From YouTube: OpenSSF Identifying Security Threats WG (June 21, 2023)
Description
Meeting notes: https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E
The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
B: Yeah, hey, let's have a white paper; hey, let's have a blog post. Let's have titles for these things. There's a lot of things that are blog posts. There are a lot of things that...

B: Yep, so, although I think, you know, we, I mean, we're coming off the AI working group, I guess nascent working group hoping to be, but there's already other folks. In particular, the, I mean, OS has got a small work, but in particular there's an LF AI & Data Foundation. It has a group that's doing security, so hey, wait.

B: We should talk. So Brian's making the connections, and I have interacted, I've interacted briefly with Ibrahim, but I haven't interacted with that particular working group because, oh my gosh, there are so many things one can be involved in.
B: Well, actually, there's a whole kids' show with that premise: Fairly Odd Parents.

B: And the thing is, it's a whole lot like the old Wile E. Coyote and Road Runner shows. You know it's gonna go badly, but...

A: Is, are we good? That was how.
B: Are we doing that last week? Yeah, that's so last week. All right, so let me, I'm sure we can do more, but the problem with that is that people are basically, if you just type it in. If you type it in, then people don't type in their names all the time, or, and if you do the shaded versus fully dark, it doesn't really translate to markdown.

B: Present name, org. We can also do the pronouns, please, that's an easy table to add, but right now I am just focused on, you know, getting something here.

B: And you know what, eventually the goal is to have tooling do this more, but...

B: AI isn't, but signing in through LFX with your SSO ID absolutely works.
A: But I can never see it. I can't even see who was invited to these.

A: Cool, okay, let's see, we don't have any new members here today. Project updates, who would like to go for it? I don't know if anybody really wants to. Maybe we'll start with dashboard, Jay. How is that going?
E: Well, that's what I, I wish I had something different than last week. I don't know, the last time we met, the new front-end person came on board. We go back into the survey that was done by Mike, and we...

E: You know that it was, like I said, a fantastic survey, so we dive back into that a little bit more, which will help out a lot with how we organize front-end development. Raul is still in the process of pushing code to the repo so that that can be seen there, but ultimately we're, you know, giving them time to work and get some things done for us to be able to show the working group towards the end of next month.
A: Awesome. I am curious, for the front-end dev, who's paying for that?

B: Alpha-Omega, Alpha-Omega. Oh, awesome, cool, that's great. I just, yeah, I know I'm actually not sure if that's OpenSSF funds or another bucket. I don't actually know what the [inaudible] is. But I do know that we are somehow involved with paying her.

A: Favorite, cool, okay, so a couple weeks, demo from sometime in July, I'm guessing, yeah.

A: Cool. Amir, it looks like we're good for...
B: Actually, if I may, real quick, yeah, so I actually have separately briefly talked with hurt as well. He's basically trying to, you know, I think he's trying to get things started. One thing he's really interested in is trying to figure out how to do more than just present raw numbers, but, you know, how can we, you know, be, I mean, I do think that presenting important numbers is useful all by itself, but he'd like to have something that's a little more.

B: You know, hey, this, you know, is this good? Is this bad? And I think what, after some brief discussions, what I'm coming away with, what he's coming away with, is trying to convert this, if nothing else, to a comparison-to-other-projects kind of score. So, you know, I don't know if 30 days is slow or fast as a response to vulnerabilities, but if almost everybody else does it in two and you're doing it in 30, that's not so good.
B: Would be that, that's exactly right now, and, you know, I could easily imagine maybe you'd be better if you grouped them by, you know, say maybe among all Python projects or whatever, but I think the notion, though, is, you know, how do we convert a raw number into something that provides more information? And while there are other ways to do it, I do think that zero versus one, one developer versus more than one.
A: The concept that OpenSSF can have an opinion and award kind of gold stars where we think that certain attributes are good. So the idea being, having more than one, more than one, you know, committer, it gets a gold star. Only one committer doesn't get the gold star, sorry. But then being able to, like, flip the card over or whatever the UI-like thing is to see that, oh, you have 47 committers, so you have one. You have zero outlets, unmaintained.

A: So if folks don't like where we've awarded gold stars, they can say, you know what, just show me the numbers, don't give me your opinions. And that way they can, especially through the API, they can make whatever different decisions they want. I think that would be useful.
B: You know, I don't know if you might always presume you saw the numbers. I think, Jay, you did too, or basically there's an incredibly large number of projects with exactly one developer.

