From YouTube: Alpha Omega Project Public Meeting (July 20, 2022)
A: Folks, we could start in about two minutes or so. There is a public meeting notes document at the top of the invite for this meeting that you're welcome to go in and add yourself to, and add topics or anything else.
A: All right, let's get started. Welcome everybody to the July 20th public meeting for Alpha-Omega. The purpose of this meeting is basically to answer any questions and talk about what we've been up to, but this is better when it's interactive, so if you have questions or burning things, feel free; we can spend most of the time chatting about stuff like that. I have a short deck. I think Michael Winser should be here, so when he joins he can pop in and talk as well. Brian, and obviously anybody associated with the project, is welcome to jump in on the slides. So without further ado: if you do have things that you want to talk about and not forget, you can add them to the deck, add them to chat, whatever, or just kind of start talking.
A: That was my welcome. Project updates: hiring. We are still hiring, still attempting to hire. Hiring, we've learned, is more challenging than we thought it would be when we set out here, so we still have three roles available: the lead PM, security engineer and security researcher. We are pursuing candidates in these and are looking at alternative models to resource these earlier.

But if you or anyone you know is interested in applying for these, please send them to the link on openssf.org, and share with your networks and things like that. I'd really appreciate that. Right now I think the biggest impediment to moving faster is hours in the day, so more people means more hours.
A: On the Alpha side, I hope you're all aware that we announced Node back in, is it April? Just a couple of months ago. OpenJS's Robin Ginn posted an update on kind of where they are; there's a link to that in the deck, and I encourage you to read that. And then at the OpenSSF Day last month in Austin we announced similar engagements with Python and with Eclipse, so they're both a similar dollar amount. I think the second two are $400k each and doing similar things, so this is starting to become a pattern.

Node posted another progress report up to our GitHub page, the Alpha-Omega page under OpenSSF, and we'll probably use that as the model for the other ones going forward. Just to be clear, neither Python nor Eclipse have actually received the money yet; we're working through the paperwork and things like that, so we probably expect the first update to be September.
A: On the Omega side, I know I promised a toolchain. I'm sorry, it is still pending, and it's just pending legal approval for distributing a Docker image that contains CodeQL, because CodeQL is not open source and the image and the repository that we want to distribute are open source. I just want to be super clear that I'm not trying to re-license something that's proprietary as open source or anything like that. So it's purely about that.
A: We've had a couple of vulnerabilities, though, even in advance of hiring. Node released an update on July 7th with a fix for a vulnerability that we found. It was kind of simple, not super interesting, but when Node started up it looked for an OpenSSL configuration file in a hard-coded directory, /home/iojs.

Presumably it usually didn't find that file and it continued fine, but I suspect that if it did find the file, it would read it and use that as a configuration for OpenSSL, which could be bad. So they fixed that super fast, which was terrific.
A: We found an RCE in JSHint. This was actually in an unused build script, so they just removed the script; that was fixed in a commit. We don't have a CVE because it was never really released as a package. And then we have three more, actually that's four more: two that are awaiting a CVE and disclosure. These have been acknowledged and I believe they've been fixed, but they haven't been formally packaged and updated, so I need to follow up with the maintainer there. And then two more that we distributed yesterday to the maintainers.
A: Cool. Omega tracer: I posted a note out on the Slack channel over the weekend. The way that we found the Node.js CVE was by doing a system call trace during startup, during Node starting up. I thought that was interesting, and perhaps that same kind of anti-pattern shows up somewhere else.

So right now we are running every Ubuntu package through this kind of similar tracer, and what we're doing is actually capturing the full strace log for each binary in each package.

I just ran this, so I should have the number: we now have 6,200 packages done. Those should all be at that GitHub repo; I'm obviously going to move that over to OpenSSF once this advances a little bit further. It's possible that after we do all this work we realize that, nope, this was just a really rare one-off and there's nothing to see here, in which case we've learned something, but probably not something super useful to continue or expand.
C: Hello, sorry, I was a little bit late. It's all good. Yeah, so we're super happy to welcome SOS.dev.

This program was originally funded by Google to basically create a fund to help reward individuals who were making improvements, fixing bugs, notably security bugs, in open source projects, and we see it as a natural fit to the Alpha-Omega effort. The SOS.dev folks who have been administering this, some combination of working group people and Googlers, agreed, so we're joining forces. There's not a lot of impact to anything that's happening right now, but we see an opportunity to increase the visibility.

