
H
H
A
F
A
Thank you, I I am, I am trying, I am trying, and speaking of stuff to be done. It's actually past time, Michael Scovetta, I think the other Michael's not joining us today, he's on vacation. Okay, that's what I thought.
G
E
So, throw your throw thoughts, things in there with collaborative editing, all that, all that good stuff. We don't really have a like a lot of stuff to talk about. This is really just to get the conversation started, to kind of practice the public meeting. So this is the first one. So thank you all for being here. Certainly if you have any questions, if there are things that are either unclear or that you're like chomping at the bit, you really just want to know the answer to X.
E
We can do our best to answer, no guarantee that we'll have the have the right answer or an answer that won't change in the future, but we'll do our best to be, you know, transparent and open and all that stuff. So I would love to hear from from you all. Brian, obviously, you know we, you know the things you want to throw in, please do. We do have three open job reqs, so we are starting phone screens for each of the. I think we have.
H
E
That are that are in kind of the in the hopper. So I'm optimistic that, maybe overly optimistic, but I'm optimistic that we'll we'll land, you know, probably the lead PM role first, because we have the most.
E
Phone screens there, so so, let's.
E
So so we have all three three roles open. We have at least one phone screen in each one. I think the researcher one we have. No, we have it's. We we have the we have like four phone screens in lead PM and I think two in researcher and one in engineer or somewhere right around there. I think.
G
It's I think it was three in researcher and on engineer somebody applied for both and but but I'd say on the engineer side we could. We could use some more help, so we are we've been. I we've identified a couple of other places that we will put the job descriptions up on to try to also reach traditionally underrepresented candidates, we'll we'll keep kind of tweeting them out there.
G
We could use people's boosting those as well, because I'd say yeah we're still at a point where we'd like we'd like more candidates. From from that, so they've only been up for two weeks, I think, and so getting getting some more would be helpful, I think.
E
And certainly if you have, you know, your personal networks, like please forward them over, pointing to the job req, point them to Brian or me or Michael Windsor or we'll want to.
E
Yes, in the Alpha Omega landing page, I will post a link to it, actually I'll add the link on the AO page, not the OpenSSF.
I
E
They're they're in the Linux Foundation, like job page, has a jobs page but yeah. It's also fun.
B
Who is the employer officially, the Linux Foundation foundation? Yes, yes, does it follow the news that follow the new New York law that requires that the salary range get posted?
A
Yeah, I think, from a legal perspective, I think we're actually in CA, but the the ranges are posted anyway.
H
I was just gonna request, if y'all had any like great job boards that your organizations are using to source candidates, I'd love and to know we've got Liz. As Michael said, we're posting these in other other places to make sure that we're getting a nice good, diverse range of applicants. But it's been a minute since I've done engineering hires. So if there's a board that you like, please please share.
E
And this is also, I mean, we haven't restricted geography at all, so worldwide is the is the at least the initial, we'll have to figure out time zones, and you know things like that as we go forward. But it's you know. Geography, geography and for mode is well good.
A
Yeah, I do wonder how we'll handle that if for the PM role, but you know, but what Michael said is absolutely right, there's no location requirement.
C
G
All right, we could talk, we're not quite ready to announce our first Alpha engagement, but we're kind of getting getting the ducks in the road to be able to announce that it'll be support from us in the form of a financial commitment to resource somebody at a another.
G
Two different different service providers of the organization to help with security reviews, as well as some specific bug fixes and a project that is, is fairly high profile, fairly in need of those services, and so we're excited to get that out and we've started some conversations with some others as well. I don't even want to say which language ecosystem it's in, because then it would be kind of obvious who, but but we're gonna try, I think, with our first wave of Alpha engagements to cover multiple different language communities.
G
Think of it that way, I know, folks are very tribal, so we're obviously not gonna be able to cover all the major ones, but, but I think across those three we'll try to cover three different language ecosystems. The thing that's been front of mind for us, as we've talked about this, sorry to pivot away from the job thing, I felt like that was that was done, but we can return to that.