B: Making that very clear that it's only one, that's not ideal; it's like 50% of all the projects we scan. So although that's not ideal, it's also not unusual, and I think that information is, makes it still helpful, even in the case where you don't like it. Maybe that's bad, but don't have a cow, don't overreact, because in fact this is a common situation.
A: You know, I'll say, I think the rattle here for a long time, but, like, the single-maintainer projects are kind of interesting because, like, I'm on the other end of it. A lot of projects that I work on, I'm the only dev on, and I think I would take offense, honestly, if someone called out my project as bad because nobody else contributed to it, because I'm like, well, yeah, that's what I've been screaming about.

A: Nobody wants to contribute to it, but then don't give me, you know, a demerit, because, you know, like, if I'm actively doing something that's dangerous, or there's an obviously best practice that I could turn on but I choose not to, fine, like, and I could disagree with your thing, but, like, I don't go so far as to say, like, that's discriminatory, but, like, it is kind of like the person...

A: The maintainer is exactly the opposite of the class of individuals that you want to be giving the demerit to. Well, for single-maintainer projects, they are the only person that showed up, so yeah. But at the same time, I also get it from an organization's perspective: if I'm gonna put something in a self-driving car or whatever and I know that it's just one person behind it, that should give me pause in whether or not I'm willing to take that risk.

A: Another example would be, I release all my code on CPAN. I have no idea if this is true, but let's just assume that CPAN does not support two-factor auth in any way for publishing packages. I have no control over that. I cannot influence that as a maintainer.
B: Let me push back, but only slightly. I agree with you. You should not be penalized because repo X, let me not say CPAN, because I don't actually know; I wouldn't be surprised that it did support it. So, but...

B: I know exactly what you're talking about, so let's carry on, but let's say repo X doesn't support 2FA, or, hey, you only have one person on your project. Okay, from the point of view of the recipient, it really is a risk. Okay, it's not that that's not relevant. It is. However, there is a difference, because, as you mentioned, it's not something you can easily or directly control.

B: I think in both cases there are things you can do, things like take steps, you know, make your READMEs better and your documentation better so it's easier for people who might be interested to figure out how to come on board. For CPAN, you can yell at CPAN, or whatever the repo is, if they don't support 2FA, and yell and say, hey, support 2FA. But you can take steps to increase the likelihood and still not cause the effect you want, right, right. So I think that, I think...
A: And honestly, like, even I don't know how maintainers are captured in, like, Scorecards and whatnot, like, I don't know if it's just, like, someone who had a commit merged, like a distinct number of individuals with a commit that they authored merged in the past time frame. But, like, if there's only one person that actually owns the merge button, then there's only one actual, like, I don't know, call them a maintainer or an owner, but, like, there's only one controller there, and oftentimes, you know, they go away or stop caring or whatever, like.
B: Okay, so it seems to me, and it's Jay, so I'm trying to figure out how to turn this into an action. I think, Jay, what this suggests, and I bet there's a whole lot of little points like this, is there probably should be a link on, like, the metrics dashboard to the caveats, and stick this on the caveats page.
E: I mean, we talked about that some time ago, about making sure that there were clear definitions, clear, you know, understanding of what each piece of data represented, and then, of course, what was there, what wasn't there, why it wasn't there, all that kind of stuff. And we talked about that some time ago, yeah.

E: A page that just talks about, real quick, hey, this is what it is. This is what it isn't. This is what you'll find here. This is what you won't find here, and, you know, if you have a suggestion on how we can include things that should be found here that are not here, please send a message to boom, right? And probably do that. I mean, that'll help solve that problem, because caveats is like, you can add those, but, you know.

E: Like I said, all that spawns from what, that's... That survey is great, and David's right. There were a couple of revelations that came out of it that lend themselves to say, well, wait a minute. What exactly are we showing here? How does this differentiate from what's already out there?
A: Cool. Speaking of dashboards, do we think, so the current metrics that OpenSSF work hasn't been updated in a long time? Does that make sense, just to redirect that link someplace else? I'll...

A: Totally, totally good, awesome. Let's see, what's next? Anything else on dashboard?

A: Cool. Security reviews, Amir, are we, all the bugs have been fixed, right? All the build nonsense stuff.
D: So that's my update earlier in the meeting. I was messing around a little bit on the repo, and it looks like that little hyphen in front of organization, when you go to the markdown generator process, for some reason it's just not, it's not getting that in there still, so I think this...

D: The automated test, due to the same problem we had with the other one.

A: The top of the YAML file looks like they were, so, so sorry, there's a, so PR 88, right? Yes.

D: So this, this right here, the Python.
A: You do that, it should generate it, or you can obviously modify it yourself, and if you want me to review and approve or merge or whatever, like, we can get some of these updated. Okay, 88, the PR was 88. The bug is 87.

