From YouTube: OpenSSF Identifying Security Threats WG (March 2, 2022)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
B: Mr. Dave, yeah, I think it was great. You know, she added that context of the enterprise. I mean, obviously she's from IBM, but I think her comments would have been similar for any large organization, frankly. But that representative of "hey, you know, this is what we're... this is the kinds of issues we're concerned about, this is what we're going to do next," I think it was very well received.

B: It was good to have. I mean, frankly, I have to admit, it seems to me, I mean, IBM has such a long history, it's so large, that I think there's a... I don't think anybody said it, but I think there's a case to be made: well, if IBM can do this, anybody can do this, because, you know, "oh my gosh, I can't keep track of everything because we're a large organization." Well, I'm not saying it's easy, but that doesn't mean you can't try to wrestle the snake down.

B: It's a little more focused than that. It's when you look at the contributions of the last year of the top, I think it was 100, I think it was the non-npm... it's a little more specific than that. Okay, but you know, but the overall point was that there's a relatively small number of developers who work on the most critical, on many of the most critical open source software components, critical at least in the sense of widely used.

B: I mean the Harvard one focuses on how widely it's used, not necessarily where it's used or, you know, is it well managed or not. They're just looking strictly at, you know, how widely is it used, but...
C: Yeah, I wonder if those developers would be interested, if they would be a good target for us to maybe talk to, or they might be a good source of information. Potentially, if that's something that makes sense, but I just thought that was a really interesting statistic. I mean, if we know who those developers are, they're doing most of the contributions. Maybe we...
B: I mean the only data we used for that analysis that wasn't public at the time was the Harvard list itself, which we, the LF, had, but obviously wasn't public yet. But now it is. Yeah, that data was actually just yanked straight from the... I think the original analysis was actually done by Mike Dolan, and I had done something similar, although Mike's was more pointed, so I like his better than my own. Yeah, but it's just using pure data from git.

B: You know, from the version control systems, which I think for all the top ones is git, so, you know, it's all public information, at least as far as that goes. Now, their email addresses may or may not be public, but for the most part they are too, and they're an obvious target for things like MFA tokens. I mean target in a good sense. You know, they're...
B: I think ends up on the report because... so yeah, so happy to introduce, happy to do all that stuff, absolutely. But Frank Nagle's the... oh, what's his title? As a PM, but basically he's the research lead. He has a small team.

B: Happy to, you know. But, and not only is their report public, but they have separately posted as CSV files their specific results of, you know, ordered, you know, hit for each category. Here's the list of the most widely used projects through different measures. You can just click and download.
B: Yeah, yeah, and by the way, somebody else organized that, but that data, that CSV data, is hosted by an organization who does this, I guess, as a primary task, and their goal is to make sure that this is archived and it sticks around. We don't want this data to go away.

B: Okay, I was only allowed... I was only able to be at half of that because it overlapped with my presentation. I felt I should show up for my own presentation, but...

B: David, the second half was similar to the first half. There wasn't anything like that. I was shocked, but they are focused only on evaluating Linux distributions. It's not general at all, and I can't imagine who this is for. Most people who are going to choose a Linux distro have already done that. I mean, occasionally you choose a new one for something, but...
F: I think there is value, so in the way that I think I wrote this in the chat. You know, we talked about this a little bit at the meeting, but like the difference between these are facts about how a distribution... and you could, I mean, I think you could extrapolate from distribution to, like, I don't know, the Apaches of the world or any kind of larger-than-one-project group. These are facts about how they run their process.

F: These are facts about, like, durations of vulnerability exposure and things like that. I think once you add in the "and this is red" or "this is good, this is bad," because you don't have enough kind of business-level context on it, you wind up... I mean, organizations are free to express that opinion, but I think that's where you get kind of mired in arguments on, like, "well, you know, this isn't meant for critical systems."
B: Yeah, I mean, you're certainly not going to get an argument from me that metrics are valuable when making decisions. I'll help you make that argument, having written a whole bunch of measurement papers for things. But on the other hand, I mean, they clearly have a very specific focus. For example, though, they showed off a lot of their measures with things like "here are detailed measures of exactly how they've configured OpenSSH."