G
The thing that's been at least for for me in our conversations about about these kinds of engagements, is that we remain focused on capacity building. First, coming to these projects with, you know, very an open mind towards, well, tell us what you're doing and what would be helpful to you, not trying to dictate to them.
G
You know, you have to use these standards or or have a, you know, standard template for how these things happen, but to listen and and try to meet some immediate needs with an eye towards getting into a better spot long term. The second thing is, and like aligned with with that, is it's important for us not to to be perceived as being the security team of last resort for other people's open source projects, not to be the one who's in perpetuity funding the security team.
G
If we are funding stuff, something, somebody to be on the security team or to provide support for them, it should be about kind of demonstrating the value of it, maybe getting past a few hurdles for the the core team, but otherwise, hoping that, you know, we've kind of got this plate spinning on the top of a pole and now that the ecosystem that it serves can keep it spinning after after we got it started.
G
So so that's been on our mind as we're thinking about how to craft these engagements and actually very open to questions about that or ideas that you all might have about ways that we might structure those engagements or the the way that we spend money. Those kinds of engagements to to have to have maximum impact. On that.
E
G
Yeah and Michael feel free to fill in any details. I it'll be the resource for for nine months, potentially extendable, but but for nine months, two firms, one of which will be assistive to the security team, the other which will be working on high criticality security holes, both of whom have been a part of that language ecosystem in the past.
G
So it was kind of turnkey for us, which is which is good, but we'll still stay involved, monitoring progress on a monthly basis, and if we feel like, you know, the the funds aren't being spent well or the outcome isn't what we'd like to see, then we'll work with the open source project that we'd be funding this with to kind of go, is there a way to to change, perhaps change out those vendors or change the the expectations and the like?
G
But but it is with a commitment to to a certain dollar amount to spend with that project. We're not, we we wouldn't just show up and like turn the the valve off, we would just ask for it to continually be iterated, at least while we're doing this experiment, and I'd say that's probably the structure we'll do for the other, like the next two that we do as well.
E
And I would also expect that the next two might look very different operationally from what we do for the first one.
B
Quick question, quick comment, question: nine months is two disclosure cycles for any vulnerability, right, because everyone in 90 day disclosure timeline, plus you know a month to get spun up, right, is that, yes, that that is in line? So what what are these companies actually doing? Can you clarify a little more?
E
So this, trying to be careful here, vulnerability reports come in, yeah. A lot of these things come in, it takes them a lot, it's painful for them to triage. They don't have enough.
E
You know they don't have enough people, it's so assisting them number one to just like help pick up all the vulnerability reports that are on the floor and figure out what bucket to put them in and how to, you know, fix some of them and things like that, also improving the process so that that is more done more efficiently over time and they catch these things earlier. They catch it themselves. Things like that, so it's not as much about managing the vulnerability, any particular vulnerability as it comes in throughout the cycle.
E
It is about making the machinery of how the project works better, but it, I mean, so so it's a mixture of like the meta part as well as the on the ground, because they do have vulnerabilities today that need so.
G
B
E
E
A bit focused on one project, but but remember so purpose of Alpha is to give the project what they need. So in this particular instance, we think we're giving them what they need. They think that we're giving them what they need. That was that was the, yeah, how we came to this. For another project it may be completely different.
E
They may just need security training for their their kind of new contributors as they onboard and assistance in setting up CI/CD and it's in a code audit for this portion of their code base or whatever it is, and those things are all kind of on the menu of services that we think that we can that we could provide, but.
B
E
I'm trying I'm trying to be really. It would be so much so easy to just talk specifics. Next time we have this meeting, we will be talking specifics. Okay, cool! Thank you.
E
Oh yeah yeah, so we want to be super transparent, like once we get started. We really just don't want to pre-empt like press releases.
E
A
That's true about that, I think. First of all, we don't want to steal from press releases and also, while we're discussing some organizations, there's, you know, in some cases we need to have contracts where there's things signed and we can't announce things when that's actually not been agreed to. So I I know Michael wants to say more and he he will say more once he's left. What's the what's he's allowed to.
