►
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A
A
C
B
A
B
Am
on
some
project,
I
mean
I,
have
had
some
projects
in
the
project
update
about
that
point.
If
I
forgot
something,
please
add
the
project
that
I
forgot,
probably
especially
because
it
is
the
first
meeting
for
the
this
new
year.
For
me,
I
honestly
forgot
the
last
one.
It's
like
I
could
not
join.
I
was
honestly
on
vacation
and
I
am
in
technical
in
the
notification.net.
E
A
D
Yeah,
my
name
is
Dan
Cohn
I
work
for
saving
Skype
yeah
I've
got
about
10
years
before
I
worked
since
I've
got
about
10
years,
Dev
experience
and
equally
as
much.
Cyber
security
experience
basically
got
hacked
from
an
early
early
on
in
my
career
and
kind
of
wanted
to
start
making
things
secure
since
so
yeah.
Just
really
here
to
listen
and
see
where
I
can
help.
B
B
C
I
have
the
high.
This
is
one
hour
Hey
Luigi.
So,
regarding
the
virtual
maintenance
Summit,
we
were
supposed
to
send
the
emails
to
the
participants,
the
invited
participants
asking
them
to
like
book
their
time
and
and
yeah
I
mean
so
the
official
email
was
supposed
to
go
last
week.
It
did
not
go
for
reasons
that
was
beyond
my
control,
but
we
are
trying
to
escalate
and
and
be
able
to
send
this.
C
By
the
end
of
this
week
we
have
only
a
couple
of
days
left
but
I'm,
working
with
kahil
and
Rory
right
now
to
send
the
email.
So
we
have
kind
of
a
yeah
escalation
back
by
about
a
week,
but
I
mean
yeah.
We
are
getting
back
on
track
other
than
that
I
mean
next
week.
The
plan
is
to
send
the
emails
to
the
panelists,
but
I
mean
we
have
already
confirmed
with
the
panelists.
So
it's
just
a
formal
email.
That's
gonna
go
to
them.
C
The
real
critical
thing
is
that
we,
the
the
date
for
the
Summit,
is
February
22nd
and
it's
like
almost
just
about
a
month
away
and
we
still
haven't
sent
emails
to
the
participants,
although
they
have,
some
of
them
have
been
notified
in
like
back
channels
or
private
channels,
but
I
mean
we
haven't
seen
the
official
email,
which
is
a
collective
failure.
But
we
are
trying
to
fix
that
together.
B
All
right,
oh
I'm,
not
sorry
I
was
saying
that
I'm
taking
notes,
and
probably
everyone
better
after
the
call.
Thank
you
for
the
updates.
So
at
the
moment
the
point
is
that
we
need
to
send
them
the
email
to
the
participant,
and
probably
the
mail
are
too
late.
I
mean
in
respect
to
the
summit
date
in
your
opinion,
but
you
are
on
the
I
mean
from
the
end
of
the
week.
You
probably
you
have
done
the
email,
delivery
right,
I
hope.
So,
yes,
okay,
thank
you.
C
At
this
point,
it's
under
control-
it's
just
like
because
it's
been
I
I
mean
the
original
group.
There's
I
mean
people
have
been
busy
for
the
past
couple
of
weeks,
so
I
mean
those
who
are
supposed
to
do.
It
were
just
not
able
to
do
it
in
time.
So
now,
yeah
I
mean
now
we're
just
in
damage
control
mode
and
and
getting
it
done.
That's
important.
A
B
F
Yeah,
so
we
so
we
met
for
the
first
time
this
year
last
week,
no
new
updates
on
the
Rob
is
still
still
out
of
town
and
I
know.
At
the
last
meeting
at
the
end
of
the
year,
we
had
some
notes
that
we
went
back
to
him
with
about
the
dashboards
mock-up
that
we
wanted
to
get
that
we
want
to
get
some
advancement
on.
So
we'll
just
wait
on
him
for
that.
F
F
I'm
not
I'm
not
committing
to
the
one
month,
part
I'm,
staying
down
I'm,
saying
that
in
the
next
couple
of
weeks
we'll
be
able
to
to
detail
when
that'll
happen,
hope,
okay,
I
will
commit.
The
I
will
commit
the
state
to
that.
But
but
we
are
advancing
in
that
direction.
So
so
we'll
be
able
to
look
up.
B
A
B
F
We
just
had
a
few.
