►
From YouTube: Education SIG (February 8, 2023)
Description
Agenda – https://docs.google.com/document/d/18GBwvQJNcPnwxKrnp43DhBZC7K1JM0xzGkDoKh5mu8U/edit#
Slack – https://openssf.slack.com/archives/C03FW3YGXH9
Mailing List – https://lists.openssf.org/g/openssf-sig-education
Git Repo - https://github.com/ossf/education
B
B
B
E
B
F
G
B
B
B
B
D
D
So
that's
in
there
for
a
birds
of
a
feather
talk,
put
it
in
the
leadership
track,
as
had
been
suggested
in
one
of
the
previous
meetings
and
other
than
that
we
were
looking
at
getting
together
a
list
of
Partners
this.
These
would
be
like
Partners
who
survive
under
server
underrepresented
communities.
So
we
wanted
to
get
our
partners
going
and
start
putting
together
the
POC,
so
we
can
start
kind
of
like
approaching
them
for
to
see
where
we
could
fit
in
and
help
out.
D
The
other
thing
that
we
wanted
to
do
as
well
is
look
at
upcoming
conferences
and
marketing
opportunities,
so
one
of
the
ones
that
was
suggested
that's
coming
up
shortly,
was
b-sides
and
potentially
just
going
in
there,
and
the
goal
is
to
get
feedback
in
terms
of
like
which
initiatives
that
the
subcommittee
should
go
after
and
other
than
that.
We
also
wanted
to
put
together,
like
a
project
plan
or
a
kanban
board,
because
there's
a
lot
of
things
that
we
want
to
look
at,
but
we
want
to
just
get
it
all
organized.
D
That's
the
quick
update.
Oh
and
another
thing
is
this:
also.
We
wanted
to
go
ahead
and
start
going
to
some
of
the
other
working
groups
and
just
making
it
known
that
we
are
available,
because
there
might
be
opportunities
where
some
of
these
other
subcommittees
may
want
to
reach
out
to
the
same
communities
that
we
want
to
serve
so
giving
them
an
opportunity
to
to
tap
into
our
resources
as
we
build
them
up.
B
All
right,
awesome
and
I
did
get
confirmation
yesterday
that
there
will
be
an
open
ssf
day
at
Vancouver,
so
they're
going
to
open
up
a
special
cfp
for
that
at
some
point.
So
Dei
and
everybody
else
be
prepared
that
if
that
pops
up,
we
potentially
have
another
opportunity
to
submit
talks
or
have
arranged
conversations
like
with
the
Dei
birds
of
feather
suggestion
is
going
to
be.
B
All
right,
let
us
has
anyone,
had
any
opportunity
to
reflect
upon
the
pieces
of
content.
We
I
shared
Last
Call
on
January
25th.
That
Intel
has
is
able
and
interested
to
potentially
donate
to
our
efforts.
So
did
anyone
have
anything
on
that
list
that
they
wanted
to
maybe
get
a
peek
of
or
anything
you
want
to
explicitly
wanted
to
say?
No,
that's
not
interesting
to
us.
A
B
C
B
This
is
an
internal
call,
so
I'm
meeting
with
the
two
people
that
wrestle
at
the
training
program.
So
if
they're
interested,
if
like
we
say,
we
really
want
the
to
see
the
fuzzing
stuff,
I'll
say:
hey,
the
team
really
wants
to
see
the
stuff.
Can
we
get
a
copy
of
that
to
look
at
and
then
you
know,
if
there's
if
we
want
to
have
a
longer
conversation,
I'm
glad
to
set
that
up.
I
can
again
start
that
conversation
tomorrow
with
them.
C
Because
if
I
look
at
it,
I
would
say
yay
to
all
actually
all
the
topics
it
could
all
be
interesting.
I
I,
don't
know
how
much
overlap.
There
is,
of
course,
with
the
stuff
we
already
have,
but
I
think
is
very
good
to
to
see
what
they
have
are
in-depth
and
comprehensive.
It
is
so
I'm
yay
for
all
the
topics
actually.
C
A
B
And
if
I
could
get
potentially
get
a
prioritization
on
the
list,
because
what
we
would
do
is
I
can
get
access
to
the
stuff
and
we
can
look
at
it,
but
actually
before
they
could
donate
it.
It
has
to
go
through
an
Intel
legal
review
and
a
scrub.
So
that
takes
a
little
bit
of
work.
