From YouTube: OpenSSF Identifying Security Threats WG (August 4, 2021)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
B: Well, you know what, it looked like it was going to go much longer and they said "time's up, we're good, we're done." So nice. Yeah, so yeah, it was a different foundation. It's the movie industry one, ASWF! So the guy who's leading it, who's covering a lot of the panel, was from Industrial Light and Magic, Star Wars stuff behind him. Exactly, exactly!

B: Oh god, you know, my cool meter is just nowhere near yours.

A: Nice, that is nice, awesome. Okay, so yeah, we're just gonna get started. So they were just commenting. A lot of folks are probably on vacation. So this, the next time, will probably be super light, so I really just wanted to kind of go through the major projects.

A: Talk a little bit about hiring. I have a new project idea I just wanted to throw out there to see what sticks, and then, obviously, if you guys have anything else you'd like to talk about, add it in the chat. We have an hour for discussion, so we can do whatever we want. First off, for security reviews, Amir, any news or anything of interest to note?

C: On that one, nothing new, nothing new and exciting. Just a lot of the cleanup has been done, which is nice, and yeah, I haven't done too much updating in the last two weeks. Okay, cool. Let's just say, however, real quick, I'm looking at year one, there's one pull request from February.

A: I'll take action on that today. I'm thinking of just actually closing that; the impacted projects were deleted from npm, like...

A: Delete, like shift-delete, so there's actually... while interesting, it's not, it will never be actionable.

A: Yeah, this was the dependency confusion backdoors that went in.

C: Yeah, and then regarding the security.md, I know we discussed it a little bit in the last session. I was wondering if you all wanted to discuss it a little bit further today.
A: Let's do it, yeah. Welcome, Matt.

A: Take on it, yeah, did you want to start with...

C: Or just, well, I thought some of those resources that you uploaded were pretty good. I thought that initiative that Trey Waters won was definitely a good start because it had a lot of those basic building blocks, so that we're not recreating the wheel here and we can build on something if we wanted to include more meta, more YAML, more metadata opportunities, but I thought at least as a starting point...

C: I thought it was pretty solid. And then, just thinking a little bit about how we would, I guess, announce this or advocate for it, one thought that came to mind was basically doing a blog post, almost like an opinion piece, saying that security.md is a good practice, this is what we think should happen, these are some resources we put together in our working group, and just put it out there. That's just a thought.

C: I'd obviously love to hear everybody else's thoughts and ideas. Those are just some initial ones from our last discussion.

C: Well, yeah, it's just a tough line to walk, because there's so many different opinions here and whatnot, and for things to be, I guess, formally endorsed, there is quite a long process to it. So I almost wonder if an opinion piece would be better, just saying, hey, based on some discussions that we've been having and looking at what's out there...

C: We think having a security.md file in all the OSS repos on GitHub is a good practice. It should contain this. This is a template that we put together, something along those lines. I think if we want to build it out further, maybe into something more formal like this structured security.md, that would obviously involve probably a little bit more of a coordinated effort before we really put something out there as an opinion piece. So again, these are all just thoughts that I'm spitballing out there.

B: I guess the question here is what is really needed. In my mind the most important thing is: how do I contact you if I find a vulnerability?

B: Or an email list, or something. That's the most important. Second most important, maybe, is some sort of... it's a very different kind of use, is the "why do I think this is secure?" Security information, what I would call an assurance case, but basically it's the "why do I think it's secure?" Sure, it's what's called an assurance case, and supposed to... yeah, there you go. Why do I think it's secure?

B: The typical name for that, the formal name, is an assurance case, by the way. So I would put the words "assurance case" in there. Yeah, assurance case.

E: But I can go through it, I mean it's all... these things are trying to address the executive order. So most people in the cloud native space, and again we're supposed to be focused on open, and cloud is our future, no doubt about that. There's lots of automation already present, but you hit the nail on the head: it's about first access to existing information, so we need a road map.

E: So to me it's saying: here's the information we'd like to know from an auditing standpoint, from an executive order security compliance standpoint, and if there's information about both manual or automated processes, include that as well.

E: So clearly there's a broad picture that we need to enable and connect with what's being developed in our sister groups and sibling groups in the OpenSSF. We should do that. If there is information we can provide definitively that can be used by that automation to do lookups, to do content information, to open up issues, to send notifications to people... you've got SAST scanning, DAST scanning, whatever; notify these people, contact these people, produce reports.

E: But you can create different profiles. You say here's the minimum table stakes, but at least have a vision for how it could be used and submit that vision to people and let them decide. That's what you do, and we should, and if other projects could use this information, let's add that and show how it connects together, connective tissue.
A: Would it be helpful to dive deep on this? I mean we can do this right now and come up with a made-up spec, yeah. It doesn't matter what it is, and then iterate on it, because I agree with everybody, but I think it would just be useful to make it up as we go for the next 45 minutes.