B: Now, I actually think that does make sense if you're comparing two different distributions. That's the primary way of getting in for admin, so measuring that for that particular kind of product is quite sensible. I'm not saying they're wrong, but what I'm saying is that that only applies for measuring this particular kind of product. 99.999 percent of the time, this is not one of the decisions you need to make. It's a highly focused kind of decision that most people have already made. So, and now the other ones that are more general...

B: I look at that now. I only saw half, but, like, the one they showed off is: oh look, you know how many commits were in the last year, and zero commits is red. Well, okay, you can color code that, sure, I agree with you, you can color code it. Does that mean it's risky? No, not necessarily at all. I understand why you want to make it risky.

B: I would agree that that's worth a look, but basically, I leave with a... they're measuring something that I'm sure is important to somebody, but it's hard. I don't know anyone for whom this is useful, but if they have a customer, great, carry on. Yep.
F: Yeah, and so I think in general, like, I support the idea of, like, there should be more thinking on this, because there probably is a "there" there in terms of how to measure things, and, you know, I mean, Scorecard does it, CHAOSS does it, sure, try to do it, like, it's all good stuff. I'm not...

B: Objecting to metrics, but the thing is, if you're, you know, if they've got a great new idea, great, let's learn about it, but they have a very specific focus, and that's okay. I mean, but I just can't... that's not my focus, and I'm struggling to find how many people for whom it is the focus. Jeff works and speaks for IBM, but I'm guessing that choosing between Linux distros is not top of mind for IBM.

A: Cool, cool. All kidding aside, we love all the major distro platforms, staunchly agnostic, because we support our customers' choice, so whether they're a SUSE...
F: If the target was, you know, "I am a Debian maintainer and I can see that Fedora's default configuration is different than mine, and I have, you know, six months that I can spend kind of digging into the differences and understanding why and the rationale," and be like, "oh, I totally forgot to, like, disable X11 forwarding," right.

B: If you're making a decision, this kind of data could be very useful. I'm not arguing that. It's just that I think most people today, they're overwhelmed with hundreds and thousands of open source software components within their systems, and, frankly, even if you have a Linux distro within your system, increasingly it looks like one component, and, you know, I'm sure for folks, talking to folks 30 years ago...

B: They'd say "what the heck," but, you know, open source is so widely scaled now that this is just one of a very, very large number of decisions. So yes, it's useful information when you're making that decision, but there are so many other decisions that need to be made that this just doesn't... it only works... it's such a narrow problem. So that, and I don't mean to cast shade on them, not at all. Yeah, and I also agree that the whole "hey, it hasn't been committed, therefore it's automatically a risk"...
E: So, Mike, just very briefly, I was wondering if Drew and I could quickly bring up something that fell off the meeting agenda at the end of the previous meeting, partly because it's very quick and it's a bit time sensitive. So, you know, in a decent display of how fast academia moved, three months after you brought up the topic of damaging and aggressive bug reports...

E: What do you think are relevant aspects of this, of the problem that you brought up, that we should investigate, and also, if you have any people you think we should reach out to, most likely in the vulnerability reporting group, that could be interested in talking to us about this? Sure.

E: First sentence: I have the same problem. Oh, the first, the first sentence. I don't remember, I was the biggest...
G: So, for context for everyone, it's probably just worth bringing up what it is we're trying to do, which is: there is this discussion about these sort of, what I think we call bad bug reports, or, like, maybe abusive, inappropriate, that's awesome, I guess.

E: Jerk being the key word here. So yeah, so we're trying to, you know, we're a student looking into this issue, and we're trying to, you know, get feedback from people. What do they think is the important... what exactly is the problem, and whether there are people we should talk to within OSSF. Since, Mike, you brought up this problem a few months ago, you know, do you have any perspective on this?

F: So I mean I have lots of perspective. I haven't done a lot of thinking about it, so it's really important, number one, because, as we... well, selfishly, as part of Alpha-Omega, I would like to have a repeatable, well-articulated process for, you know, reporting vulnerabilities. So making sure that we don't report... you know, that we aren't jerks when we report vulnerabilities is important, but I think more generally, I mean, yeah, so the feedback that we got from a couple of large organizations...