D: Cool, yeah, okay, so yeah. This should hopefully fix that then, and then I'll continue to kind of clean up the repo a little bit. I do still plan on kind of going through it a little better and cleaning it up some more, especially as the dashboard develops more, because I know that the content will be feeding into it. So we'll definitely want to make sure everything is looking good there, that we're capturing everything that we want in a way that works.

D: So yeah, I'll finish getting this repo updated and then, as we talk more about the dashboard in the coming meetings, we can see if there are better ways to align the data we capture with what the output is intending to look like at the end. But yeah, hopefully, yeah, once we get these other ones in there, and I think, yeah. I still really want to go in and clean up that Core Infrastructure Initiative stuff and...

D: ...it out, or parse it out, rather. So yeah, overall so far so good, and yeah, I'll retest it now with the new code to auto-generate it correctly and test it out again and...
A: Cool. Luigi, threats paper: you want to chat about that a little bit?
F: Yeah, I have some updates, okay, about the Security Insights and the version 1.6 or two-point-something; we need to define this. In short, I've merged the two pull requests made with Jonathan in the Security Insights. Now the Security Insights is definitely more oriented to help, well, the maintainers and the researchers to have more information about automated tools and how the researchers can open pull requests or issues, or how the maintainers want to be involved in this kind of process.

F: It is quite basic. You can also define the sub path, and you can add comments for humans that want to read the file, so the scanner can scan but also look in. The maintainer cannot comment. There is just one open issue that is important at the moment: how we want to handle a reference for the date-time of the Security Insights. I need to talk, I would like to talk, I mean I want to talk with Jonathan about this because honestly I understand his point.

F: I am working still on my version, I mean on my Google Drive, but it is public; the link is in the channel, and now I'm writing about the process, where I have seen how we have previously brought that document and we explained threats but also suggest, or try to suggest, some improvement, especially for the package management maintainers.

F: But, for example, for the process, where, I mean, reading blog posts and especially one bike video, I guess it's hard to have suggestions just for the package manager system. I mean, there are some security suggestions also for the maintainers or for the companies that want to download the third-party packages, and so for now I am not writing, I'm...

F: Just at the draft paragraph for the mitigation on the proposal solution, or just because it is easier to communicate with the package management system; it can be more difficult to communicate with the community that needs to maintain something, that can be a company but also an organization or an open source project that just downloads the packages. So for that part, probably I will ask help and tag people.

F: But in this way I cannot have the people in the contact; if I share just the magic link without inviting the person, I cannot tag the person. Oh, good job, yes, yes, this is my problem, but just a minor problem, and it is, so I am presenting to write it. There are some new suggestions: I did, I am editing the document not directly on the document but just using the suggestions. So if you don't find the edits, it is because they are in the suggestion editor; I hope that people can see them.

F: The document is public with editor privilege for everyone, because I know that I can revert everything, yeah, and the link is in the channel. Other updates: no new updates about the security policy, but I need to write to the TAC this week. I hope that they finish [inaudible] call. I, yeah, I filled out at least the Security Insights partially, or the Security Insights slide in the presentation that someone asked me to fill out.

F: Probably you, I was on vacation that day. Yup, yeah, for the Security Insights I've written that one of the blockers that we have is the security policy. I mean, it was the slide where we asked the TAC for help, and one of the helps that we need is to have a way to approve a security policy that is both OpenSSF-wide and Linux Foundation-wide, and this is not easy, agreed.
A: Yeah, on the doc, so the link to the draft update doc. It looks like, I don't know, I don't know how this works, doesn't make any sense to me, but all of the images have all of the words gone.
F: Yeah, about the topic I asked, or I dreamed to ask: I don't know if we have a channel for AI topics, machine learning, in Linux Foundation. Okay, I am not able to find it.

F: So if someone can invite me or tag me in the channel, because I would like to introduce this document to the AI/machine learning channel. I think that today's topics are totally different. I have started to read some documents, and now we are seeing the first research about this, for example, that sometimes OpenAI's ChatGPT can suggest you typosquatted packages or something similar. So I think that introducing AI in the document is a good idea, but I think that it can be good enough to be discussing in another channel.
A: I posted a link to the channel. We meet every Wednesday, so we met earlier this morning. We are, as a working group, planning both a blog and a white paper. The white paper, my understanding is that it will focus on, like, AI and ML risks unique to either open source...

A: You know, maintainers or consumers or somehow personas associated with that. It wouldn't be insane to, like, actually have that content be part of the threats paper, because if it is about threat, risk and mitigation within the open source ecosystem, that's exactly what the white paper is talking about. So I mean, it may be better published standalone now, because AI is such a hot topic, and visibility and all that stuff, but conceptually it...
F: Yeah, I still, I don't know if we should have it or not. We can have just a short paragraph where we do a short summary and link to the other one. We can, I mean, because we are not interested just in all the threats related to machine learning; for example, open source machine learning projects are a topic. Machine learning used by developers to develop open source is another topic, with different threats, probably. So no opinion at the moment. I was just to say: hey.