E: I mean, that's the cloud native way, you know, put the kitchen sink in there, put it out there for review and comment as an issue in GitHub, and that's cloud native. I mean, that's it. It's iterative: open an issue, create your MVP and let it, you know...

B: To open up the working group notes page here.

A: There's a link to the issue, but for collaboration...

C: All right, link to the security policy, if there is one.

B: Yeah, do we want to be concrete and say if it's a security.md file, that's a markdown file, give me the names of the headers and the subheaders and then describe what would go in there, I'd say.

B: Okay, okay, vulnerability reporting, how to report a vulnerability, email address, okay, address, yeah.

E: Yeah, I think security practice is broad; we'll probably end up breaking it down into subtopics. I mean, if you look at the CI/CD processes, you have processes for contributions, how that works, how those are secured.

E: Yeah, I think it's good to say... I think in my mind we're going to be providing references to either prose, human-readable things, or things that reflect artifacts that can be used in automation. There are those two kinds, but that will work itself out as we...

E: And there's also release. What's my release process, how is my release process secure? There are signing keys, and the methodology for signing release artifacts.

E: So there might be a case where people, probably the BOMs, these reference their BOMs, or if they use XMLs like that, they can use an inter-document link of some type to point to the section in the XML document of the BOM and say: here's where you contact me. Those types of things, right, so choosing how you link is important, right.

C: And then, calling to David's point of the security assurance, would it make sense to also potentially integrate the security scorecards into something like this, into your security.md file?

B: Yeah, a URL pointing to the Security Scorecard result.

A: Alternatively, so I think there was chat last time or the time before about being able to override the security... So Security Scorecard says you're not using SAST, but you are, so you make mention of that in this file and therefore the Security Scorecard picks that up and says... I don't know how it would know to trust it, but let's just assume trust, because I guess you could, yeah, and it overrides and says...

A: Yes, you do. So it's kind of like making sure that we can provide all the data that Security Scorecard needs so that it has to do less guesswork.

B: I actually think that's its own... that's almost a broader issue here. It's almost the current security practices, I think, if that's returned, could provide override data for Security Scorecards, etc. Right.

A: The question I would ask is: is the fidelity of that check not nearly a hundred percent? And I think you could probably just tell by looking at actual PRs to see.

E: If it's better, I'm glad you're showing this because to me this is kind of like... if the scorecard is our way to assess, and these are the criteria, and instead of... to me, the roadmap is to disambiguate, as I said earlier, so anything in here that could not be inferred by the tooling or guessed at by the tooling, I believe, should be in a security.md or like file to help the tool to disambiguate. So the granularity you have here is fabulous.

A: Have you seen the SLSA framework? Absolutely. Okay, so I mean, it also... well, this guy here, I mean these are all kind of dancing around the same thing, so I wonder if...

E: How do we prove that? Yeah, so here's my belief system. My belief system is, this artifact we're creating is great, because we can dictate what goes in it and we don't have to mandate it or require it necessarily, but it can be used for all of the necessary work groups, like I said, the connective tissue, but over time I believe a lot of information might be duplicative in the bill of materials.

E: So it's interesting. I think the bill of materials is evolving. If you look at CycloneDX, I think, and if you look at what you get from private scans from a lot of companies like twisted black white source, they have a lot of information in there. They just keep it private. So I'm just trying to put this in the public arena and give them a public place to put the same information. Now, if we can put it in the... the problem is the SBOM formats are not lossless.

E: We convert between them, so SPDX doesn't have a lot of ways to express a lot of this data at all, or CycloneDX may. So it's great that we're creating this stop gap, and so it avoids... so if it exists in a BOM, reference it; if it doesn't, put it in our artifact, absolutely. And I always think back to my Apache project, so Apache has processes. So I can...

E: I can point to the Apache process where applicable and my overriding processes that build on top of that in my project at project level, and then, if I'm asked to go even further into my build processes and things like SLSA is asking for, I can further describe those things. It's a tiered system.
E: Yeah, I mean there's been an ask that I reproduced a bit of SBOMs. There's two views: there's the views of the SBOM, so there's my BOM, perhaps for automation, and then there might be the public version of it. I know Microsoft, at the TAC last week, K presented some things with... I forget the name of the secure coalition, where there's a blockchain based methodology, and she was talking about policies, so there's actually policies about...

E: What's expected for the build and the BOM, and things like that. So I think that, like I said, being informed by the SLSA work, being informed by the Sigstore work and making sure that we consider the criteria for those things, absolutely: the keys that are used in Sigstore, how I produce those keys. Which do I use, OIDC? I used to use my own private system to generate ephemeral keys.