We
had
a
few
notes
about
the
data
that
was
being
presented
the
first
day
that
was
being
presented
and
then
some
some
points,
some
data
points
that
were
being
presented
that
we
think
should
so
so
that
there's
there
was
a
part
about
hey.
This
may
not
necessarily
be
the
view
that
everyone
should
have.
This
might
be
a
view
that
you
should
select
and
then
that
view
comes
up,
but
then
these
items
might
need
to
be
on
the
dashboard
up
front
right.
F
So
we
have
some
of
those
notes
that
we
went
back
with.
Also
there
were
notes
about.
You
know
the
the
project
that's
being
searched
for
whether
or
not
it's
relevant
to
have
all
of
that
data
for
that
specific
project
right
all
of
those
kind
of
items
right
there
that
we
went
back
with
so
so
you
know
it's,
it's
a
give
and
take
we'll
see
what
comes
up
and,
of
course,
we'll.
F
G
F
B
We
have
deprecated
it
without
a
real
new
project
or
a
software
refactoring
and
so
I'm
very
happy
that
someone
is
working
again
on
a
similar
project,
I
a
true
question,
but
from
a
user
perspective-
and
you
cannot-
maybe,
if
you
don't
have
an
answer
for
me,
don't
worry.
I
can
wait
for
more
details
in
the
next
weeks.
B
One
is,
and
this
project
will
have
an
API
that
user
can
use
to
send
a
request
without
using
the
dashboard,
because
sometimes
maybe
you
want
to
adjust
the
command
line
tool
and
the
second
question
is:
will
be
the
dashboard,
the
project
open
source.
So
technically,
everyone
can
kind,
of
course,
contribute
to
the
dashboard,
but
also
change
the
dashboard
or
adapt
to
their
own
project.
Using
then,
the
API.
F
That
is
if
those
two
are
extremely
good
questions.
The
first
one
I'll
tell
you
I'm,
not
terribly
sure
about
that
part
and
I.
Think
and
I
think
that's
that
you
might
want
to
come
inside
of
the
Sig
and
ask
that
question.
The
second
one
might
be
a
little
bit
more
involved
because
I
I,
depending
upon
the
platform
we
end
up
using
right,
because
that's
because
that
has
because
that
has
not
been.
F
We
have
not
settled
on
that.
Yet
so,
depending
upon
the
platform,
that's
being
used
that
that
no
the
the
idea
that
the
tool
itself
would
be
open
source
that
could
be
I,
think
some
parts
of
it
might
be,
but
I
but
I
think,
depending
upon
the
platform
being
used
and
how
dare
I
say
propriet
proprietary.
That
platform
is
that
part
may
not
be
but
I.
You
know,
Christina
will
expand
a
bit
about
explain
a
bit
on
that.
G
B
G
B
Okay,
yeah
I
mean,
if
I
shouldn't
be
here
and
yeah
I
mean
I
mean
yeah,
because
of
this
I
mean
I,
hope
that
this
project
can
see
can
have
a
future
because
definitely
like
to
have,
but
I
mean
definitely
buy
us
on
this
topic.
So
just
I
am
talking
just
like
the
final
user,
not
like
a
contributor
at
the
moment.
Okay,
thank
you
for.
B
G
B
B
To
fill
out
the
security
insighter,
it
was
an
interesting
exercise
in
my
opinion,
because
I
have
seen
that
in
all
all
the
repo
that
we
have
in
in
open
ssf
as
a
security
policy.
So
technically
at
the
moment,
not
all
the
report
have
a
security,
MD
or
just
a
link
to
the
security
tab
by
GitHub,
and
we
should
set
at
least
a
security
policy,
in
my
opinion,
at
least
for
the
organization.
A
generic
one
and
just
a
point
of
contact.
B
B
Another
interesting
point
is
about
Mark
Bounty,
maybe
not
for
all
the
products
that
we
have,
but
for
sure
we
have
some
projects
that
are
very
popular.
The
most
popular
probably
is
the
scorecard,
but
also
sixth
term,
that
is
related
to
open.
Ssf
is
very,
very
important
and
popular
now
and
so
having
us
a
sort
of
Advantage
should
at
least
be
discussed.
B
At
the
moment,
I
have
used
the
python
script
that
helped
me,
but
definitely
the
user
experience
is
not
so
good
and
I
repeat,
that's
good,
so
we
need
something
that
these
modules
are
friendly
and
especially
with
the
graphic
user
interface.