F: We have this document where we want, where we have listed all the possible threats that we have identified in the open source ecosystem, and we want to know, we would like to understand how machine learning/AI can impact this kind of ecosystem, but just this kind of ecosystem. So I just wanted to launch this topic in the channel. Let's see what happens; in the meanwhile I continue to write the, the editing.

F: The document, to, I mean, following the issue that we have, I should write in the document that I am following the issue, and in July I have more time personally to write, so, awesome. Yeah, and no other updates.
F: I have a question: the presentation that, I mean, it was made one week ago, two weeks ago, not sure, yeah, it was for what, and what is the outcome from, well, the meeting, so?
A: Whatever, I'll, on a big, they usually do like two per session, so I think we get it about twice a year-ish. So last week was Identifying Security Threats, just an update on, like, where we are, what we've been up to, what we have coming up next. It's not, yeah, it's more of an inform than anything else, to give them some visibility into what we're up to, so that's what we did.

A: It isn't a good place for big asks or complex conversations or things like that, so for the security policy thing, those conversations are better as standalone, like, agenda topics for the TAC.
D: I was just going to chime in real quickly that I commented on your draft, Luigi, but I'd be happy to add some sections or some data to the security audit section, just based on some of our research and output over the last couple years, especially some of the stuff that has been essentially funded by OpenSSF, OpenSSF, so yeah.

D: If that sounds good to the group, I can start putting some things in, and then, if the group likes it, I can continue adding in more data and research and writing.
A: That sounds great, yeah. I would say, like, you know, for now: throw everything in the doc, like, that's great. I think having data to back up, like, you know, a stat like "projects that have undergone a security audit are X percent less likely to have a critical vulnerability in the next 10 years" would be, like, an amazing statistic to see.

A: Yearly update from OpenSSF, but it's a draft, throw everything in. Okay, cool.
C: I don't know, like, whether this is relevant, but just a little bit on, so I had meetings with Yesenia and the interns. They were showing the dashboard as it is right now, the pH portal as it is right now. What we are seeing, or what we have found out, so right now the data is not populated there, and we still have not created the mechanism of, so when we are updating the SARIF.

C: The dashboard is still not, like, populating the data from that, but that's probably going to be done pretty soon, yeah. What will probably not be done in time is the complex coordinated disclosure workflow. The idea is that will be done, so the work that we'll be starting to do from April 1, from July 1. What we were thinking of then: go back to our triage portal, which has done this to some extent, and then use that for now. We still need to do some work so that...
A: A lot of open source projects, triaging results and kind of owning the disclosure from, you know, from discovery through fix, as an experiment to see, like, how well does this stuff scale out. So that's what we were talking about, where we would like, you know, eventually the Omega triage portal to be a consumable resource for lots of security researchers doing these kinds of bulk-scale analysis. It's still, you know, the train has, like, two wheels. So, let's, you...
C: Know, just, yeah, and since this is, like, oh, this is the parent organization of the Alpha-Omega initiative. So that's why I was bringing this conversation, and we don't have any conversation before July 1, so just wanted to, so the expectation would be that we'll be doing some extension on our triage portal and making sure that we follow a subset of the coordinated disclosure. So we won't automate all of that stuff. Jonathan is already working on that. Once that is available it's going to be integrated.

C: We are going to use that, but we'll be just doing just enough so that it's workable. We are working on the PM, PBR way of reporting bugs, and then we'll be using that, so the work, or the active reporting, is probably going to start near the end of July or early August, as opposed to, like, from July 1, because the infrastructure is not ready. Are...
A: Be there, perfect. Then I will accelerate and make sure that I actually deliver my promise to get the Python library updated and the package on GitHub Packages updated with the latest bits so that it works as good as it can.

A: But obviously, if you run into places where it's spitting out nonsense, just ping me, file a bug or whatever, and we'll improve it. I think right now it's probably in the low 90s percent good, and the places where it fails are places where humans can't find it either. So, yes, yes, yeah.
A: All right, anything else? No, you guys got six, 17 minutes back. Going once, going twice. Thank you all, see you in two weeks. Wait, hold on, wait, wait! Wait, before we do! This, two weeks is July 4th. We're gonna, no, show, like, fifth, so we are okay. I'm gonna be off for the following two weeks, the 19th of July and the second. So maybe we'll just do this now. Is there anybody that will be around on either July 19th and the second who would just be willing to run this, run?