So
I
don't
want
to
tell
them.
I
want
50
things.
I
want
to
kind
of
say,
here's
our
list,
and
you
know
as
we
get
them
done.
They
can
turn
them
over.
C
Coding,
secure
development
and
security
from
management,
I
think
those
are
actually
the
most
interesting,
maybe
security
for
management,
even
more
as
we
have
already
identified,
we
have
a
gap,
you
know
the
others.
We
do
have
already
something
but
yeah,
maybe
still
it's
good
to
see
what
they
have
and
again
to
enrich
and
yeah.
B
A
B
B
G
But
in
a
nutshell,
we
have
both
a
preliminary
body
of
knowledge
that
we
have
been
putting
together
based
on
inputs
from
to-do
group,
other
organizations.
Oh
and
I'm.
Sorry
abishay
asked
the
right
question:
the
fintech
open
source,
Foundation
Finos,
which
is
also
a
part
of
the
Linux
Foundation
and
primarily
Financial
membership.
Finos.Org
I,
would
encourage
everybody
to
to
go
and
sign
up
for
our
newsletter.
G
Take
a
look
at
it,
but
we
do
want
to
ultimately
build
both
a
body
of
now
knowledge
that
any
organization
could
could
be
able
to
take
a
look
at.
It
will
be
open
source
but,
of
course,
aim
towards
our
membership
to
say
we
want
to
get
started
on
a
journey
in
open
source,
we'd
like
to
establish
an
ospo
open
source
program
office.
You
know
one
of
the
things
we
need
to
do
and
that
should
ultimately
break
down
into
organization
policy,
personas
roles
and
responsibilities.
G
Excuse
me,
and
security,
of
course,
is,
is
part
of
that.
So
as
we
delineate
areas
of
study
and
education
to
be
included
in
what
we
come
to
consensus
around
for
a
body
of
knowledge,
we
also
want
to
translate
that
into
potential
new
training
and
certification
routes
as
well.
And
then
we
have
also
introduced
a
open
source
maturity
model
which
is
kind
of
a
version.
G
One
new
pilot
efforts
and
we
envision
a
Continuum
where
you
could
come
into
open
source
Readiness,
go
through
training,
establish
your
organization,
establish
the
policies,
Implement
security
governance
and
move
from
open
source
utilization
to
open
source
contribution
and
then
ultimately
be
evaluated
against
that
maturity
based
on
based
on
your
compliance
with
the
body
of
knowledge.
And,
of
course,
openssf
is
the
right
place
to
come
for
all
things
open
source
security
and
want
to
incorporate
that
and
I
was
excited
to
be
able
to
get
involved
with
the
Sig
open
to
any
questions
happy
to
discuss.
B
A
G
D
G
C
G
C
Yeah
exactly
and
you
know,
I
also
build
their
own
security
champion
and
maturity
program.
So
I
think
it
sounds
a
bit
the
same,
but
probably
not
if
I
understood
it
correctly.
But
that's
why
you
know
I
was
asking
like
hey.
Could
you
have
some
more
info?
Maybe
there's
also
areas
that
I
can
enrich.
You
know
your
what
you're
doing
so
yeah.
G
Absolutely
and
Glenn
you
bring
up
a
good
point.
Our
first
go-around
in
terms
of
education
is
what
you
might
consider:
education,
awareness,
organizational
education
and
then
building
off
of
that
that
with
say
specialty
training
for
developers.
There
may
be
security
tools
that
we
include
in
that
developer,
training
or
say
the
the
ospo
lead
themselves.
May
may
have
some
additional
security,
dashboard,
training
or
awareness
of
s-bombs
or
something
along
those
lines
that
that
get
built
in
so
they'll
be
there'll,
be
I,
think
opportunities
for
layering
that
education.
D
Yeah,
a
gym
may
or
may
not
be
aware,
because
I
also
I
also
attend
a
lot
of
like
the
two
degree.
For
those
who
don't
know
what
to
do
is
related
to
hospitals.
Just
kind
of
like
a
community
for
ospas
and
I
know
one
of
the
potential
things
that
they
might
be
working
on.
This
year's
close
to
the
collaboration
with
openssf,
and
so
that
might
be
like
a
a
good
point
to
to
bring
those
discussions
as
well.
B
And
then
I
don't
know
if
you
have
come
across
them
in
your
travels
yet
Jim.
