Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit

B: Listening to one.

A: Cool, welcome everybody to the February 15th Identifying Security Threats Working Group meeting. I will be your host now. The normal run-through of kind of project updates; can certainly talk about new things, other ideas.

A: That's been in the news recently, just thinking it kind of does fit in our scope and charter to think about, like, the security threats that are around that. I don't know if people have a lot of thoughts, but just kind of throwing that out there as a point of discussion.

A: Nobody here is new, so we don't need to do introductions. Project updates: who has a project that they would like to give an update on?
D: I mean, hi Michael, I can start with the virtual summit. Yeah, awesome. So we had a toxicity, right. I mean, we were unsure about, like, whether we would be able to have a critical mass of people, sure, but I mean so. What we have been doing for the past one week was actually personally connecting with the people whom we have reached before, and they were kind of sitting on the fences, haven't committed, and, like, get a confirmation from them.

D: So with that, like, guerrilla effort, we have right now gotten acceptance from, I think, 14 or 15 maintainers, and the rest of us, I mean, you will also get an invite, as well as the other participants. Yes, and yeah, also suggested that she also wants to participate in that event. So, together we'll have about 20-something people. It's not gonna be a friend, but I mean it's gonna happen, at least that's the.

D: So at this point, I'm working with Khalil to basically set up the, like, send the final reminders, set up the Zoom, etc. We also want to do a survey for the participants about, like, what practices they follow.

D: That kind of gives us some data point that we can use during the conversation. We have also connected with the moderators. I mean, initially we thought of four breakout sessions, but because the participant size is lower, we now have two breakout sessions, so CRob and Bob Callaway would be, like, we have connected with them. We have previously asked, like, David to be there, I mean, but because, like, we have, like, downsized a little bit.

D: So that's why we're limiting it to two people, and I guess, like, David might appreciate the, I mean, you're welcome to show up, of course, but I mean you don't have to, like, be burdened with an extra duty. So that's that, and yeah, I mean Karim said that he knows how to set this thing up in Zoom, so that we can have, like, a group session, then break out and then come back together.

D: Yes, I mean, I cannot give you two earlier regarding about being a moderator, but I mean because you're so busy and we have downsized, so we just picked two others.
A: Awesome. So Zoom is completely frozen for me. Can you guys hear me?

A: I'm just going to keep talking and pretend that all is not FUBAR. Yeah. So that sounds great. So I do want to give you a heads up: I am on vacation next week, and I believe at 10:30 I'm actually, like, in, we're, long story, we're building a house, so we're, like, picking out stuff, so I probably will not be able to make it at all for that date. But please, please, like, have a great time, and I will be with you in spirit. Sure, cool.

A: Okay, let's see. How about on the metrics dashboard? Yep.
A: I had, well, sorry, one of the questions came from, for folks that would like to learn about this and would like to attend, should they just contact you? Yeah.

D: That could be done. I mean, we welcome more participation. Even at this, I mean, the more the better. So we can just connect. I mean, right now we are, basically the flow is that I'm connecting personally with people; when I get the acceptance, I pass them to, and he's just, like, sending them the calendar invites. That's basically that; that works.

A: Okay, sorry, metrics dashboard. How are things going?
B: Things are going well. We did hit just a small bump, and that was really due to competing priorities, you know, in our individual work efforts for our respective employers, so there was just a bump there, but we're back on track. What we're working on now is the new features that we had in open from December; you know, Rob is currently working on those, so that we can.

B: We can, as I say, look at those. What we want to do for the working group, though, is get a working demo together. So that's what we're actively pushing towards, so that we can bring a solid demo here to the working group, hopefully, you know, in the next couple of cycles, right, next couple of meetings.

B: Hopefully we can do that shortly. I don't have a timetable on that, but I know by next meeting we should be able to see another mock-up. Okay, but yeah, actively working on a demo for the work. Okay.
A: So, as far as funding for the full implementation, I don't know if you guys have had conversations on that, or kind of, if that's something that narav kind of owns, that's specking out, but it would be just, in kind of the financial climate of the moment.

A: Know whether the plan is for this to come out of the OpenSSF general fund budget, which I can't imagine it coming from any place else, and then be just running it up with Brian or Michelle, to just make sure that there is some money available for this that can obviously grow over time or whatever, but I would hate to have everything come through up to the point of, okay.