Many people have not even heard of SOS.dev, and for it to just be, as I said, a natural extension of what we're already doing within Alpha-Omega. We will evolve it as we figure out more and learn, but this is where we are today. I certainly hope that people will say, what is that thing? Great, let me go and learn more. So please go to sos.dev, see a bit more there, and don't hesitate to come back with feedback as well.
A: So I think at each of these public sessions we get the question, how can I participate? This is what we've got right now; we do expect this to expand and get better over time and have more specific areas that folks can contribute to.

But obviously, with SOS.dev now being a part: if you're interested in finding vulnerabilities in open source, go and do it. Not that you couldn't have done it before, but now you can do it and get a little bit of cash out of it. So I encourage folks to leverage SOS.dev. The security tools: as soon as the Omega toolchain is out, please contribute, run it, test it, improve it, all that. The underlying tools, practically all of them, are open source anyway, and even for CodeQL, the rules are, I believe, all technically open source. Contribute to those, run them, test them, just help advance tooling in general.

Join the discussion in either the Alpha-Omega Slack channel or any of the working groups, particularly the critical projects working group, since both Alpha and Omega take their list fundamentally from the critical projects. Having a better idea of what is critical means that we can focus our limited funds and energy on the ones that really matter.
C: You could kill the presentation, Michael, so that we can see people. Nice, perfect.

Just so the participants know: if nobody asks a question, we'll start asking questions of the participants. It's an equal opportunity questioning. Amir, you're smiling, therefore you're in a good mood and you've had some sort of pre-morning stimulant as needed. What's going on? Just tell us what's going on on your end of the world.
D: Hello, good morning, hi everybody. Thank you so much for the fantastic update. I think the SOS move is definitely a good one. We've been working with the SOS folks and they definitely seem very keen on fulfilling that mission of getting support to the people who are doing this kind of work, so nice job on that. Everything is sounding really good.
C: Well, so instead of a question, perhaps an update on what's happening in Austin. You guys are obviously immersed in the same problem domain; we're partners in this journey. What's going on with you folks? No big deal, just what's top of mind for you.
D: Totally. Yeah, we've actually had a pretty busy week; this week and last we released about four to five, I think it was, audit results for a bunch of different projects, and thankfully we were able to do a lot. So within the last two weeks we've had about 41 security improvements, 18 of those are CVEs, one of which is a critical CVE, six high and 11 moderate.

These are just vulnerabilities: denial of service vectors, cross-site scripting vectors, path traversals, things like that. So we are just cranking on all cylinders and cranking out audits with our work with OpenSSF, with Google's open source security team and CNCF, and so we're out here doing it and, thankfully, we're producing results pretty consistently and finding and fixing vulnerabilities at a really high rate.
C: Awesome, I love that. And so, speaking of the audience, I'm interested in learning what happens after these audits, right? We've been partnering with various foundations, and the first thing they want to do is an audit as well, and we're super keen to help that happen. I'm looking forward to the journey of post-audit: how well does an audit help an organization adjust? Any thoughts you have there will be very interesting, and then I'll shut up and let better people talk.
D: Yeah, actually that's a great question, I'm glad you asked, because I'm actually working on getting some of this down on paper to share with people so that they can join the conversation. But I would say there's really two main benefits to audits.

There's the immediate post-audit benefits, which are having a fixed, focused engagement where maintainers are thinking about security, they're working with security experts, answering questions and really painting a picture of their project's security posture and what have you. And then, of course, there's the fixed vulnerabilities, and the beauty is, at least the way we've been able to do it, when it's a strong collaborative effort, we found that a lot of the bugs that are fixed are actually classes of bugs, where auditors are finding design flaws or consistent themes, and so by working with maintainers to close those they're effectively eliminating an entire class of bugs and problems from arising in the future, which is extremely helpful.

And then one thing, especially recently: we've been building fuzzers and integrating projects into OSS-Fuzz as part of the audit, so that they have new and improved fuzzers and results, so that their project is constantly being monitored too. So it's not just a one-point-in-time type of thing.

And then lastly, some of those more long-term benefits come from, as I mentioned, the improved tooling, closed classes of bugs, and then, of course, we recommend projects on a risk-based schedule. If they have a huge new release, a ton of new code or something like that, or if it's something that's just extremely critical, putting it on basically an audit schedule, so maybe revisiting it in one year or two years or however many years to review new features, green code, and audit that, and basically continuously provide that service for projects.