E
H
Yeah, I think I'll take a stab, and so, you know, to David's point, we don't have ink on paper yet so we don't want to spill, you know, anything, but you know once ink is on paper there there's a strong sort of collaboration.
H
I think that's going to be happening between our new lead program person for Alpha and the teams that will be brought on as contract support and, of course, the the maintainer teams of this particular project, and then the idea is that those groups will be reporting out on at least a monthly basis, perhaps more frequently.
E
And that's precisely why the lead PM role for Alpha Omega is so is so important, because right now we are, you know, folks like Brian and David and myself and Michael Windsor, like we're all like very much split between lots of different responsibilities and Alpha Omega is is an important one, but it is one of lots of important things. Having the lead PM like focus exclusively on Alpha Omega and like moving this project forward.
E
I'm super confident that this will, you know, accelerate our ability to to, you know, have a, you know, a cadence and a drum beat of these kind of new engagements and following up and measuring, and doing all the things that we know we need to do. So, you know, I'm I'm hoping that we're kind of at that, where we're approaching the inflection point, where we kind of can ramp up and and show the show the value of what what I think this can deliver.
I
So one of the questions, and Brian, and I, you and I talked about this, is a part of maybe the second step of this to to help these projects that are getting this support in in triaging their existing vulnerabilities also have the information necessary to assist users or consumers who have been exposed to the vulnerability remediate their issues themselves, so stage one is helping the projects, right, fix these issues.
G
Michael, do you want to take this first? I know you asked me but, and I'll give my take, but I think I think, as the original author of the the white paper, I I know you addressed this, yeah.
E
E
This isn't about things like that, but but whether or not, so if, let's just say, Log4j, so so, let's rewind, let's suppose that we were engaged with Apache when Log4j happened and, let's suppose they said help, you know we need assistance in like how to manage this process. It sounds like if that would be important enough for us to.
E
You know, lean in and help them where, where we could. Conceptually, though, like we want the projects, and I think Brian mentioned this, but we want the projects to build this muscle themselves, because if they rely on us for, you know, a secure security response function, that's not sustainable. They need to do this themselves. Now, maybe the first time, maybe their best practices. Maybe it's a unique event that it's it's worth investing in and just doing it, but I would say we want.
E
G
If, if you were to articulate a, which, which the best practices badge kind of does, but I think there's perhaps even more ways to think of like a level of maturity kind of model to describe where an open source project is with its security practices. I I, you know, most of them are kind of, you know, in tread-water mode. You know, yes, they're able to respond to to notices that come in and push out a release, but but it strains them, right.
G
You know security scans and are are like at the top of that chart, right, and I think it's going to make sense for us to to think of Alpha as operating and and showing what is possible with organizations that are a couple different places in that spectrum rather than exclusively at one, but where our our hope is that our impact could be a year out in helping that project get from a lower point to a higher point, right.
G
I think our first intervention will probably be was with an organization that's lower on that chart than most and is in more need a kind of more immediate help, with a hope that it gets them to above the tread-water stage, but even if we just get them to like being able to keep up with with the things that come in, I think that's still going to be a win in all cases.
G
It's going to be, you know, no one feels like they have enough resources in their security teams, and I I I and I think I think the needs of the end users are something that finally get met once you're able to, for example, guarantee that all your projects have passed.
G
I
F
May I jump in, I think we've finished that one, so you mentioned, Michael, that in our next call we will be having these, you'll be able to be more open, and I look forward to hearing more about that and seeing how these things progress. My question is, because I do have one, it's not simply a comment, so my question is to confirm that the frequency, the cadence of these calls, is it monthly at this same that time same that channel or are there different frequencies?
E
I think right now draw your gen. I I think we did schedule this to be monthly, recurring bad times in a channel. If this time is no good, we can change it. Like you know, it's just a calendar invite but yeah. We we do want there to be a public, public meaning you don't have to be a member of OpenSSF. It's everything, everything's open and transparent at a regular cadence.
