►
From YouTube: OpenSSF Identifying Security Threats WG (June 21, 2023)
Description
Meeting notes: https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E
The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
B
B
B
Yep,
so,
although
I
think
you
know,
we
I
mean
we're
coming
off
the
AI
working
group,
I
guess
nascent
working
group
hoping
to
be,
but
there's
already
other
folks.
In
particular
the
I
mean
OS
has
got
a
small
work,
but
in
particular
there's
an
Alf
Ai
and
data
Foundation.
It
has
a
group,
that's
doing
security,
so
hey
wait.
B
C
B
C
B
D
B
Are
we
doing
that
last
week?
Yeah,
that's
so
last
week,
all
right,
so
let
me
I'm
sure
we
can
do
more,
but
the
problem
with
that
is
that
they
people
are
basically,
if
you
just
type
it
in.
If
you
type
it
in
then
people
don't
type
in
their
names
all
the
time
or
and
if
you
and
if
you
do
the
the
Shaded
versus
fully
dark,
it
doesn't
really
translate
to
markdown.
E
D
B
B
A
B
A
E
B
E
D
A
D
B
Actually,
if,
if
I'm,
if
I
may
real
quick
yeah,
so
I
actually
have
separately
briefly
talked
with
hurt
as
well
he's
basically
trying
to
you,
know,
I
think
you're
trying
to
get
get
things
started.
One
thing
he's
really
interested
in
is
trying
to
figure
out
how
to
do
more
than
just
present
raw
numbers,
but
you
know
how
can
we,
you
know
be
I
mean
I
I,
do
think
that
presenting
important
numbers
is
useful
all
by
itself,
but
but
he'd
like
to
have
something.
That's
a
little
more.
B
You
know
hey
this,
you
know.
Is
this
good?
Is
this
bad
and
I
I
think
what,
after
some
brief
discussions
when
I'm
coming
away?
What
he's
coming
away
with
is
trying
to
convert
this
if
nothing
else,
to
a
comparison
to
other
projects
kind
of
score,
so
you
know
I,
don't
know
if
30
days
is
slower
fast
as
a
response
to
vulnerabilities,
but
if
almost
everybody
else
does
it
in
two
you're
doing
it
in
30.
That's
not
so
good.
A
B
Would
be
that
that's
exactly
right
now
and,
and
you
know
I
could
easily
imagine,
maybe
you'd
be
better
if
you
grouped
them
by
you
know,
say
maybe
among
all
python
projects
or
whatever,
but
I
I
I.
Think
the
notion,
though,
is
you
know
you
know
how
do
how
do
we
convert
a
raw
number
into
something
that
provides
more
information?
And
while
there
are
other
ways
to
do
it,
I
I
do
think
that
Zero
versus
one
can
one
developer
more
versus
more
than
one.
A
The
concept
that
open
ssf
can
have
an
opinion
and
an
award
kind
of
gold
stars
where
we
think
that
certain
attributes
are
good,
so
the
idea
being
having
more
than
one
more
than
one.
You
know,
committer
it
you
get,
gets
a
gold
star.
Only
one
committer
doesn't
get
the
gold
star,
sorry,
but
then
being
able
to
like
flip
the
card
over
or
whatever
the
UI
like
thing
is
to
see
that,
oh,
you
have
47
committers,
so
you
have
one.
You
have
zero
Outlets
unmaintained.
A
B
B
C
B
Making
that
very
clear
that
it's
only
one
that's
not
ideal,
it's
like
50
of
all
the
projects
we
scan.
So,
although
that's
not
ideal,
it's
also
not
unusual
and
I
think
that
information
is
act,
makes
it
still
helpful,
even
in
the
case
where
you
don't
like
it.
Maybe
that's
bad,
but
don't
don't
have
a
cow,
don't
overreact,
because
in
fact
this
is
a
common
situation.
I.