So I would say a lot of folks think an audit's just kind of a one-and-done kind of thing. I think it can be if it's just a bunch of people coming in and dumping bug reports on a project, but when it's done with a lot of care and management, where it's really a collaboration, we're seeing both immediate and long-term benefits to projects. Awesome, thank you. Yeah, of course, thank you.
E: So I have a question about SOS.dev, which means this is a question from Michael rather than Michael. SOS.dev, I just briefly skimmed it on this call, looks like something that would be a really good way for people to be able to contribute to this effort, but the remuneration part of it might be problematic if people are coming from a corporation where there could be a conflict of interest: I'm doing this on company time and then I'm also getting paid on the side. So are there accommodations within SOS.dev to not get that reward, or to instead shunt it towards some non-profit or other good endeavor?
C: It's a good question. I cannot give you the authoritative answer; I will find out. The simplest answer is: do the great work, tell us you did the work, don't claim a reward, and then the money remains in a non-profit that is designed to continue providing this work. Now, the money's still there, it's still going to a good purpose. If somebody wanted to direct the money to some particular thing, that actually has its own set of implications, because now money is being routed.

So I think what would be nice is to value it: what you reward increases, what you appreciate appreciates, right? And so as individuals take time, or as corporations allow individuals to take time and make fixes in the small across this very long tail of the problem space, it would be nice for that work to be valued and appreciated so that people want to do more of it, and I think that it would be.

A wall of fame of, here are the contributors, whether they took money or not, is sort of a separate issue. And then, having raised this conversation up to another level, I'm like, okay, do we need to have a policy about conflict of interest, something like that? For now I think we're probably okay with relying on the individuals to manage their own ethics, rather than trying to be an ethics police for every individual and every corporation.
E: I think, if nothing else, it's at least worth mentioning on there: hey, go check your policy, make sure you're not in a conflict of interest, because a lot of developers are well-intentioned but just aren't as aware of that policy, right? And so asking them to go do their homework would be great.
A: That's why I'm talking, but I'm on mute, and I'm like, everybody's ignoring me. Amir, so when work gets done, there are big weird design flaws that you can only pull out by thinking hard about the problem, and then there were coding flaws that presumably a tool could find but obviously either wasn't run or didn't find it. And I'm wondering if there's an opportunity, maybe for OpenSSF, to collect essentially a wish list.

I'm just wondering. I mean, I guess you could go through the audit reports and say: oh, this was the change; oh, if I would have just looked for this pattern, I would have found the issue. But I'm wondering if there's an opportunity there, I don't know. Do you know what I mean?
D: Yeah, it's a great question and I'll do my best to answer briefly, and then I'd love to go to David, who's had his hand up for a minute. But yes, the audit reports: a big benefit of advocating for transparency and publishing a report at the end of the engagement for the public to consume, I think one of the big benefits is that other projects or project maintainers can review these reports and read them and almost use them as case studies: oh, hey, they're doing something kind of similar to what we're doing, and this is kind of what happened, and we were able to make improvements as a result. Kind of like how our work on CRI-O ended up actually helping containerd with patching a high-severity bug too.

So in terms of a wish list of tools, that's a good point. The one thing that I know we really try to focus on is understanding that every project is different and at a different maturity level, and that for these audits to be effective, it really has to be very catered to that project and their practices.

So we really don't see two audits playing out the same way, but I'm sure as we do more we'll probably see more consistencies, like, for example, fuzzing being very, very popular and a great tool to use for continuously monitoring a project. And so I'm sure our methods will develop and we'll have more data as we do more engagements.
B: Yes, thanks. Two things. One, regarding the funding issue, just to keep in mind for you and Michael: allowing people to direct funds, or I hope SOS would allow people to direct funds to, let's say, a charity, and say okay, I can't accept it, but they could feel the benefit that way, and then the reward, the acclaim, by saying, okay, I can't accept it directly for whatever conflict, but give it to this officially accepted 501(c)(3) charity that I choose, is one way to handle that potential conflict of interest.