F: That is that this is actually a problem, and, you know, it's falling on volunteers that, you know, are kind of doing their best, getting a truth that really weird where it's coming from, am...
B: You know what, I suspect what's happened is it's basically partially disconnected, it's on pause. So anyway.

F: We're okay, anyway. I'm sorry, Jeff, your hand's up.

A: Yes, I was just going to mention that we actually recently added guidance to IBM developers and product managers as to how to approach an open source community about a CVE, and to do it in a way such that you are sensitive to the fact that, you know, it's a community project that could be understaffed. Don't show up and just expect to demand action and get a fast result. You know, what kind of relationship does IBM have with the community? Are there existing connections and how...

A: ...you can follow to try and pursue this, and whatever you do, don't just drop a CVE out there without trying to give them a courtesy heads-up prior to doing so, so that you're not causing fire drills and/or exposing vulnerabilities prematurely.
B: Would you be willing... I'm sorry, no, go ahead. Okay, would you be willing to donate that doc or a summary of it to OpenSSF? In particular, I bet maybe the OpenSSF Vulnerability Disclosures group already released a document for open source projects, but it sounds to me that this is focusing on the researchers, the folks who find it, and I think that's the audience that's kind of missing. You know, and it's more than "don't be a jerk."

A: Like you said, in that part, here's what to be sensitive about and to have an appreciation for, because trying to alert an open source community with respect to a CVE is different from, say, approaching a, you know, private enterprise who has a similar problem.

F: I mean, I think the two naturally are like two sides of the same coin, so having the coordinated... the CVD guide include, like, you know, have another doc or same doc, different section, but, like, have it be from the perspective of the maintainer: this is your world. From the perspective of the security researcher: this is your world. And maybe from a, like... I don't know where we're kind of the enterprise view, like, because they could be both, but focused.

B: I would suggest they be two separate docs, because you don't want to read... you know, if you're in one role you don't want to have to read the other one, but within the same group and coordinated, same repo, same... yeah, something like that, where they're coordinated, I think would be good. Now.
E: Sure, he's gonna love that, and in general, yeah, we're gonna go out and ask a bunch of questions to open... to maintainers who have been on the receiving end of sort of negative attitudes. But if anyone is, you know, of those folks in the meeting, or even after the meeting offline, if any interesting or relevant observation that they think we should be aware of...

E: You know, in terms of the specific things we should be looking for or asking or be aware of, I guess both Drew and I are very interested in hearing more opinions about this, and I know people sometimes have very strong opinions about such things.

G: And one thing that I want to be clear on: like, we're really interested in best practices for sure, and, like, you know, maybe helping to define what that is, but also we really want to characterize how big of a problem it is. You know, what's the scope, how frequent is it, how are people jerks, you know? So that's a part of it that is, you know, kind of a data-gathering element, and having connections to the kinds of people you can ask those questions to would be really helpful. So just one...
B: And now, how are people jerks? I can give you a few specific examples. Others may see some others, but a couple quick ones I see is very much entitlement. You know, "I sent you an email, send me a million dollars. Why haven't you sent it yet?"

B: You know, the sense of "I did anything at all, therefore I expect you to, you know, give me money, give me things," when that was never on offer, and so on. Another thing that I've often seen is gross misunderstandings of what's a vulnerability. Both the ella, the elephant... Apache have... Apache have already whined to each other, not wine, but basically the "oh look, it's another report that our source code is visible to the public."

B: Okay, there's a remarkable number of people where they'll report that "hey, source code visible to public, your email addresses are public."

B: The, you know, "your website has a misspelling." You know, it's just, you know, not a vulnerability. I need, like, in the negative, "not a vulnerability," for a lot of these, and I think part of it is that there's... and several folks who, I think, in many cases are not primarily English speakers, who think that reporting something, that claiming a vulnerability, is a quick way to make some money.