E
G
I told Michael, like my frame for this at least was that this is like open office hours, right, or you know, meet us, we'll talk about what's on our front plate, listen to all of y'all, but this is also something that can complement the Alpha Omega Slack channel as well. So both Michael and I monitor that, I I and you know we don't always post things that are still in flight there.
G
You know, but we would, if we wanted, you know, to really especially seek and put on something we were doing, so that that to us between the Slack channel and this are kind of, there's just, there's some people who prefer to engage in a conversation like this, and I certainly feel more comfortable being a little ambiguous about things in a context like this than I do on Slack. Does that make sense?
F
Anyway, yeah it's a way. I just want to make sure I was remembering correctly because my, I do have a mind like a steel sieve, and I just want to confirm that it was something that I can look forward to every month, seeing your happy smiling faces.
I
So also for for Michael or or whomever, there's a short, it looks like there's a very short period of time until the next presentation to the White House executives, and there you mentioned this, this new project called Moonshot, of which I'm assuming AO will be a part. Is there some initial thinking there you're, like the bleeding edge.
G
Yeah again again trying to figure out kind of just balancing all sorts of things, and I apologize for the vacuum and in the back, if that's, if that's annoying, but finding more resources for Alpha Omega is something we are eager to do, active to do. Right now, the only model is really to come in as a peer to the contribution made by Google and Microsoft.
G
But this, my hope is that if we successfully do a few pilots here, we'll show that we can be an efficient way to turn additional funds from whatever source into measurable step function improvements in these other open source projects, and so in thinking about some of the the the larger kind of either funding opportunities or organizations of funding that we can apply to improving open source security.
G
G
Also we aren't trying to base either Alpha Omega or OpenSSF on government grant funding, government grants. We will opportunistically go for them where, where they're available, haven't yet applied to any of them in particular. What we are trying to do is get government to realize that they have a role to play in, yeah, and and not just in raising the flag, as they did in December around Log4j and hosting that conversation in January, but actually putting real resources in, and there are a couple of signs of that in the the budget that was just submitted last week.
G
For example, it resources a couple of tens of millions actually through DHS and S&T, but that's just the US government, there's there's you know and and that's that's a nice amount and we'll see what what happens with that. But I don't have any expectation that comes to us in in a in a direct form, but we'll see where that goes over time. We're just we're not set up, and we won't do government lobbying for funds, if that makes sense.
I
Yeah, and it was less about, the question was less about funding. Just the more about the timing of this. I mean it's, it's essentially four and a half weeks away, right, before that that next presentation, and trying to get an understanding of how AO will fit into this this project was was the ques was my question more anything else.
E
I I don't think any of us are, we're all aware of that, and those conversations will like will be discussed like yeah, where I yeah sorry, I I don't know how to answer that any better than Brian, like.
G
That's the yeah, Andrea, I'll follow up separately with you on that. Let's see, Alex, did you have your hand up? Oh sorry, David.
A
G
A
It's not, you know, its presence and its activities are not dependent on that at all. I mean it's great that the US government and other governments are noticing the stuff that we've been raising and I've been concerned about for some time. I don't, I certainly don't think there's any opposition of working. I mean, I think we want to work with anybody who wants to work on solving that problem, but I think we're we're just we're marching forward and those who want to join and help, that's great.
F
And that it is marching forward I and that you know there are these job postings and everything is very, very highly actively moving. That's going to be a very strong story to be able to tell at any sort of meeting from here on out really, so White House or otherwise. So I think there's, it really shows not only a lot of initiative, but a lot of planning and a lot of thought and I think that's going to be very, very powerful.
C
Yeah and one day I noticed that is that they helped the the announcement from White House and those meetings really helped the other people that doesn't have a focus on openness to staff or security understand the importance of it. So I was wondering if there's some other government body like the EU or any other, you know, google governments can help get those attentions too, right.