So
my
The
Next
Step,
probably
is
to
try
to
understand.
If
the
ssf
112
a
global
security
policy,
then
every
project
can
change
it,
maybe
but
at
least
a
minimum
message,
a
minimum
tax
which
would
happen
every
project
that
we
have
and.
B
And
then
finish
to
to
fill
out
the
security
inside
for
these
three
projects,
so
we
can
test
them.
We
can
see
if
people
find
them
helpfully
and
I
mean
they
can
find
helpful,
and
then
we
can
try
to
continue
to
spread
the
security
inside
around
the
other
open
source
project
yeah
for
the
first
display.
Yes,
it
definitely
helped
me
to
see
some
lack
of
compliance
best
practice.
I,
don't
know
how
to
define
this,
but
it's
normal.
It
happens
source.
B
D
D
Then
we
were
working
on
on
an
identity
project,
so
we
were
like
suddenly,
oh,
we
need
to
fix
this
and
I
think
like
yeah,
it's
like
the
five
iterations,
but
also
I,
think
that
the
struggle
was
finding
things
within
things,
so
we
we'd
fixed
it
our
end
but
then
still
found
that
actually
yeah,
it's
kind
of
I
think
that
for
us
was
was
where
the
time
was
spent,
but
yeah
the
actual
from
an
app
yeah
upset
point
of
view.
You
know:
yeah,
circling
Keys
is
a
horrendous
time.
That's
great.
A
D
D
We
found
was,
and
if
well
we
had
like
a
Linux
coin
Miner
that
we
found
with
in
life
cycle
a
few
days
ago.
It's
not
not
the
the
coin.
Miner
isn't
actually
out
the
blue,
but
what
was
interesting
is
that
it
was
only
thing
ESET
and
a
couple
of
other
I've
asked
actually
that
note
that
flagged
it
as
malicious.
D
We
found
that
it's
actually
getting
pulled
from
a
git
lab
user.
That's
kind
of
got
various
versions
of
this
coil
Miner
and
go
in
Java,
and
it
was
just
quite
interesting
for
us
that
it
wasn't
like
it
was.
The
method
of
delivery
was
different,
so
quite
a
lot
of
antiviruses
weren't,
actually
picking
it
up.
Strangely
enough.
D
D
B
D
B
D
It's
a
direct
link
yeah,
so
it's
so
I've
sent
an
abuse
email.
So
you
get
that
and
actually
they'll
pull
down
the
repo,
at
least.
So,
if
you
know
hopefully,
then
that's
fixed,
but
it's
yeah,
it's
just
very
intro
like
it
wasn't
like
our
security.
Researchers
were
like.
Well,
we
find
quite
a
lot
of
these.
It's
not
that
interesting.
You
know
as
in
the
binary,
but
it
was
just
the
delivery
method
was
like.
Oh
okay.
D
You
know
it
got
picked
up
by
our
system,
because
it's
not
that
that
far
different,
you
know
they
they
check
the
payload
once
it
was
called
in,
but
but
yeah
it's
just.
It
was
just
quite
an
interesting
bit
of
oh
okay,
just
a
way
of
circumventing
a
lot
I
guess
what
what
a
lot
of
antivirus
are
looking
for
is
actual
malware
signatures
right,
so
they're
not
going
to
find
that
in
the
python
file,
because
it's
pulling
the
yeah.
C
D
Much
I
mean
it's
it's
basically,
someone
will
point
you
to
so.
Their
thing
is
so
it
kind
of
goes
a
bit
deeper,
but
once
you
actually
find
a
pre-built
of
the
binary,
it's
the
The
Miner
it's
using
is
cortex.
So
it's
trying
to
install
a
miner
for
cortex
crypto
on
on
your
on
on
your
on
on
your
machine,
but
essentially
it's
it's
yeah.
It's
just
standard,
like
you
know,
fishing.
You
know
fishing
techniques
of
you
know
here,
here's
a
binary
come
and
get
it.
D
D
So
but
I
could
imagine
that
the
way
it's
set
up
is
that
it
doesn't
actually
matter
really
the
delivery
method.
You
know,
so
you
could
probably
Point
people
to
this
same
Repository
through
email
phishing.
You
could
probably
do
it
through
various
attack
vectors
because
because
essentially
it's
just
to
get
lab
repo
right.
A
B
My
question
is
the
point
is
that
when
apparently,
the
packages
seem
to
be
malicious,
so
the
code
and
the
request
that
these
packages
did
yeah,
in
my
opinion,
they
environment
issues.