B: And it's not. You know, and I mentioned the not-necessarily-English speakers because I think they struggle to understand the materials that they're reading. It's not being spoon-fed. Yeah, and bug bounties doing programs to encourage this.
F: I would say just kind of unreasonable timelines. You know, not... you know, from my perspective, like, working with the project as being different. So if I report a vulnerability to, I don't know, a bank or Toyota or my employer, you know, I expect a certain level of commitment that, like, you know, there's a promise because they're selling the thing. If I report the same vulnerability to OSS...

F: Perhaps my expectations should be different, but I don't know that that's... but at the same time people use OSS in critical systems. So, like, I think there's an argument there on, like, should there be different expectations when reporting things to a pure open source project versus a commercially backed open source project? What is 90 days? Have we just accepted as an industry that 90 days is the number? Does that apply in all except extreme cases?

B: Yeah, I don't think that there's one number that will always make people happy, but I think, you know, "I expect you to fix this tonight" is often not reasonable. So how's this: we can at least say so. I added this to our notes: entitlement, not a vulnerability, and ridiculous time frames.
F: Yep, and actually just, I mean, so when I was talking with this other party that was describing this, they used the word "threats," and I don't know if they meant threats-threats or, like, just being kind of a bully. Digging into that and actually seeing, like, you know, because, you know, when you're on the internet nobody knows who you are. People are jerks in Facebook forums, why wouldn't they be jerks when they're reporting vulnerabilities, and at what point, you know, like?

E: Okay, I'm just gonna say, if you can think of specific people that, you know, that may be interesting, and again, I know it's, you know, I don't think... I know it's, like, awkward to tell people, you know, to send more spam in the way of people. Yeah, you're a good, but, you know, we would be interested to be reaching out to those. I will connect you with a couple folks. Sounds great, I appreciate that.
J: Cool. I've often wondered about the difference between formal and informal projects when it comes to the standards of behavior in them. There doesn't seem to be a clear distinction, but I think, on average, the more formal projects have better standards of behavior among the community.

A: David misbehaving again and bullying, yeah. No, I totally understand and appreciate your comment, Sebastian, but this is true kind of across a series of different salient attributes, to use a fancy term for characteristics, right? More established projects that have higher participation rates and support from not just individuals but perhaps companies all have, you know, typically, better documentation, a higher likely chance of better overall structure and governance of those projects.

A: Better likely... you know, the higher the likelihood that they have a code of conduct of some type and that they are more responsive to their pull requests and other common elements, and so security would be a natural additional element where you would like to think that the more formal and/or established and/or mature and/or larger projects have better overall characteristics than informal or smaller or fledgling projects, or projects that are dominated by a BDFL.

J: I think that's where having projects collect together, well, into groups, and that needn't be an incorporated foundation, but I think just having the larger scale of participation makes standards improve just by sort of positive peer pressure. Everyone's trying to improve it, and so outnumber...

J: ...the people who are just there to, you know, make it awful for everyone else.
B: Yeah, and I do think that there's a blur. Many of the multi-organization projects started as somebody's single-person projects. I mean, both Python and Rust were essentially somebody's side project that grew a little bit. So yeah, but I think it is fair to say they're different, really.

B: What I try to tell open source projects is: just tell me how to report it, because then the researcher doesn't need... a researcher shouldn't be required to spend hours and hours of research trying to figure out how to contact a project to report something. I don't think the researcher is really required at all, or should be required, to understand the details of how a project processes a vulnerability report either. There should just be a way to do it in a reasonable way, and then they interact as they wish.

B: But yeah, Jeff, I mean, the better those reports can be... you know, if we could get these reporters to start on the right foot of "I'm here to help you," omitting all these problems, oh my gosh, that would help so many people.

F: I'm kind of... I'm sorry, Matt, your hand's been up for a while.
K: I know the problem that we've been discussing internally in IBM, in constructing our own bills of materials, is basically tracking the vulnerability relative to the bill of materials, or just tracking vulnerabilities separately and acknowledging that vulnerability tracking and the SBOMs, the source code, have different life cycles, and there's an acknowledgement in both standards...

K: ...bodies, SPDX and CycloneDX, and specifically CycloneDX I have been looking at a lot because of a new VEX format for vulnerability authoring documentation, and they acknowledge that the life cycle of the vulnerability can be very fast, and that you can actually say "I've acknowledged the vulnerability" as a state. I acknowledge it, I've investigated or I am investigating it, I'm fixing it. You know.