A: I mean, I think so, as a way to... and not to tangent us too much. If you had a web page that you as a project owner could go to and use, like, "create my security-dot-whatever file," and it goes and does the scan and then it comes in and templatizes your templated thing with whatever it can fill in filled in, and then you fill in what's missing. I'm trying to think about how to make this easy for projects to adopt.

B: Right, that's my work, and to be fair, please understand where I'm coming from. I've been repeatedly burned by folks trying to boil the ocean when what was needed was a couple of fields, so having flexibility is good, but focusing on having a "here's how to get started," that's useful, I think.

E: Is key. I think that's why you break down by profiles. Here's the basic profile 101, but I think we can produce profiles that incrementally add features like scorecard requirements, things that are in this group, things that are supplied by this group that we have answers for.

E: I mean, if I could have 10 minutes to disambiguate a slide I just presented internally in IBM about an hour or so ago...

E: Basically, it shows an end-to-end security and compliance and continuous compliance process for all of IBM service builds, and I would probably go through every output of every task from being a complete, end-to-end supply chain process, and one way to figure out where I'm required by government, eventually, to prove that to my customers, to find that data, where to find the evidence, to find the artifacts and all those things centrally. I'm hoping to put that on an SBOM.

A: I also think that perhaps doing this sooner... the time frames involved in getting formal specs talked about, thought about, written down or proven is really long.

A: Does it make sense, as a kind of experiment, to put this out there in the next whatever month and then kind of use that to have the more productive conversations with SPDX?

B: Yeah, absolutely, yeah, there's no doubt it's possible. My concern has always been the challenge of making it easy enough to use. I think, with a little thinking, you could probably reorganize this to be simpler, at least.

B: That would help make this a lot more palatable if you can take it so that... now see if you can make this so that it is easy to extract for the other tools that extract security data, and I'm thinking about Security Scorecard, CII Best Practices badge and SLSA.

B: We've got to be specific who's going to use it. First of all, the security analysis, measurement, evaluation systems, and here I'm thinking about CII Best Practices badge, Security Scorecard, SLSA, etc.; provide data they can directly consume.

B: Right, because probably there's not going to be one measurement system for everybody; there isn't now, but if everybody can bring... okay, security researchers for reporting vulnerabilities, right, absolutely. Who else is gonna need it? Frankly, I would put them first.

E: Yeah, yeah, 'cause, I mean, I'll go back. I'm very proud of our projects that we've thought of these things, and I want to exhibit them in this document to my customers. So when they compare my product to competing products, even in open source, they know I've thought of these things and I have a place to show them. I've had a thorough thought process and actionable, human-readable things that can be viewed.

B: Yeah, and there's the sanity... I would call it sanity check. Sanity check slash lie detector.

A: Somewhere up above CPE, is there an alternative to CPE that has any usage?

B: So I would call this just a way to identify, yeah, package identifiers.

B: Yeah, they are CPEs and package URLs. Both work.

E: There was a debate yesterday in the technical working group where they're... well, anyways, I won't go there, but yeah, their belief system. There was a debate about creating external links, but all their... for relationships, and there's a staunch group of legacy people there saying that they're all XML namespace based internal links to the document, where we wanted to use full external references with full URIs and things like package URLs. But there seem to be a lot, you know.

E: Well, even Kate Stewart returns and said we should be working on the tag-value format because it's most highly used, and somebody made the point, well, it won't be tomorrow, but she's like... but there seems to be a belief system that super simple tag-value does it all. But I don't know, it doesn't provide a lot of the facilities. It doesn't provide a signing mechanism that's built in like the XML or JSON; it doesn't provide...

A: Cool, okay, so this one we definitely need some next steps.
C: Along with iterating on the fields above, I'm not exactly sure how to put this, but essentially making sure that there's one source of all the information, so people won't see something in one place, see it in another and then another and another, where it kind of loses some of its value, I guess. So where, like, if something is in the security.md file and it could easily be found in the SBOM, for example, just making sure everything has one source in a way where things aren't...

A: Yeah, I was thinking perhaps the first cut of this file gets created automatically somehow, but then, if it's good as is, then we don't need to generate it at all; we could just rerun that function that creates the tool whenever you need the data.

A: Yeah, I think that single source of truth, I think, is a good thing, aspirationally.

A: I don't know how hard we can stick to that without, like, okay, so you have a reference to Coverity in your Travis CI file...

E: The implementations are wide and varied and they're gonna change over time. So yeah.