B
F
A
You
know
I'll,
say
I,
think
the
rattle
here
for
a
long
time,
but
like
the
the
single
maintainer
projects,
are
kind
of
interesting
because,
like
I'm
on
the
other
end
of
it,
a
lot
of
projects
that
I
that
I
work
on
I'm,
the
only
on
the
only
Devon
and
I
would
I
think
I
would
take
offense
honestly
if
someone
called
out
my
project
as
bad,
because
nobody
else
contributed
to
it
because
I'm
like
well
yeah.
That's
what
I've
been
screaming
about.
A
Nobody
wants
to
contribute
to
this
to
it,
but
then
don't
give
me
the
you
know
a
demerit,
because
you
know
like,
if
I'm
actively
doing
something,
that's
dangerous,
or
this
obviously
best
practice
that
I
could
turn
on.
But
I
choose
not
to
fine
like
and
I
could
disagree
with
your
thing
but
like
it
like
I,
don't
go
so
far
as
to
say
like
that's
discriminatory
but
like
it
is
kind
of
like
the
person.
A
The
maintainer
is
exactly
the
opposite
of
the
class
of
individuals
that
you
want
to
be
giving
the
demerit
to
well
for
a
single
single
container
projects.
They
are
the
only
person
that
showed
up
so
yeah,
but
at
the
same
time,
I
also
get
it
from
from
from
an
organization's
perspective,
if
I'm
gonna
put
something
in
a
self-driving
car
or
or
whatever
and
I
know
that
it's
just
one
one
person
behind
it.
That
should
give
me
pause
in
whether
or
not
I'm
willing
to
to
take
that.
Take
that
risk.
A
A
B
C
B
I
know
exactly
what
you're
talking
about
so,
let's
carry
on,
but
let's
say
repo
X
doesn't
support
2fa
or
hey.
You
only
have
one
project
on
one
person
on
your
project.
Okay,
from
the
point
of
view
of
the
recipient.
It
really
is
a
risk.
Okay,
it's
not
that
that's
not
relevant.
It
is,
however,
there's
a
if
there
is
a
difference,
because,
as
you
mentioned,
it's
not
something
you
can
easily
or
directly
control,
I.
B
Think
in
both
cases
there
are
things
you
can
do
things
like
take
State,
you
know
make
your
read
means
better
in
your
documentation
better.
So
it's
easier
for
people
who
might
be
interested
to
figure
out
how
to
come
on
board
for
cpan
you
can
yell
at
cpan
or
whatever
the
repo
is.
If
they
don't
support,
2fa
and
yellow
and
say,
hey
support
2fa,
but
you
can
take
steps
to
increase
the
likelihood
and
still
not
cause
the
effect.
You
want
right
right,
so
I
I
think
that
I
I
think.
B
A
D
F
D
B
Okay,
so
it
seems
to
me-
and
it's
Jay
so
I'm-
trying
to
figure
out
how
to
turn
this
into
an
action.
I
I
think
Jay.
What
this
suggests
and
I
bet
there's
a
whole
lot
of
little
points
like
this.
There
probably
should
be
a
link
on
like
the
metrics
dashboard
of
the
caveats
and
stick
this
on
the
caveats.
Page.
E
I
mean
we
talked
about
that
some
time
ago
about
making
sure
that
there
were
clear
definitions,
clear
you
know,
understanding
of
what
each
piece
of
data
represented
and
then
and
then,
of
course,
what
was
there?
What
wasn't
there?
Why
it
wasn't
there
all
that
kind
of
stuff?
And
we
talked
about
that
about
that
some
time
ago,
yeah.
D
E
Page
that
that
just
talks
about
real,
quick,
hey-
this
is
what
it
is.
This
is
what
it
isn't.
This
is
what
you'll
find
here.
This
is
what
you
won't
find
here,
and
you
know
if
you
have
a
suggestion
on
how
we
can
include
things
that
that
that
should
be
found
here
that
are
not
here.