K: A lot of different states it tracks it through. I think that it would be good to provide, because we're looking for our own guidance in IBM of what we should do for these things. So we've come to a conclusion that, for, like, pull request builds, live builds or daily builds...

K: ...we would keep VEX reports separate and track the internal status internally, but when we actually publish a product at a release level, point level, version level, for customer consumption, then we would basically make sure that all the vulnerabilities that were published were in a closed state. I was running... and we were talking about printing guidance around closing, ensure that we got us around tracking that state relative to these bill of materials standards, perhaps.
J: Well, as a member of the SPDX working group, I can inform you that the defects reporting working group has just been formed, and they have their meeting later on today. So if you want to see how SPDX can do it, then quick, quick suggestion for that.

K: Yeah, I don't know if there's overlap with guidance or tooling or whatever it might be, but I think it starts here, saying, you know, you should report it in one of these standard formats, and/or give guidance how you would track it and report it, except basically, how do you make it public? How do you make that? How do you provide... if you ever want to provide live data, like "where are you at for the log4j fix?" You know, "we're investigating."
G: Group on this, this is great. I mean, I think, you know, we want to definitely continue some of these conversations, although maybe we don't need to take up the entire working group's time for that, but these are great pointers and we'll probably be doing some follow-up with some folks. If anything else learns, though...

E: Yeah, yeah, if you... again, as I said, say it one more time: let's stop! If you do know folks that are, you know, you think are interested in continuing this conversation, or you are interested in continuing your conversation, you know, I think that Drew's and my online presence is fairly easy to find, so do feel free to reach out to us. We don't want to bug everyone with this, but do feel free to reach...

F: Awesome, next topic. And I don't necessarily need an update, but, Luigi, anything on Security Insights?
L: Yes, I have continued to improve the schema. I think it is almost ready, and probably, I mean, I would like to coordinate, especially with OpenSSF and the Scorecard team, to launch it, after maybe a review from a different team, just to be sure that we are working the right way, and comments and feedback are very appreciated, because it's not so easy sometimes to see if there are issues. I can share the link here. I would like to add the... as I... everything that I was, like, channel.

L: I would like to add a comment section for some properties, and I would like also to create maybe a threat model, because I have seen the Scorecard has a threat model. They explain why they sometimes don't give you some points or similar, and especially if we want this file to be used by scanners, we need to explain clearly what are the risks of using this file. I mean, the main risk is that some malicious user can just add fake information to have a high result or score in some scanner or database.

L: But I think that we can mitigate this, especially if we start to work with the score from zero to 100 or similar, to have a sort of ponderous approach. And, but yes, I think it is almost ready. I have shared the comment in the Scorecard channel, and then we need to, like the xkcd meme, we probably need to coordinate a launch, and not just a communication to the public, but also now there are a lot of companies that try to contribute to OpenSSF.

L: Maybe, before launching it, we can create an easy way to add this file in all open source... wrapper of the main component to join OpenSSF or the Alpha-Omega project that have important open source projects. In this way, my idea is that if we start always to use this standard in the most important projects, then also minor open source projects can start to follow us, because it is like security.txt and...

L: I mean, I have received good input from our team in the Slack channel, but at the moment, my personal opinion, of course, but my perspective is that we are a bit the CEOs. So I...
F: You may want to just set up a meeting. You know, throw something on the OpenSSF calendar and just get... because I think a lot of this Slack stuff is kind of ephemeral, whereas if I have something on a calendar and, you know, I'm there, then you have my attention for an hour. So you might just get more actionable feedback.

L: Now in the file there is also the link to the list of dependencies, some other improvements, especially because David asked for a file that can be used to add information to the page.

L: Of course this file can help to automatically fill some questions of the CII badge, not every question, but enough, probably giving a link that people can check.
B: Well, it really won't answer many of them, but I think so. Let's talk about that a little bit. I don't think the schema is going to answer most of the badging questions. It'll do a few, but if we were willing to make some tweaks to... and the thing is, for the badge, in many cases it's not just "do you do it," but, you know, where's your evidence and justification for it.