G
Yeah, you know, we've had conversations with folks in the Japanese government at MITI, in the Singapore government, though I don't think we've found really the right folks, there's the Open Forum Europe organization as well, who we've spoken at and and seem to be pretty well connected into at least the French government's digital policy making. So there's there's these opening threads to these and as well. I think even even in the Chinese government, there'll be some interest in in this as well.
G
They're listening, we've presented kind of what we're working on and where government funding could start to be applied. Right now, most of these governments are just getting excited about setting up an OSPO, which seems almost like takes in in in proper engagement in this stuff, but, and we know that, you know, I'll turn the the tables back around somewhat to Wipro.
G
You know some of you are engaged in conversations with OSPOs out there as well that we'd like to get engaged in with governments about OSPOs, so yeah we're we're trying to raise the the flag for it, but there's no way we're gonna be able to coordinate all the government, you know, even even more than one government at a time to do a joint funding on something unless we're tapping into some other process that's already underway.
G
So we kind of need to be flexible on that front, and that's that's that's constantly what we're thinking about, but there might be other some other allies too. Aspen Institute, we've recently reached out to, they've got a cyber security kind of like working group with people like Chris Krebs on it, which seems really powerful, and the Atlantic Council and Plaintext Group, which is part of the Schmidt foundation.
G
Both both of these are DC think tanks, we're also thinking about this as a public policy issue and have their own connections. Oh and finally, OpenUK is making a lot of inroads to the UK government, so a lot of it is still at the conversation, making the case, raising the attention of outside the typical kind of nerd policy circles, but I think there's progress being made on this front. I do think the US will be the first to actually commit real resources to this kind of thing, though.
E
I also think that that success will beget success here. So as as we, you know, a year from now, when we are, you know, we've exceeded our expectations and, and you know our, you know, can demonstrate the value this provides, that then becomes a, you know, a lightning rod for, you know, because why would an organization like build something else from the ground up versus just accelerating this thing?
I
Well, I think one of the messages that would be successful here is, you know we, I think I've shared we're involved with two government OSPOs, and what they're looking for is a clear message on how they can upskill their own, the developer talent. So if there's a, you know, promoting that that message that OpenSSF can help upskill their their developer resources will get a lot of visibility with with the government entities.
G
Yeah, definitely something that we've, has been a part of the conversations with White House and follow up and and and with some of these others is, look at the training materials we've come up with, look the best practices guide, but best practices in the context of how you consume, not just not just you know how open source projects are producing code, so a lot of that's outside of Alpha Omega, but.
I
But I think that's a little, so they hear that all the time, here's great material, here's great courses, we'll make this available. I think it's. What what I see resonating better is, hey, we're going to provide someone who's going to do, who's going to walk you through those materials, who we can do is an act. A real sprint with, you know, providing at least for an initial kind of kickoff, even train the trainer sessions, as opposed to we've developed really great content. That's reactive!
G
Let's follow up on that as well. I know we're past time. Jack, I see you have your hand up. You want to ask one last question?
D
Hey, I just wanted to kind of echo what Andrew said, and I just wanted to find out if there was, so given that the first engagement is coming up, has there been any talk about, you know, like standardizing what the package is around, you know, providing training and providing that kind of like inroads into having the maintainers like upskill themselves, so that they can take care of it. So it's it's like the one part of it is obviously the funding and the other part would be.
D
E
That's why we need the lead PM to join, because, so I think we want this to be more, you know, sustainable and repeatable and all that stuff, but.
G
There's a tension here as well with, like you know, but there's a tension with with, you know, what it was also key part of the original white paper and what I think got some people excited, which was that we weren't coming in to dictate to a project the one true path to to, you know, security nirvana, that that there were multiple paths and we wanted to be assistive of that, and it sometimes just means I I might drop like a big, a bit, a big checklist on you, but helping you.
G
You know I I I that would be the wrong way to do it. Instead, the right way is listen how you might even use a different phrase for a certain thing. Oh, that actually is code signing, what you're doing is code signing, Sigstore, consider other things too, but like like to lead them on a journey rather than to to say here's the one true way. So I I think the hype there'll be a hybrid over time, we'll say here's what's tended to work best as we worked with this project in that project, but yeah.