B: Okay, you know, we could begin having those discussions, and I guess too, we can add that to the agenda as a general item to discuss, and I'll even add that in here for our next meeting to begin discussing that, especially since he's working on the mock-up and then the demo. I can ask just at a high level how much, you know, budget-wise, do we think we'll need, and then we'll bring that back to the working group. Very good.
E: Yeah, I totally agree, and I think all of us have had to play budget games before, so, Jay, I'm just saying what you already painfully know, which is I think we'll need to make sure it's not just a "hey, here's a number" but a, you know, "hey, where's that for," because.

E: He comes in with a big number. I think, you know, I think that, although in the long term we can make this big and amazing, you know, we've already shown that with a very small amount of time and money, and Michael.

E: Heard that I might be talking about him. So, you know, I think that if people are starting to get worried about funding, that doesn't mean that kills this; it just means we need to escape. We may need to control the scale a little more carefully, and I think that's totally doable. You know, oh okay, maybe we don't, you know, have. Maybe we don't try to reproduce every build on the first version of metrics.
F: That was me, David. I just thought I would quickly add it on. I was just reviewing the notes from the last meeting, and my apologies for not being able to make the last few; just the timing did not work out. But I see that there were some questions about uploading all of the individual reviews from the impact report onto the security reviews dashboard. I was able to see this table that generates, that has all the reviews, and I think it looks fantastic.

F: So I would be happy to, I think, because we got kind of the template thing fixed, which was giving me some problems last year, but I think now that that's fixed, I will upload the individual projects into the repo so that those are easily, you know, viewable and indexable. And I also just saw from the notes talking about incorporating this into the Scorecards project, and I just want to go ahead and suggest that I think that's a great idea. I really liked how are.

E: Is that, I mean, is that what you meant?

F: I mean, I could see both working. I actually was just about to say that I thought it worked really well with that initial metrics dashboard that we had, the metrics.openssf.org, so I think the more that this information can be integrated into other things that, you know, give insight into, you know, the workings of a project, then I think all the better.

F: So I just wanted to say that I'm in support of that, and I'd be happy to help how I can, but, as I also said in the chat too, it's been a busy last couple months for me, so I haven't been able to be as helpful as I wanted with things like the virtual maintainer summit and the other efforts going on in this working group. But yeah, I also just want to, you know, thank whoever put the shout-out in the last meeting. Yeah, very happy about the report and all the work that was done in that, and yeah, looking forward to doing more. So.
E: All right, there was a discussion earlier, and my apologies, I think it was, maybe it was in the last one. No, it wasn't. Okay. And that was basically the: can we make this easier, so that if I have a URL about a project, I can pretty much instantaneously link to the security reviews page?

E: Be happy to do with that. You can do that.

G: With, like, I mean, one of the ways that you could do that is by buying a domain that, like, mirrors GitHub's, so basically, so like, let's say github.com, right, you just add, like, OSS best, like, you know, osbestpractices.org at the beginning of that domain, and it would resolve to a site that served that content. So all you need to do is mess with your browser window a little bit.

A: Well, so, I mean, the reviews themselves have package URLs, or the essence of the thing that the review is tied to, and that doesn't work well for everything, but for a lot of things it does. So if you knew that you were doing one of npm left-pad, so pkg:npm/left-pad, and then rely on GitHub code search to find that in the repo, that might be good enough for most now.
E: In all honesty, that's not so crazy, but.

A: Are, yeah, it's like pkg:generic and blah to refer to, like, things that don't make sense, and that was our, like, we need to, like, fit it into a package URL, because package URLs, like, they are verified, they are validated to be, like, syntactically correct, but there's no standard for, like, I've got a random web page, what's the package URL for that, like.

A: Right, yeah, I'm saying just do the coarse-grained, like, let the search engine figure out, like, how close you are. So literally, if you wanted to do openssl, you know, your search would be.

E: Yeah, all right, so maybe nmap here, npm clap.

E: Yeah, another way is to add, we could add fields to give URLs for the sources and such when you know them.

A: Or, well, yeah, so you could also add it on your end. Have a, maybe that's what you just said, but, like, when you provide a project to Best Practices, in addition to homepage and repo, you say what package URLs are you distributed under, which sounds a little bit like the Security Insights spec, yeah, almost. Yes.
E: Although it's actually a little bit of a challenge for folks that are, like, okay, if you're, like, within npm or PyPI, that is totally doable. In fact, if you don't know it, something went wrong.

A: Yep, and even for each one there's different architectures, which are different things. Okay, yeah, this one I would suggest just going to the GitHub search, keep it easy, and then refine from there over time. This is gonna be a hard one to solve, like, yeah.