L: Yes, for this reason I want to add a comment section, especially for some properties, with a 500-character limit. In this way, people are forced to summarize, of course, the concept. They provide the URL, and in this way there is enough information. I have checked some CII badge answers.

L: Some are very good, very long answers, but others are just a link, or the same link for the different answers, and short sentences. Especially if I check Kubernetes, for example, a lot of evidence is just a URL. It's normal at the same time, and for some questions the answer is in the same policy. For example, you see that a lot of... some questions have the answer in the contributing policy or something similar, and yes, at the end, I suppose that people read also this policy.
B: Now, one thing we could do, which I think we've talked about in passing but we haven't really raised it within this group, and I think maybe this is the right time and place to do that: the badging has a number of very specific questions about what is done or not done.

B: On the other hand, it means that suddenly somebody can provide a whole bunch of data to the badges, at least if you want to, and I would be very interested, and might be willing, to go ahead and write the code to yank that data in. The issue for me isn't that... I'm not opposed to this. It's just...

F: So it's interesting. So a couple months ago, this really smart guy, David Wheeler, you know, stressed to us how important it is to keep this simple, and that simple always wins out over complex.
L: My question is, if, I mean...

L: Sorry for the question, it can seem stupid, but do you want to have in the Security Insights a section for the CII badge criteria where there are written some answers, and in this way a tool can just fill the answers for the CII badge? Right, yeah, it's Open...

B: ...SSF badge, but yes, that would be... that's what I'm mooting as something to discuss here within this group.

L: It is, I mean, my concern is that at the moment, if we create a scanner that just drops some current voices in the security insights dot yaml, this tool can already fill some questions of this area, not every question, of course. The questionnaire in the CII is very long, and I don't know if a very long file for the first version is a good approach. There is another...
L: There are a lot of questions, I mean. The point is that, I mean, I don't know if I am right, honestly, it is just a supposition, but security.txt works very well because it is just five or six lines, maybe seven lines. Of course the YAML cannot be so short, but at the same time it should be a good summary of the security standard.

L: Maybe, I mean, the idea is to introduce the same questions or similar questions that we can use also for the CII badge. At the same time, my concern is the approach to introduce them in the Security Insights. If we are just a list of voices, people start to not fill the form.

L: Also, if we refer to... because I have tried to fill the CII badge questions, and there are a lot of questions, so a very big project with a lot of people that work on it probably can spend time to give this information. A medium project, a small project... and I mean, I work in Arduino. I can say that also projects that appear big are not so big, then, and people have no time, no knowledge.
L: I know, yes, and I have used an example to convince... two examples to convince the Scorecard team. One is that the Scorecard has already failed at least one time for the Apache Foundation, that is not so small. They don't use SECURITY.md because it is not a real standard, and we cannot base this communication just on this one single policy for the Scorecard. So also the Eclipse Foundation has a totally different approach to open source. They don't have the SECURITY.md.

L: They don't have the contributing policy in all projects, so at the same time, the file can initially offer... they write a URL and it is already something, because otherwise you need to find the right policy in the right website, and the Scorecard can use this to reduce the false positives. Then we can continue to add more features, less questions/properties.