But the question I actually had for you is, it seems with all of this stuff and all these great projects, great working groups at the OpenSSF, we've got the different pieces: Scorecards, Alpha-Omega, Securing Critical Projects. How are we, or how are you, or all of OpenSSF, I mean, don't ask Brian, right, and stay on that view, but it almost seems like there is an implicit pipeline here, but we haven't made it explicit. These are different parts of the elephant, and how is this going to evolve to actually some sort of a handoff, and some sort of, okay, we found this vulnerability, and then okay, Alpha-Omega should fund it, and this should do it?

It seems like there are pieces here, but at least they seem independent still, and how can this evolve to something that's more coordinated? I don't want to make this too bureaucratic, but somehow there is a pipeline here of how these different work groups are all fitting together.
G: You want me to stay on mute? Okay, I can do that. No, I'll just give my take really quick, then, which is I'm a pretty firm believer in small pieces, loosely joined, right? And I'm a latecomer to the OpenSSF community, relatively speaking.

I parachuted in in September of last year, and what I already saw as key to the success, even to that point, of OpenSSF was this kind of open-ended: hey, show up and start working, and if it makes sense we'll give you a space to do it in. We will park folks under thematically related working groups, and some projects like Alpha-Omega or Sigstore actually are ambitious enough that they kind of need their own persistent funding.

And so let's try to create something to support them. It's been a little ad hoc, but it hasn't been random, right? It has been very much about allowing folks to be the masters of their own domain, or make their own independent decisions about priorities and what to accomplish next, without having an overarching top-down view of if this, then that, right?

And at least from my point of view, I'm here to facilitate the community and allow for the thousand flowers to bloom wherever they're gonna bloom, and every time I do try to introduce a little bit of process I get pushback for being over-prescriptive. So I'm gonna go with the flow here a little bit and say, let's figure it out as we go.

At the same time, the most important thing is having everyone be aware, at least, of everyone else's complementary efforts, and I know that the two Michaels are deeply enmeshed inside of the different related working groups and the like, and are constantly going, well, maybe we'll work with them on this or work with them on that. So I think, as long as we have that, we kind of don't need the overarching programmatic business process modeling that otherwise might be called for.
C: There's a specific workflow that I think is poorly addressed today in the industry, and I don't know how to solve it. But if you think of it like, so, you found a vulnerability, right? You're now in this weird thing where you've got this nasty piece of radioactive material, right? Nobody wants it in their backyard.

If you want to have this stuff, you're almost implicitly unqualified or disqualified from having it, because you're trying to make bad things out of it, as opposed to finding a way to make it not blow up the world, right? And right now we are, as an industry, surviving on some combination of spreadsheets, emails and a personal web of trust for communication around these things, and we all know that at a certain point of scale, things change dramatically in behavior and become much less effective.

We are approaching that problem. On my ridiculously long backlog of things to do, or to have somebody do when we can hire somebody (we're hiring, as Michael mentioned), is to sit down with the folks at CERT and the VINCE project, or whatever it's called, which is the tool they use for managing vulnerability disclosures at that level.

Can we start to build workflows that allow us to create trust and communications without conveying all the details, but have information and then access-manage that? Lots of interesting hard problems there, which sort of embody the ten interesting problems in computer science: caching, naming and off-by-one errors. I don't even know if I could tell you what the right answer is right now, so I feel like evolving that before trying to build it is part of the journey.
B: I'm not saying that's the right answer, but I guess what I'm saying is that in some ways Alpha-Omega, with this great report from Michael about these projects, Node.js and the Python Software Foundation, that they're funding; but in some ways Securing Critical Projects is looking at the critical projects which then Alpha-Omega could fund. So I'm just saying, in some ways, not that it means it's a great selection, I'm just saying it's the selection of these projects: Alpha-Omega selecting its projects, Scorecard selecting its projects, this is selecting its projects. I'm not suggesting a bureaucracy. I'm not saying, okay, we need to make this top-down. I'm just suggesting that that's what I mean by different parts of the elephant: how to, informally, other than these sorts of meetings and these great relationships that OpenSSF itself is creating, this communication flow is creating, sort of ensure that there is this communication, and it also doesn't look like, well, this is my favorite set of projects and I'm leading it up, maybe I'm finding this, and this is my favorite set of projects, we'll get them funded. It doesn't turn into all these little fiefdoms, right?
A: Yeah, I agree. Perception matters. So we're sort of funding Python, Eclipse and Node; if our fourth project is, like, the random calendar widget for an old version of Joomla, people are gonna say, what? Why did you choose that? It's obviously not in the same class as the others.