But
after
that
the
incident
was
disclosed.
The
security
researcher
of
the
person
or
the
people
that
uploaded
these
packages
on
npm
have
added
a
messaging
in
in
non-np,
I'm,
sorry,
Pi,
Pi
and
I
had
added
a
message
in
papay
by
saying
hey.
B
This
was
just
a
test
to
see
if
the
by
touch
was
vulnerable
or
not
and
to
be
sure
that
the
hack
worked.
We
need
to
do
some
requests
to
be
sure
that
it
was
on
the
run
on
the
developer
machine
and
something-
and
it
is
an
interesting
point-
because
at
the
moment
it's
not
clear
who
is
accountable
for
a
supporting
attack.
I
mean
if
I
mean
this
kind
of
attack
was
definitely
targeting
by
torch.
B
Attack,
I
can
theoretically
show
it
to
the
security
team,
and
if
the
security
team
is
good,
probably
they
don't
need
the
POC
and
they
classify
the
report
as
critical,
because
otherwise,
if
someone
asks
for
a
POC
and
it's
very
common
in
the
disclosure
policy
that
we
have
at
the
moment
as
company,
usually,
then
you
ask
for
a
POC
at
least
to
try
to
referencing.
But
if
you
ask
for
a
poc
in
in
a
supply
chain
scenario,
without
tracking
without
attack
an
open
source
product,
you
can.
E
B
B
Have
some
companies
have
a
disclosure
policy
that
explains
how
to
communicate,
vulnerabilities
and
and
how
to
report
them?
But
we
don't
have
a
clear
procedure
for
supply
chain
attacks.
In
particular,
a
project
can
be
movable
to
a
supply
chain
attack
that
is
usually
critical,
but
at
the
same
time
in
the
project
or
the
maintainer
of
the
project
could
be
not
accountable
for
the
vulnerable
package
that
can
be
the
Independence.
A
B
D
Yeah
it's
a
good
one.
I
mean
I
can
only
speak
from
kind
of
my
own
experiences
either
you
have
it
on.
You
have
the
brief
concept
on
a
private
repo,
so
you
other
people
can't
use
it
or
I
think
like
I'm,
not
sure
if
GitHub
do
and
make
you
know
Jay's
on
the
call.
So
you
might
know
a
bit
more
about
on
the
GitHub
side
of
stuff,
but
I
know
you
get
lab,
for
example,
has
very
kind
of
defined
if
you're
a
user.
This
is
security
research.
D
You
need
to
make
it
very
clear
that
this
repo
is
for
security
research
and,
if
you
don't,
then
we
have
to
assume
that
you're
malicious,
but
even
then
like
there's,
nothing
really
stopping
somebody
pointing
to
the
raw
binary.
That's
that's
there
right,
but
I
guess
that's
that
that
would
maybe,
from
a
research
point
of
view,
would
you
need
to
build?
Would
you
need
to
put
it
into
your
raw?
B
I
mean
yeah,
I
mean
probably
you.
If
the
project
is
open
soon,
I
mean
if
you
are
lucky
and
you
have
a
dependency
that
is
up
in
stores,
but
it's
not
in
the
ecosystem,
npm
or
similar.
You
can
just
clone
the
wrapper
put
in
the
ecosystem
and
as
security
other
custom
file.
Txd
file.
Where
you
say
Hey,
you
are
not
downloading
your
own
dependency.
You
are
downloading
my
own
one,
and
so
you
are
vulnerable,
and
this
is
the
best
scenario.
B
Way
to
I
mean
maybe
npm
or
the
ecosystem.
You
can
maybe
create
a
public
record
that
it
is
clear
that
you
are
not
malicious,
but
at
the
same
time
there
is
no
way
to
know
what
how
that
package
is
used,
because
you
have
no
access
to
the
code
and
in
the
best
scenario,
I
think
that
you
can
break
the
pipeline,
at
least
so,
even
if
you
know
International,
where
it's
not
clear
how
a
researcher
can
test.
D
I'm
going
to
think
what
we
have
with
life
cycle,
but
that's
a
paid
product
right,
so
that
will
kind
of
scam,
saying
sanctifiable,
but
from
an
open
source
point
of
view,
I
mean
we've
got
OSS
index
that
that
would
give
you
a
vague
knowledge
of
dependencies
inside
we're
kind
of
we've
added
something
you
know
called
bomb
doctor
which
also
looks
for
dependencies
but
I
think
yeah,
it's
mainly
in
our
paid
products.