L: One of the questions that I have is if it is useful to add a very easy property like "do you have a CII badge?" or "what are the pages that you have?", because some projects show some page in the README.md, like Codecov or something similar, and maybe a similar list of ways also in the YAML can help, because the README contains a lot of human information.
L
D
F
This
can
be
a
first
approach
cool.
I
had
some
some
folks
have
their
hands
up.
I
don't
know
if
those
are
stale
hands
but
jeff
matt
and
eric.
F
M
Yeah
I
mean
I
came
in
late
to
the
meeting,
so
I
just
I
don't
want
to
eat
up
all
the
time.
It's
just
a
couple,
quick
questions
so
for
this
yaml
specific
specification
I
mean.
Is
there
and
I
put
this
in
the
chat,
but
is
there
a
potential
impediment
to
adoption
that
you
would
essentially
have
to
customize
any
application
to
leverage
it
or
is
the
hope
that
this
would
be
more
of
a
read-only
type
of
component?
M
You
know
an
obvious
follow-up
to
that.
Is
the
next
phases
of
this
project
to
write
a
more
automation
component
to
leverage
the
data.
That's
in
the
yaml
is
the
one
question,
because
I,
while
I
see
value
in
the
data
and
having
a
specification
for
anything
to
use
it,
you
know
it
needs
to
be.
There
needs
a
process
for
for
it
to
be
in
integrated
right.
So
that's
that's
the
question
that
I
I'm
curious
about
from
that
perspective
and
then
kind
of
more
broadly
in
the
metrics
aspect
of
what
we're
talking
about
from
earlier.
M
Just
a
food
for
thought
for
later,
as
you
talk
about
building
out
custom,
metrics
and
and
potentially
standardized
metrics
for
security,
is
there
a
play
here
for
incorporating
you
know
ai
and
machine
learning,
standards
and
practices
to
be
more
proactive
in
the
approach
to
how
metrics
taking
it
beyond
kind
of
a
simple
monitoring
to
a
more
broadly
capable
observability
solution?.
F
In
terms
of
automation,
I
think
the
answer
is
is
scorecards
is
kind
of
the
the
first
main
consumer.
L
Yes,
definitely
the
scorecard
is
the
the
tool
that
I
am
using
a
sort
of
main
point
or
first
point
of
contact
with
the
scanner,
but
technically
also
the
scanner
can
implement
just
a
wrapper
to
analyze
the
the
security
insight.
In
my
opinion,
it
is
helpful
for
two
reasons:
we
can
collect
evidence
or
just
having
more
information
about
open
source,
but
also
we
can
in
the
future.
If
someone
starts
to
create
a
database,
we
can
have
a
lot
of
information
of
new
standard.
L
That
start,
for
example,
if
someone
had
the
the
security
policies
in
a
different
path
or
similarly
for
people
use
a
doc
folder
instead
of
docs
folder,
and
this
can
help
us
to
standardize
the
open
source,
because
at
the
moment
we
know
that
people
write
documentation
in
a
docs,
folder
or
doc
folder
or
in
a
wiki.
But
if
we
see
the
real
number
of
these
according
using
this
file,
we
can
also
try
to
convince
people
to
adopt
a
single
approach
like
security
dot
nd.
L
It
is
a
good
approach,
but
it
is
not
the
only
one
at
the
moment,
but
if
we
see
it
is
used
by
the
99
percent
of
the
project,
we
can
maybe
create
an
rfc
convince
people
to
have
this
standard,
so
this
is
also
a
collateral
effect.
In
my
opinion,
if-
and
this
is
a
big
if
but
if
the
security
insight
becomes
a
standard,
so
we
need
to
convince
people
to
this
not
easy.
F
And
as
far
as
aiml
I
I
think
the
problem
actually
does
lend
itself
pretty
well
to
that.
If
we
have
enough
signal,
I
I
would
bet
that
some
of
the
commercial
organizations
out
there
are
already
trying
to
do
this.
I
haven't
seen
much
in
the
open
source,
space
and
kind
of
publicly
available
models
that
would
gather,
gather
a
whole
bunch
of
metrics
and
then
spit
out
the
likelihood
that
you'll
have
a
serious
vulnerability
in
the
next.
F
You
know
time
frame,
you
know
as
far
as
risk,
I
think
that's
one
of
like
the
main
bump,
there's
a
whole
bunch
of
signal
that
you
get
out
of
it.
I
think
it's
interesting.
We
should
continue
to
talk
about
it.
To
my
knowledge,
that
is
not
part
of
what
any
of
the
stuff
in
openssf
is
doing
today.
I
might
be
wrong,
but
I
just
haven't
heard
it.
F
We
are
over
time.
Thank
you
all
for
comments,
participation
all
that
we
meet
again
in
two
weeks.
It's
really
great
to
see
a
whole
bunch
of
new
folks,
and
I
apologize.
I
meant
to
do
welcome
intros
to
everybody
next
week
or
in
two
weeks.
Please
show
up.
I
promise
we'll
do
a
full
round
of
intros.
Thank
you.
All
very
much
have
a
great
rest
of
your
week
and
stay
safe.