But there is a little bit more method to the madness, I guess. The critical projects working group does have a list of critical projects that is kind of the first filtering: if we find something that isn't on there, maybe it's because, thematically, they didn't look at, like, build systems, and maybe Jenkins is at the top of the actual list but not the top of their list. So we would be thoughtful about that, but generally speaking that is our first filter. Now, should we be more transparent and explicit about that? Absolutely. Do we want to be bound to any explicit list? Not really. We want to have a little bit more autonomy than that, but we recognize that, yeah, if all the CVEs that we find in the next year are against very, very long-tail projects, someone should ask us, what's the actual impact that this funding has had? And if we can't articulate that, that would be sad.

So I do think one of the things that I would like to do, as we get hiring done and we get more bandwidth, is having kind of a hall of fame page with the things that we found, and specifically what we targeted and why we chose that, and the method and the rationale.

But I do also agree with Brian that letting a thousand flowers bloom is the big advantage of OpenSSF, where for the most part, until you ask for money, as long as you're generally in the ballpark of what your working group charter is, it's like, go do it.
H: Hi, I'm Munawar Hafiz, I'm new to the group. My philosophy has been also like what Brian has been articulating, as in show up and start working, so I've been working with Michael, Michael one in order of appearance today.

So yeah, I'm the CEO of OpenRefactory. We are building a better bug detection tool; our tool works right now on Java, Python and C.

So what I've been proposing to Michael, and that probably has found its way to Michael too and also Brian, is that I, or we, want to scan, let's say, the PyPI repository and identify bugs and present the bugs to the maintainers, and then somehow nudge them to fix the vulnerabilities and so on.

The reason why we claim, or we hope, that our tool can scale to such an effort, like the PyPI repository right now has three and a half million artifacts or different things that are hosted there, is because our false positive rate is dramatically lower than all the other static analysis tools that are out there.

So what we will be generating is a lot of good data, not necessarily a lot of noise. Therefore triaging etc. can be done in a feasible way without bothering people, and in the end the results that we are generating are supposed to be distributed to the maintainers at that point. That's the only way it can scale; there's no single authority that can go over all of these bug reports. Even if we generate one per project, that's three and a half million reports. But anyway, so what I'm trying to figure out: we have just created a dump, we scanned like 100 projects from the PyPI repository, and I've shared the data; it's available on our public website.

I shared the data with Michael, and so I am trying to find out, as David was pointing out, what to do next and how do we coordinate. As I understand it, you guys are also figuring out in real time how this data would be sent to the maintainers, how the coordination would be done, how we or you guys would be nudging them into fixing the vulnerabilities and so on.

Our selfish interest is to make our brand well known: everybody knows about us, everybody thinks we're great. Of course there's that selfish interest, but at the same time there's a whole lot of very small issues. We don't know until we dig into each of these, but some of these can turn out to be something bad. From the reports, I've looked into the general reports, there are many bugs per project that need to be fixed, maybe not high security; we're also focusing on reliability, compliance etc., those kinds of things. But that's fine, at least these bugs need to be fixed, and because it's a distributed effort, if the maintainers are aware of it they should be putting these in as part of their next release cycle and so on. So I would like to know what the coordination is as well, and basically how do we then use the data and make it beneficial for the actual maintainers and overall make the software work better.
A: So I'll start there. Nothing would make me happier than to have the Omega side of this kind of evaporate out of existence because the tools are so ubiquitous and high quality and maintainers are fixing things such that there's simply nothing left for us to do. I'm not super optimistic that that will happen anytime soon, but I do strongly support better tooling in the hands of maintainers. We don't need to be in the loop if we're not providing value.

So for things like OpenRefactory, when we chatted I said this, but other kinds of tooling vendors have approached us similarly and said: hey, we have a really sharp tool, we can scan a lot of stuff, how can we partner together? And we're still trying to figure that out. Some of it is just a matter of bandwidth; it takes time to triage these things and to write a report. But, full disclosure, one of the vulnerabilities that we reported yesterday was found with OpenRefactory, so there's one data point.