Please
send
message
to
boom
right
and
probably
probably
do
do
that
I
mean
that'll
help
solve
that
problem.
Because
caveats
is
like
you
can
add
those,
but
you
know.
E
Like
I
said,
all
I
mean
all
that
spawns
from
what
what
that's
that's.
That
survey
is
great
and
David's
right.
There
were
a
couple
of
Revelations
that
came
out
of
it,
that
that
lends
itself
to
say
well
wait
a
minute.
What
exactly
are
we
showing
here?
How
does
this
differentiate
from?
What's
already
out
there.
C
A
F
C
B
C
B
A
D
D
D
B
D
A
D
A
D
Cool
yeah,
okay,
so
yeah.
This
should
hopefully
fix
that
then,
and
then
I'll
continue
to
kind
of
clean
up
the
repo
a
little
bit
I
do
still
plan
on
kind
of
going
through
it
a
little
better
and
cleaning
it
up
some
more,
especially
as
the
dashboard
develops
more
because
I
know
that
the
content
will
be
feeding
into
it.
So
we'll
definitely
want
to
make
sure
everything
is
looking
good.
There
we're
capturing
everything
that
we
want
in
a
way
that
works.
D
So
so
yeah
I'll
finish
getting
this
repo
updated
and
then,
as
as
we
talk
more
about
the
dashboard
in
the
coming
meetings,
we
can
see
if
there's
better
ways
to
align
the
data
we
capture
with
what
the
what
the
output
is
intending
to
look
like
at
the
end,
but
yeah,
hopefully
yeah
once
we
get
these
other
ones
in
there
and
I
think
yeah.
The
I
still
really
want
to
go
in
and
clean
up
that
core
infrastructure
initiative,
stuff
and.
E
A
F
Yeah
I
have
some
updates:
okay
about
the
security
side
and
the
version
1.6
or
true
point
something.
We
need
to
Define
this
in
short,
I've
merged
the
trooper
requests
made
with
Jonathan
in
for
the
in
the
executing
sites.
Now
the
security
size
is
definitely
more
oriented
to
help
well,
the
maintainers
and
the
researcher
to
have
more
information
about
automated
tool
and
how
the
researcher
can
open
pull,
request
or
issue
or
how
they
maintaining
one
to
be
involved
in
this
kind
of
brushes.
F
It
is
quite
basic.
You
can
also
Define
the
sub
path
and
you
can
add
comment
for
human
that
want
to
read
the
file,
so
the
scanner
can
scan
and
but
also
look
in.
The
maintainer
cannot
comment.
There
is
just
one
open
issue
that
is
important
at
the
moment.
How
we
want
to
handle
a
reference
for
the
daytime
of
the
security
insights.
I
need
to
talk.
I
would
like
to
talk.
I
mean
I
want
to
talk
with
Jonathan
about
this
because
honestly
I
understand
his
point.
F
F
But,
for
example,
for
the
process,
where
I
mean
reading
blog
post
and
especially
one
bike,
video
I
guess
it's
hard
to
have
suggestions
just
for
the
packet
manager
system.
We
I
mean
there
are
some
security
suggestions,
also
for
the
maintainer
or
for
the
company
that
want
to
download
the
third
party
packages
and
so
for
now.
I
am
not
writing
I'm.
F
Just
at
the
draft
paragraph
for
the
mitigation
on
the
proposal
solution
or
just
because
it
is
easier
to
communicate
with
the
packages
managed
system,
it
can
be
more
difficult
to
communicate
with
the
community
that
need
to
maintain
something
that
can
be
a
company,
but
also
an
organization
or
an
open
source
project
just
download
the
packages.
So
for
that
part,
probably
I
will
ask
help
and
tag
people.
F
F
F
But
in
this
way,
I
cannot
have
the
people
in
the
contact
if
I
share
just
the
magic
link
without
invite
the
person
I
cannot
tag
the
person-
oh
good
job,
yes,
yes,
this
is
my
problem,
but
just
a
minor
problem
and
it
is
so
I
am
presenting
to
write
it.