A: Sorry, in the meeting notes you see. Example: oh.

A: That one, a shot, and if that one is, it only has to be worse than nothing for us not to use it.

E: Okay, and.

E: Be honest, at least for the example that you're showing here, it actually seems to work, yeah. What's the type=code do? It's.

A: Like, when you go to just lots of web pages, have that, like, oh, just search us, and then it, like, takes you to, like, a Google search with, like, and site equals.

A: This is not a crazy idea, and so you just replace openssl with whatever it is that you would search. Exactly.

A: And then I'll, well, someone else, don't, I'll try to get the actual, like, path. Mm-hmm.
A: So what I guess, for, okay, so for security reviews, as part of AO we're going to be generating these assertions. An assertion is a fact, like, you know, when CodeQL ran, it found zero critical issues in this thing. We're gonna save those assertions and then run policy against them, saying we think a reasonable policy is that CodeQL should not find any SQL injection vulnerabilities in a thing. So we'll have, similar to the order, and this is kind of the evolution of the automated security reviews that we posted, maybe 80 or 90, into security reviews last summer.

A: So that was my first point, and then the second was: let's do the same thing and have it exposed through the metrics dashboard, and I don't have a strong opinion on whether it should go, like, assertions to security reviews to dashboard, or assertions to both, or what, but, you know, I think having those two tied together would be interesting.
F: Yeah, that's a very interesting point. I think back to, like, my old days as an internal auditor, and, you know, that was a very, I would say, kind of well controlled.

F: You know, business, I can't think of the word right now, but yeah, we would have, you know, essentially what was called, like, the standards, the IIA standards, the Institute of Internal Auditors standards, that you basically use as your backbone, and then you basically publish, you know, as part of an internal audit report, what we would call, like, reasonable assurance. So, you know, it was, you know?

F: If something was, you know, if controls are, if you have enough evidence, basically, that they are following, you know, these certain standards, you can, you know, say that, you know, we found that there was reasonable assurance that, you know, these security controls are being followed and what have you. So something like that is certainly possible. I think, you know, there are enough resources out there. I mean, I think of a lot of the publications, for example, that the audit teams that we work with use.

F: You know, they use a lot of stuff from NIST and a lot of stuff that comes out of the EU government, and I think it's DIGIT, for example. So I mean something like that, I think, especially more like mid to long term, especially as we do more of these, and at more scale, as you mentioned, is something worth visiting and talking about.

F: Even if it's, you know, something pretty bare-bones, you know, just saying, like, we generally, you know, use these things as our, you know, guidance, for example. You know, there's plenty of good resources out there, and then, you know, come up with kind of some, I guess, somewhat standardized language on, you know, how the assertions can look, and yeah, I.

F: Think it's a good idea, especially, like you said, over time, as we do more and kind of start to, because one thing I've noticed, at least in my personal experience with auditing open source projects, is that, you know, no two projects are ever the same. There's never, like, a standard, like, template we apply that works for everybody. You know, so I think that makes it a little harder, but.
A: So I think we might be talking about slightly different things. The assurance assertions that I'm referring to are the fully automated ones, so you basically run, you know, n number of tools, and when the tools all show effectively nothing interesting, there's nothing to triage. Therefore, you can make a statement of that fact without having to have eyeballs on it. So we're only going to get a subset of open source.

A: That will be able to make interesting assertions on, or we'll be able to make "this package looks clean" assertions on; the rest, the best we'll be able to do is "a tool showed something, but no one has looked at it" assertions, which we need to talk more about, like, what that means and what evidence we provide and all.

A: So that one was.

A: Just fully automated end, so the markdown was generated. So we hit go and a markdown popped out.

A: And the summarized results, you know, showed, for this one in particular, it was, you know, when CodeQL ran, there were zero results; like, it ran successfully, but nothing was found. detect-secrets found nothing, nodejsscan found nothing, Semgrep found nothing, we were able to rebuild it, and when we checked, I think OSV or deps.dev, there were no vulnerabilities found. So.

A: It is, you know, I don't say good enough, but it is it.

A: And, you know, it's definitely not a manual audit bar, but, and so the assurance assertion is the evolution of this, where we, you know, can be more nuanced in the types of results, we can change those things over time, we can express them in a machine-readable way, et cetera, et cetera. Okay, so.
E: And just so you know, I have already quickly, while we're having this chat, added this, a link to the security reviews from Best Practices, as an issue. It's 1916.