So I don't know what the process should look like, and I don't want to design this on the fly, but being able to, number one, get high-quality vulnerability reports, validate them, triage them and report them is kind of what Omega is about. Now, whether or not we are running the tool or we are just getting the output that someone else ran, like OpenRefactory or whoever else, it doesn't really matter; we don't need to burn the carbon ourselves. Someone else can do it. But at the same time, the best-case scenario is, because it's so high quality, it goes right back to a pull request or an issue or something where we're not even in the loop, unless there's something for us to do.

So, unofficially, I'm happy to help triage and provide feedback, and I've got some feedback for you that I'll send over later this week. So yeah, let's do it. But it'll probably still be a quarter or so after we have the security researcher and engineer hired before we'll be able to formalize what that process should look like, I think.
H
Yeah, part of that is also what David was pointing out, as in, so I'm fairly new to the, this is the first time I'm attending the meeting. I've been intending to do that, for personal reasons, and also, yeah, I mean I was not able to attend the last few meetings, but I'm following up by watching the videos and so on. But I mean, so I just found out about this, like critical pro.
H
So what are the working group meetings that I should go and attend? I mean, there is, so I mean, I just learned about Amir's work, and then I think, like, I should definitely, probably, chat with him in a separate channel and see, like, what.
D
Security Scorecards is part of Securing Critical Projects, and we have used the Scorecard to give us insight into projects, yeah.
H
Okay, but anyway, as you see from my naivete, like, the lay of the land is not necessarily clear. So yeah, I mean, that's something that what David was pointing out is, perhaps, like, if some sort of descriptions of, like, how these projects are even loosely coordinated, that would allow newbies like us to find the hot spots, like what, like Alpha-Omega, the charter. When I read it, I just felt like this is the perfect place where I would.
H
I should just come and attend and learn from you guys, but at the same time, what are the other ones that would be also tangentially related and that I should also pay attention to? So that's, I think, a common problem that people who are new would have, and that's what David has pondered. Yes.
A
And Brian, I don't know if you have a more official answer. I mean, we, we open. We should have a town hall pretty soon, and at the previous town halls we kind of went, you know, from left to right across everything that we're doing, and at least mentioned it, and so the one from February, you know, it's six months old, but, you know, that's something we should have a map of, like, here's all the stuff that's going on.
A
I know that the TAC is actively interested in this similar thing, so the working groups are starting to report back to the TAC on what we're doing, presumably so the TAC can have a full view of it, and having them kind of publish that out in some way, I think, would make sense. There aren't that many working groups, though, so what I would encourage you to, and all the meeting minutes are public. So it's not as easy as, like, a one-pager.
A
That's just like, here's everything, you know, it's. It also evolves over time. So if there's something that you are specifically looking for, like, post it in the general chat in Slack and say, hey, I'm interested in, whatever, Kubernetes security, is there anybody working on Kubernetes security? And someone will pop up and say, yep, we're doing it over here.
G
Well, and here is the one-pager that talks about at least what the working groups are doing. Look, part of the challenge of the circus is, you know, there are lots of things going on simultaneously in different places, but there are a couple of different ways to try to aggregate and figure out where to focus your time, because you want to. I think everyone wants to not waste their time.
G
They want to find what's interesting to them, and I think you can take the top-down view, which is: start at.
G
The website, start at the top of the TAC GitHub repo and cascade downward, kind of, you know, a depth-first search to kind of see what's interesting out there and what rings the bell for you. And frankly, I think just figuring out what creates enough value for you, or that you start using it in your day.
G
Job, is a good way to turn back around and go, where should I prioritize spending my time volunteering and feeding back upstream too, right? So anyway, those are some places. You could also just read through the blog; we try to put a few things there each week of new things happening across OpenSSF. So if you want to see, you know, kind of an activity-first search of what's going on, that might be another way to go.
G
That was the basic question, right? Discoverability, and how do the pieces fit together, and that sort of thing, like where to get started? I think there's probably that, where to get started, we could always do more with when people land at the website, but more that we could try to do there, but.
G
I'll check that link out, thanks. Thanks, whenever, Munowar, sorry.
C
All right, I threatened for more questions, but I think we've reached a useful conclusion to today's conversation. If anybody, speak now, remember, for 15 minutes, hold your peace, 13 minutes back. Everybody, thanks again for attending, coming, showing up. Always appreciate to have either listeners or conversations or whatever, and don't hesitate to send out feedback or jump onto the Slack channel with thoughts. Thanks, everybody. Thanks, everyone.