But
there
is
the
end
user
working
group
and
that
is
focused
on
open
source
consumers,
and
that
is
the
majority
of
participants.
There
come
from
large
European
and
American
financial
institutions,
in
fact
Jonathan
Meadows
from
City,
and
so
that
might
be
another
place
where
you
can
kind
of
go
and
talk
and
try
to
drum
up
some
additional
energy
for
it
as
well.
G
G
B
F
We've
we've
been
doing
initial
testing
with
some
document
translations
API
and
we
are
getting
quite
good
results.
We
hope
to
get
even
better
results
with
some
name
collaboration
with
the
product
groups.
We
maintain
those
apis
and
eventually
we
believe
that
they
will
be,
of
course,
some
work,
but
manageable
amount
of
work
to
maintain
that
over
time,.
B
Any
questions
or
comments
for
abishay
very
excited
about
this.
We
just
recently
had
the
content
translated
in
the
Japanese,
which
was
very
well
received
and
I
think
again,
more
native
languages.
We
can
get
the
content
to
the
the
broader
our
reaches
and
the
bigger
impact
we're
going
to
have
around
the
world.
F
C
Sorry,
okay,
no
I
just
had
a
question
about
versioning
and
making
sure
that
what
type
of
version
of
the
material
we
have
so
do.
We
already
have
like
a
sort
of
a
process
or
procedure
to
to
keep
track
on
what
is
being
translated
and
if
there's
new
versions
how
and
and
who
is
going
to
do
that
again.
Just
from
Curiosity
point
of
view.
F
Yeah
so
internally
we
are
doing
the
train
stations
using
a
GitHub
action
that
takes
the
content
directly
from
from
the
repository
uses,
the
translation
API
and
creates
a
pull
request
with
the
data
of
changes
from
the
previous
version,
so
that
can
also
be
contributed
and
I
know
the
foundation
has
access
to
to
the
apis
that
that
are
being
used.
So
we
can
use
that
over
time
as
well.
F
E
E
I,
don't
have
any
suggestions
for
translation
sort
of
like
around
like
if
I'm
just
living
a
vulnerability
to
a
project.
That's
a
chinese-based
project.
I've
heard
this
is
slightly
off
the
office.
For
me,
disclosure,
her
abilities
in
you,
know,
cross-language
projects.
Are
there
any
services
that
be
open
source
security
Foundation
has
around
like
hey
I
need
to
translate
this
disclosure
into
a
foreign
language?
Can
someone
help
me
and
do
so
in
like
a
not
viable
request,
but
more
like
via
private
discussion,
sort
of
Channel.
B
B
A
A
B
A
I
would
like
to
see
a
lot
more
feedback
on
the
content
in
how
we're
going
to
organize
the
content.
I
know
that
there
is
a
lot
of
potential
for
overlap
in
content.
I
think
that
some
overlap
is
okay,
because
I
think
that
there's
a
lot
of
there's
actually
when
you
start
to
look
at
it,
there's
different
points
of
view,
because
you
could
look
at
this
as
a
bug.
Bounty
Hunter,
that's
trying
to
make
money
which
is
sometimes
you
know
difficult,
and
then
you
have
like.
A
In
that
point
of
view,
which
is
different
because
you've
been
like
in
SKF,
we've
been
sitting
and
we've
been
figuring
out,
a
lot
of
our
content
is
developer.
Focused,
it's
not
so
much
like
well.
How
do
I
go
about
detecting
this?
You
know
and
like
even
figuring
out,
if
it's
a
problem,
because
now
one
thing
I've
noticed
also
talking
about
bounty
hunters,
a
lot
of
them
don't
understand
how
a
web
application
works
a
hundred
percent.
So
that's
also
interesting,
so
we're
trying
to
cover
all
these
things
and
I
think
like
feedback
on
that
would
be.
B
We
want
to
Target
first
and
then
start
to
align
for
reals
the
the
content
to
that
curriculum
and
see
where
we
have
gaps,
because
there
probably
could
be
some
stuff
like
we
could
borrow
from
things
like
the
Intel
donation,
but
they'll
probably
be
stuff
that
we
don't
have
any
content
for
and
we're
going
to
need
to
say:
hey
anyone
know
how
to
do
threat,
modeling
101.
We
need
a
class
and
we
need
you
know
a
lab.
For
example,.
A
A
B
B
There
but
yeah
I,
there's
not.