There
are
some
new
suggestion:
I
did
I
am
editing
the
document
not
directly
on
the
document,
but
just
using
the
suggestion.
So,
if
you
don't
find
the
edit
is
because
our
in
this
suggestion,
editor
I
hope
that
people
can
see
them.
F
The
document
is
public
with
editor
privilege
for
everyone,
because
I
know
that
I
can
revert
everything
yeah
and
the
link
is
in
the
channel.
Other
updates,
no
new
updates
about
the
security
policy,
but
I
need
to
write
to
the
attack
this
week.
I
hope
that
they
finish
down
call
I,
yeah
I
filled
out
at
least
the
security
insight
partially
or
the
security
side.
While
they
choose
light
in
the
presentation
that
someone
asked
me
to
fill
out.
F
Probably
you
I
was
on
vacation
that
day,
yup
yeah
for
the
security
insights,
I
written
that
one
of
the
blockers
that
we
have
is
the
security
policy.
I
mean
it
was
the
the
the
square
where
we
asked
to
the
attack
for
help,
and
one
of
the
help
that
we
need
is
to
have
a
way
to
approve
a
security
policy
that
bought
up
an
ssf
like
and
Linux
Foundation
like,
and
this
is
not
easy
agreed.
A
C
D
B
A
A
F
F
So
if
someone
can
invite
me
or
tag
me
in
the
channel,
because
I
would
like
to
introduce
this
document
to
the
AE
slash
machine,
Learning,
Channel
I
think
that
today,
topics
totally
different
I
have
I
start
to
read
some
documents,
and
now
we
are
seeing
the
first
research
about
this,
for
example,
that
sometimes
the
open,
AI
trageddp
can
suggest
you
type
of
squats
the
package
or
something
similar.
So
I
think
that
introduce
the
AI
in
the
document
is
a
good
idea,
but
I
think
that
it
can
be
good
enough
to
be
discussing
another
Channel.
A
A
You
know
maintainers
or
consumers
or
somehow
personas
associated
with
that
it
wouldn't
be
insane
to
like
actually
have
that
content
be
part
of
the
threats
paper,
because
if
it
is
about
threat,
risk
and
mitigation
within
the
open
source
ecosystem,
that's
exactly
what
the
white
paper
is
talking
about.
So
I
I
mean
it.
It
may
be
better
published
Standalone
now,
because
AI
is
such
a
Hot
Topic
and
visibility,
and
all
that
stuff,
but
conceptually
it.
F
Yeah
I
still
I,
don't
know
if
we
should
have
or
not.
We
can
have
just
a
short
paragraph
where
we
do
a
short
summary
and
link
to
the
other
one
we
can
I
mean
because
we
are
not
interested
just
to
all
the
threat
related
to
machine
learning,
for
example,
open
source
machine
learning
projects
are
a
topic.
Machine
learning
used
by
developer
to
develop
open
source
is
another
topic
with
different
threats,
probably
so
no
opinion
at
the
moment.
I
was
just
to
say:
hey.
F
We
have
this
document
where
we
want,
where
we
have
listed
all
the
possible
threats
that
we
have
identified
in
the
open
source
ecosystem
and
we
want
to
know.
We
would
like
to
understand
how
the
machine
learning
slash
I
can
impact
this
kind
of
ecosystem,
but
just
this
kind
of
ecosystem,
so
I
just
wanted
to
launch
this
topic
in
the
channel.
Let's
see
what
happened
in
the
meanwhile
I
continue
to
write
the
the
editing.
F
F
A
Whatever
I
I'll
on
a
big,
they
usually
do
like
two
per
session,
so
I
think
we
get
it
about
twice
a
year.
Ish
so
last
week
was
identifying
security
threats,
just
update
on
like
where
we
are,
what
we've
been
up
to
what
we
have
coming
up.