D
G
And that kind of thing, it also is a path for us to work with volunteers to develop, because so much of what we're talking about here, doing on on both Alpha and Omega, is both high touch, requires specialized expertise and hard to be completely transparent about, right. I I and so we're constantly thinking about what are the pathways for public engagement to help make this operate as much like an open source project as we can, and one thing might be a guide to Alpha engagements. I mean in the long term.
G
Ideally it's like here's a, here's a template for how you have that conversation and the decision tree or the options to provide, you know, and then this is something projects could even do themselves without without needing, you know, somebody paid to come in and do that, that kind of thing, or or service companies could do, consulting companies. That kind of thing, yeah.
A
A
Let me attempt to literally answer the the question is: hey, have you thought about, you know, creating some sort of, you know, process checklist for Alpha, and if the answer is that has been discussed, and I think there are some obvious, you know: hey, get badges, get SLSA levels, go work on scorecards, you know, get a security audit, have a process for vulnerability reporting.
A
I mean these, I think there's a large number of things that could be create added and turned into a list. But, as Brian has has stated, the original statement, and we can blame Michael Scovetta, it was, though, step one was interact with the projects. Where are they? Where are their critical needs, because, under the theory that, if their critical need for security isn't something we had originally considered.
A
But it really is the most important thing, then let's start there. I do think eventually we're going to get to the point of, because we we do want to fix vulnerabilities, but we also want to sustain long term. So we want to change, help them change their processes to get better, and then I think the things I just listed are ways to help get them there.
A
You're not supposed to admit that. Yes, although, although I I just recently dumped, because I'm thinking that's probably a best practices working group idea, so I already dumped a draft on CRob and Xavier's inbox of, hey, I've got this idea, what do you think about this, but yeah. I I do think that there's value with the OpenSSF of finding, you know, ways to make it easier for people to. Oh, we've got a lot of cool stuff here and other people vlog cool stuff.
A
C
A
B
E
Does anybody feel strongly that it should only be a half hour meeting? Perfect. Let's.
A
A
Yeah and, and I would say that we can, after after a couple months, we can revisit the whole, is it monthly or not, but I think for right now, while we're still trying to get like the people hired, there's a lot of things we can't say yet.
B
Okay, so sorry so you're, so just so that, like you know, I know what I'm, if I'm telling people about this thing, if I'm telling them the accurate thing, and if anybody needs to just run, like don't let me hold you up. So the Omega project, the security researcher is, is the security researcher mostly just about finding the vulnerabilities, or is that also, are they also engaged with the security team to try to understand the problems and and pitfalls that they're experiencing and where they're struggling, or is their role purely go here?
B
E
It is, here are, let's call it important projects, because critical means Alpha projects more or less, here here are, make it concrete, the output of static analysis tools against important open source projects. Sort them, start at the top, triage them. If they're real, report them and or send a fix, depending on context, bandwidth, project.
E
So it's about the the the machinery of fixing new vulnerabilities, not CVE checks, not like the things that are kind of more or less commodity at this point. This is new new bones.
B
E
D
B
Correct, yes, yeah. I agree, I think the other question that's gonna, you're gonna run into at some point and just you might wanna like let it ruminate in the back of your head is: do you let the researcher that is, you know, finding all these vulnerabilities, if there are bug money payouts that come out of those, because they just naturally happen, right, like you know who, whoever it is, will sometimes just pay you no matter what you find, where where's that, and also like you know some of these stuff.
B
You know you're finding vulnerabilities, you might turn it into a code code query and get up as their bug binding program too. On top of that for submitting, you know, things that find, because you want, you want the vulnerability research that the Alpha Omega project is doing to get contributed back so that it doesn't just help these small projects, but hopefully everybody, so so having a thought in that particular area might be useful to consider beforehand.
B
B
G
Thank you, it's just Dave is what it is. Slack rave see you.