We
could
start
if
people
are
interested
and
are
not
afraid
of
potentially
rework.
We
could
start
to
chopping
the
the
things
into
courses
and
then
aligning
the
content
we
have
and
looking
at
the
game,
nothing's
stopping
us
for
doing
that
now,
but
there
is
a
chance
that
there
might
be
rework
if
the
board
prioritizes
something
else
or
says
that
we
don't
want
to
do
that.
For
example,.
A
B
So
again,
there's
nothing
stopping
us
from
self-organizing
and
working
now
kind
of
like
how
Christina
and
Jay
are
getting
a
focus
around
a
specific
topic
area.
There's
nothing
to
stop
us
from
doing
that.
It's
just
we.
We
run
the
risk
of
things
getting
shuffled
in
priority
or
potentially
you
know
getting
gnat,
so
I
wouldn't
suggest.
We
spend
a
lot
of
time
focusing
in
on,
like
the
grants
piece
that
Sal
had
requested,
because
that's
money
and
the
board
will
definitely
have
to
approve
that.
B
B
A
Is
that
maybe
at
some
point
it
might
be
useful
to
have
like
an
SKF
meeting?
If
you
will
on
the
on
the
board,
just
because
I
I
do
so
LF
will
certify.
The
courses
is
from
my
understanding,
but
I
think
that
they're,
how
like
it
would
be
nice
if
we
had
kind
of
an
open
opinion
of
what
like
the
content
we
provide,
because
it
was
always
supposed
to
be
a
platform
in
public
domain.
G
B
Interested
in
helping
coordinate
that
and
I
will
be
glad
to
give
you
support
with
meetings
and
whatnot.
So,
okay,
if
we
want
to
have
an
SKF
meeting,
whether
it's
part
of
I,
think
definitely
part
of
this
call
for
demos.
But
if
we
want
to
have
a
specific,
dedicated,
SKF
call
and
anyone
that's
interested
in
helping
collaborate
shows
up.
B
A
C
The
first
one
that
could
be,
for
example,
after
we
made
the
call
with
Intel,
and
we
gave
them
the
short
list
and
they
actually
have
the
material
I
think
it
would
be
good
for
people
to
also
join
that
meeting
as
yeah
we're
going
to
consume
that
into
SKF,
and
we
all
have
an
opinion
about
it
or
how
to
integrate
and
see
overlap.
So
I
do
agree
with
Randall.
It
should
be
good
that
it
is
a
team
effort
and
not
yeah.
C
Only
I,
don't
know
us
three
actually,
because
yeah
it's
going
to
take
quite
some
work
right
as
well,
and-
and
we
don't
want
to
do
things
that
others
might
think
yeah
I
know
it's
not
worth
it
or
whatever
right.
So
it
would
be
nice
to
to
have
more
people
there
and
indeed,
in
an
open
space,
make
sense.
B
That
sounds
good
and
I.
Think
you
know
once
the
the
plan
has
some
attention
on
the
governing
board.
I
feel
things
will
start
to
move
very
quickly,
because
many
people
on
the
board
are
very
excited
about
education,
so
I
think
they're
going
to
want
to
start
to
see
quick
progress,
so
we
will
have.
We
will
expand
back
to
potentially
at
least
three
additional
calls
for
Focus
areas,
but
maybe
more
you
know
so
just
we'll
we'll
try
to
optimize
everybody's
time
as
much
as
possible.
C
A
B
Go
it's
a
tool
that
allows
for
kind
of
Hands-On
practicing
of
some
of
these
skills
and
reinforcing
the
concepts
that
might
be
in
other
other
things.
Glenn
had
gone
through
and
absorbed
a
lot
of
the
secure
fundamentals
class
into
SKF.
So
it's
it's.
It's
really
pretty
interesting
experience
and
it's
really
more
for
people
like
with
Hands-On
keyboard,
as
opposed
to
getting
talked
at
in
a
class
github's.
E
B
D
C
No
I
just
want
to
say
indeed
we
talked
with
xrpa
like
what
two
three
years
ago
already,
because
he
was
one
of
the
first
as
well,
and
we
still
had
the
idea
to
actually
do
something
with
code
ql
as
well
in
the
labs
in
the
training
material
that
we
have.
So
it
might
be
definitely
good
to
get
somebody
again
in
from
them
to
yeah.
Also
get
that
started
again.
I
would
say
good.