Next,
it's
not
yeah
it.
It's
it's
more
of
an
inform
than
anything
else
to
give
them
some
visibility
into
what
we're
up
to
so
that's
what
we
did.
A
A
That
sounds
great
yeah
I
would
say,
like
you
know,
for
now:
throw
everything
in
the
dock
like
that.
That's
great
I
think
the
having
having
data
to
back
up.
Like
you
know,
a
stat
like
projects
that
have
undergone
a
security
audit
or
X
percent.
Less
likely
to
have
a
critical
vulnerability
in
the
next
10
years
would
be
like
an
amazing
statistic
to
see.
D
C
The
the
dashboard
is
still
not
like
populating
the
data
from
that,
but
that's
probably
going
to
be
done
pretty
soon
yeah.
What
will
probably
not
be
done
in
time
is
the
complex,
coordinated
disclosure
workflow.
The
idea
is
that
will
be
done
so
the
work
that
we'll
be
starting
to
do
from
April,
one
from
July
1.
What
we
were
thinking
of
then
go
back
to
our
triage
portal,
which
has
done
this
to
some
extent
and
then
use
that
for
now
we
still
need
to
do
some
work
so
that.
A
A
lot
of
Open
Source
projects,
charging
results
and
kind
of
owning
the
the
disclosure
from
you
know
from
from
Discovery,
through
fix,
as
an
experiment
to
see
like
how
well
does
this
stuff
scale
out.
So
that's
what
we
were
talking
about
on
where
we,
while
we
would,
we
would
like
you,
know
eventually
the
Omega
triage
portal
to
be
a
consumable
resource
for
lots
of
security
researchers.
Doing
these
kind
of
bulk
scale
analysis.
It's
still,
you
know
the
the
the
the
the
train
has
like
two
wheels.
So,
let's
you.
C
Know
just
yeah,
and
since
this
is
like
oh,
this
is
the
parent
organization
of
the
AO
in
English.
So
that's
why
I
was
bringing
this
conversation
and
we
don't
have
any
any
conversation
before
July
1
so
just
wanted
to
so
the
expectation
would
be
that
we'll
be
doing
some
extension
on
the
on
our
Triad
portal
and
making
sure
that
we
follow
a
subset
of
the
coordinated
disclosure.
So
we
won't
automate
all
of
that
stuff.
Jonathan
is
already
working
on
that.
Once
that
is
available
is
going
to
be
integrated.
C
We
are
going
to
use
that,
but
we'll
be
just
doing
just
enough
so
that
it's
workable.
We
are
working
on
the
PM,
PBR
way
of
of
reporting
bugs
and
then
we'll
be
using
that
so
the
the
work
or
the
active
reporting
is
probably
going
to
start
near
the
end
of
July
or
early
August,
as
opposed
to
like
from
July
1,
because
the
infrastructure
is
not
ready
are.
C
A
But
obviously,
if
you,
if
you
run
into
places
where
it's
spitting
out
nonsense,
just
ping
me
your
final
bug
or
whatever
and
we'll
improve
it,
I
think
right
now,
it's
probably
in
the
probably
in
the
low
90s
percent
good
and
the
places
where
it
fails
or
places
where
humans
can't
find
it
either.
So,
yes,
yes,
yeah.
C
A
All
right
anything
else,
no,
you
guys
got
six
17
minutes
back
going
once
going
twice.
Thank
you
all
see
you
in
two
weeks
wait
hold
on
wait,
wait!
Wait
before
we
do!
This
two
weeks
is
July
4th.
We're
gonna
no
show
like
fifth,
so
we
are
okay,
I'm
gonna
be
off
for
the
following
two
weeks:
the
19th
of
July
and
the
second.
So
maybe
we'll
just
do
this
now.
Is
there
anybody
that
will
be
around
on
either
July
19th
and
the
second
who
would
just
be
willing
to
run
this
run?