Unfortunately,
that
would
be
thank
you.
D
It
would
be
sorry
but
yeah.
You
know
it's
basically
in
our
in
our
pay
products
that
that
we
have
that
kind
of
knowledge
of
you
know.
Oh
this
looks
a
bit
fishy
because
yeah
we
put
it
to
patent
pattern,
recognition
models,
so
maybe
that's
something
to
to
consider
I,
don't
know
whether
Microsoft
might
have
something
actually
or.
B
Nope
anyway,
yeah
I
mean
to
prevent
this
kind
of
attack
where
you
can
use
six
star
or
I
use
the
signature
yeah
you.
You
have
a
mitigation
that
you
can
implement,
but
it
is
easier.
If
you
are
about
a
business
company,
then
just
an
official
project.
You
have
more
people
that
can
work
on
the
code
and
usually
you
have
time
to
implement
best
practice.
Usually
I
mean
but
yeah,
for
example,
but
it
can
be
not
so
easy,
especially
when
they
start
and
they
start
to
become
popular.
B
Have
this
solution
implemented
there
part
of
time
and,
and
that
also
I
mean
not
friction
but
yeah.
You
need
to
work
to
maintain
your
CI
more
or
less.
This
is
the
point
and
in
general,
the
point
is
that,
from
my
perspective,
at
the
moment
we
don't
have
a
clear
way
to
communicate
the
potential
supply
chain
attack.
Probably
it
is
a
good
topic
for
the
disclosure
channel
that
we
have
so
probably
I
will
write
a
message
in
that
in
that
channel,
but.
D
Is
part
of
lift
and
that
the
idea
of
that
is
that
it
will
look
through.
You
know
your
your
pipeline
of
dependencies
and
we'll
kind
of
say
look.
This
is
vulnerable.
We
know
this
is
kind
of
vulnerable,
so
I
don't
know.
Maybe
it
might
be
a
point
if
you've
got
a
project.
Have
you
used
Lyft
at
all,
but
you
know
I
think
you
can
put
it
onto
a
GitHub
project
and
just
see
if
that
might
give
you
what
you're
looking
for
it's
free.
D
So
it's
not
like
it's
it's
open
source
that
one,
but
you
know
it's
quite
new.
It's
only
kind
of
got
released
like
like
it's
when
it's
to
win
beta,
basically
for
a
couple
of
weeks,
but
I
think
also
OSS
index
has
some
dependency
management
like
around
supply
chain.
You
know
it's
fed
intelligence
for
it,
so
it
might
be
worth
looking
at
if
you're
looking
for
something
I,
don't
know
whether
it
will
do
exactly
what
you
want,
but
it
might
can.
D
E
E
D
D
D
It
will
essentially
be
looking
at
like
the
Repository
and
and
looking
at
the
dependencies
and
kind
of
saying
well
here
is
you
know,
here's
some
vulnerable
dependencies
based
on
what
we
found
in
supply
chain,
intelligence
that
we
have
so
it's
it
lift
itself
is
it's
kind
of
like
two
different
things.
So
it's
focuses
on
so
you
know
static
code
analysis
essentially,
but
also
so,
let's
see
sorry,
it
might
be
better
if
I
give
you
the
the
bomb
doctor
link.
D
So
essentially
they
were
going
to
be
two
different
things,
but
I
think
I
still
win
yeah,
so
bomb
doctor
is
really
new
and
I
need
to
get
a
code
from
somewhere
for
someone
to
use
it.
So
it's
it's
still
in
the
early
beta.
But
let
me
let
me:
do
you
mind
if
I
have
a
chat
with
my
product
team
and
see
because
it
is
meant
to
be
a
free
tool
and
then
I'll
I'll
definitely
clarify.
B
E
B
Or
other
topic
and
discussion
I
think
no
I
don't
see
hand.
So
you
know
I
have
20
minutes
to
do
what
you
want
and
we
can
save
time.
Okay,
people
thank
you
to
join
this
meeting.
I
will
reply
better.
The
meeting
notes,
Jay
Christine,
probably
will
send
you
the
link
to
be
sure
that
I
return
correctly.
The
meeting
off
and
thank
you
to
for
joining
the
meeting,
see
you
each
week.
Bye,
bye,
bye,
okay,.