E: This is one of those, wow, it's a mess, it's not pretty, but it works. We can do it now from, although it's not pretty, it probably is a better matching system than trying to match exactly on the packages anyways. So this is not a crazy idea. Awesome.

A: Jay, you've had your hand up for a long time. Sorry.
B: Oh yeah, what I wanted to do is, I wanted to, as a caveat to what Amir was talking about and then what you displayed, I think, ultimately, as far as reviews go, there, that language, so as an example to kind of bridge between what Amir was saying and what you displayed, even in instances, and in the, Amir, I'm saying this because I too worked in internal audit.

B: As a caveat to what you were saying, and then, and of course, well, Mike, is even in the instance where you ran a tool and this tool has said that this thing passed, and you can provide that level of assurance that, because of what was run on this tool, we can safely say, or within whatever degree of standard deviation, I don't know, I should say that this passed; that language should still be standardized, right?
A: If it has detectors for SQL injection, then we will leverage that as a bar, things like that, where it is not just, like, we found a random tool on the internet and we used it and the tool didn't explode, so we said it was right.
B: Yeah, well, if I'm saying that, to Amir's point, right, so an IIA standard for open source doesn't exist. That's something that can be, actually, that might be something for, well, dare I say, perhaps the Best Practices Working Group to work on. I don't know if it's them, or maybe Amir's working group that works on that, but that kind of standardization body might need to exist, to standardize how audits are done on open source projects and then included in.

B: That would probably be standardized wording for instances like that kind of assurance. When you ran that tool, right, there could be a section that says, in an instance where tools are random, I know the wording is, is the babe, I'm not going to go over the wording, but what produces this document that says these specific things based on this specific criteria, right, and that can be improved over time.

B: That's a working document that can change over time, right, but perhaps something like that does need to be created if these types of reviews, these types of audits, and then these types of assurances are being made at scale. Perhaps we do need to provide some type of standardization, like, for instance, stuff that's done through the IIA, because then we can audit the audit process, which, and Amir knows this.

B: I can't remember what it's called, Amir. Freshman, I can't remember what it's called, but you actually pull out audit reports and then do an audit of the audit practices. If you can look at a report and take that report, pull out and know exactly the steps that were taken to reach that conclusion, then that report is successful. If you cannot, then there are things missing, and I can't remember what that's called. In there is.

B: I know that's what it is. But yes, that's exactly what it is. The other thing, auditing the auditing practices. You can then do that to them, right, because that's going to have to happen sooner or later, if you're producing auditing reports: can you effectively retrace.

F: Those steps and come to the same conclusion, exactly, yeah. But I think the critical thing here is essentially them being supported and done at scale, but yeah, yeah, I think I'm totally on the same page on that.
A: Just to kind of close the loop on that, I fully support, like, standards. Not going to wait for standards; standards won't and will not happen this or next year, so we're going to move forward. We will make it up as we go, exactly.

A: We will snap to it. We will say "yay, standards people," because it is super important, but it'll be a de facto standard until then.

A: All reproducible anyway, practically by definition, because we're doing this in the standard toolchain that we are releasing, with the standard tools that we've released, so you should be able to produce, modulo a signature, the identical assertion that we produce. So if that's not true, like, nothing is perfect, like, you know, there are, like, actually non-reproducible things out there, but the evaluation of it should be 98, 99% reproducible. So, well.

A: No, no, but there's no analyst here. It is just what the tool came out with, so, you know, running, okay, tool version X against package version Y in this kind of standard-ish environment should give 8 results today and 8 results tomorrow and 8 results the next day, and that's the kind of reproduction that I've been referring to. Okay, okay, cool. Okay, I think we've talked a lot about all of that. Luigi, anything on Security Insights that you'd like to talk about?
H: Yeah, a short update. I presented the, well, the situation in some projects that we have that don't have, I mean, they don't have a security policy, during the last TAC meeting. So now I am involved in discussion, slash, yeah, in the discussion to write a security policy that we can use for the organization, or at least some projects, or key projects, yeah.

H: Probably the main issue is that we want to have, every project would like to have an email or a contact, and so the next question is how we are able to offer to the maintainer a sort of Google Group or something similar, a shared email that they can use to collect email. But I. So.

A: So talk with Michelle at OpenSSF about it. It might be very easy to get aliases for, you know, scorecards@openssf.org, scorecards-security@openssf.org, to route to either a group or a DL or whatever. I.
G: Would be so every single group wants their own security channel.

A: Well, if, I mean, the metrics dashboard group, like the.

G: But, like, if, actually, okay.

H: We can, but some projects maybe want to have their own email or contact. Technically, it's very easy to solve this problem, but not for the reception, because we can use just "hey, encrypt your email with this public key"; every project has a different public key, but no one wants to encrypt them. Yeah.

G: Like any of these vulnerabilities accidentally getting, like, like a project, maintainers have stopped working on it, the TAC hasn't figured out what to do with it, they're ending up being, like, a black hole that these reports go into and nobody responds to them, and that looks, so the risk is not.

A: Is, let's solve that problem when we get there. We only have a few active code repos. No, submitting a vulnerability report back to, like, the TAC spec repo, it's just docs. Okay.
G: Have the, I have a proposal for the other policy, which is the outgoing reports, that I've sent to, or shown to, Michael and, and not Brian, Bob?

A: Yep, did you want to? We have 10 minutes left. Was there anything else that we want to talk about? We could use this time to talk about that, because I think that, about that policy, but I.

H: I mean, just to align everyone in this group, I.

G: No, no! That's why I've been making this very clear. This is not the same thing as what you're doing; this is very much not the same thing. That's why I want this to be a separate issue. This is for vulnerabilities that primarily Alpha-Omega, but any other open source software foundation working group, may identify.

G: Are disclosing the vulnerability. This is our policy. This is our policy. No, no! It's not, it's not our reporting policy. This is our policy on how we will disclose a vulnerability after a set of conditions are met: either the report has been fixed or the maintainer has dropped the ball. Like, this is the policy that we will use to disclose a vulnerability, not report it.
H: Yeah, okay, it is like the Project Zero disclosure.

A: And just to, you know, make sure nobody, like, skips over it: the important, controversial part is going to be at what point do we throw our hands up and say, you know what, it's better for the world to know about this vulnerability, even though it is not fixed.

A: So we are disclosing zero-days at the end of one of these, I think, one of these paths. We want to make sure that we're okay conceptually, and that that path is constrained enough that the trade-off is right.

G: Should be consistent with the policy of receiving vulnerabilities, i.e., like, the way that we report vulnerabilities should not, like, if I am reporting a vulnerability to an Open Source Security Foundation project, it should not be incompatible with the outgoing policy, right; like, they should be compatible with one another. Otherwise, it looks stupid.

A: Please add them in the doc after this. This is important, good stuff that we need to.
E: First question the TAC is going to ask, exactly what you asked: hey, has the vulnerability disclosure group looked over this? Yes.

A: Yeah, I've been trying to channel the TAC in my kind of, like, objections to the zero-day path, so I think they'll focus on that too.

H: Have a question, because after Project Zero, 90 days became a sort of standard for disclosure, but probably, I mean, it was designed for software vulnerabilities. What happens if you have another rabbit?
E: If I may object to the word "standard" here, the 90 days is really the edge case. It's the longest one I know of. Product.

E: CERT, the Linux distros. Lots of others have much shorter time frames, and.

G: I think the rationale that I heard from somewhere, it's either my conversation with Katie or someone else: the reason it's 90 days is because Microsoft originally couldn't get vulnerabilities fixed that fast, and so eventually Microsoft really announced what's called Patch Tuesday, and Patch Tuesday is once a month, and so the 90-day policy gave Microsoft three Patch Tuesdays to get a fix out for a security fix before Project Zero went public with a vulnerability. And so that's why, and because a lot of the vulnerabilities that Project Zero finds is in Microsoft stuff.

G: That's the policy; they kind of catered it to, you know, Microsoft. You know, there was a lot of juggling back and forth between Microsoft. I mean, originally Microsoft hated Google dropping 0-days on them. Like, there was a lot that, you know, it ended up in, I think the Project Zero dropping 0-days on Microsoft ended up being a topic as a part of a congressional hearing, because some people got pissed, like some marketing people at Microsoft got pissed at Project Zero for doing that to them.
A: Just wanted one more important point for the doc. The automated part is the really important part, so yeah, I think it's gonna find 10,000 zip slip or whatever vulnerabilities in the thing. The idea of manually contacting and engaging each of ten thousand is not feasible. So the purpose of the automated thing is, for certain classes of vulnerability, when they're done at scale, is there a way to do it without manual effort per project? That's.

G: I'm also, you asked me to write up a small thing that said: hey, if, like, you wanted to have disclosure, automated disclosure, how would you do it? I'm working on that, like a short bullet list of here's what we need. Perfect, awesome.