B: But I think the answer is yes. I mean, I can tell you that from... so let me pull up the CII Best Practices badge, because I lead it. So let's imagine for a moment that this file might be yanked in by various tools like the CII Best Practices badge. What the CII Best Practices badge expects is...

B: What is the value of this question and what's the justification, and I would expect that for a lot of these, a brief text justification with links to "where do I see the evidence." So, for example, in the case of Coverity, yeah, point off to the Travis or the GitHub config that invokes Coverity when you do a commit update, and that's my...

B: That, in fact... oh yeah, and by the way, if you follow that, and maybe another link that points you to, oh, and here's the current version of that output.

E: Yeah, I was doing a quick check against that paradigm. Basically it's kind of like there's a security practice and I have a reference to that practice, either in automation or in prose or both, and then I have evidence for it. So it's always appearing, it's always appearing, you know, process.

B: And evidence URLs.

E: Yeah, this is the corollary I was referencing earlier when I had completely depicted our internal IBM CI/CD process for federal clouds, and I said I wanted the ability for the customers to have a link to every output from every point in our CI/CD process. Every artifact, every piece of evidence, so total agreement.

A: Contributed value, okay, so we're gonna meet again in two weeks. Do we want to try to have a couple of examples, or... I don't want to go too far down the rabbit hole without iterating, but it might make sense...

A: Questions might more naturally appear when you see a, you know, whatever, pick it, like a YAML version of this for a tool, for a project, yeah. Would anybody like to volunteer to come back in two weeks with something concrete?

B: I mean, I could do a short something. I think my mental model may be different than yours and some others, whereas we've been calling it security.md, but I think this is something different now. It's not really... it's not necessarily a document. If it's a true database schema, it's basically telling me the security information about this project in a way that other tools can hopefully snag it instead of trying to guesstimate it. Is that a fairer statement?

B: Let's see here, there's a track. What's... I have a conflict that hour, but if we can start one hour late, basically, start the time 10 minutes from now, whatever time zone it is, would work. If we can slip it one hour later next Wednesday, I could do it. I could do it. I can't do 11.

B: When's that? Wednesday seems to... Tuesday, or Tuesday the same time that we've been meeting will be fine.

E: At what time? We're talking about Tuesday, this same slot.

B: Same slot, so 1 p.m. Eastern, which is what, 10 a.m.

A: Beautiful, I will send out a meeting invite. I'll do it to everybody on the call today; if you're not interested, feel free to not attend, but okay. That way that's easy, and it'll be for Tuesday the 10th at 10 a.m. Pacific. Awesome, cool, okay, awesome. Okay, moving on a little bit, so metric dashboard, I don't have any updates. I did see a couple. I saw a PR from you, Dylan.

A: I think that came in a while ago, but I'll take a look at that right after this meeting.

D: Yeah, it's just a simple, minimum kind of what we call tutorial. I didn't really know what we were looking for, so I just made a basic markdown kind of tutorial situation, and then made some progress on the watchers thing. I submitted that to the criticality score project and they're going to integrate it there, so I'm just working with them as well.
A: Nice job, awesome. On hiring, so it sounds like we are kind of approved, except for the final actual pen-to-paper approval signature thing from the governing board. So as of right now, I'm gonna start. I reached out to two firms that kind of do this, and neither of them were interested in the overhead to start a new thing or, like, half a resource.

A: So I'm gonna keep plugging away at that and trying to find somebody interested. The contract will be for between now and, at worst, the end of the calendar year. It may extend beyond, but I don't know how long I have to actually use these funds. So I need to get some clarity on what it would actually be. The purpose of this work would be to extend, improve...

A: Actually make the metric dashboard a real production thing, move it over to an OpenSSF-owned Azure subscription and do all of that stuff. So some of it is just cleanup work because we cut a lot of corners to get it out, and other parts of it are real new stuff. The other side is, we do have extra money in there for other things.

A: So if we want to hire a contractor to do really anything related to our working group, we should have money to pay normal rates for that kind of work. So that's good. I do need to create a job description, though, for the metric dashboard. I have a list of tasks, but I need to uplevel that a little bit so we can.

A: Without a doubt, yep, so, okay, cool. So the last thing that I just wanted to touch on quickly was an idea that I've been mulling around, and this is not baked, like many of my ideas, but I just wanted to throw this out there to see what sticks and get thoughts. So internally we run lots of tools on lots of open source, generating lots of bugs.

A: Like most teams, we have limited resources in what we can do with the output of that. The tools themselves tend to be high false positive, we don't have the context, and so it's a painful triage experience.

A: So what I was thinking was, particularly for security researchers, but perhaps there are other groups as well: what if we basically took all the tools we kind of collectively have, run it on all of the open source we can find (and we can do this stuff at scale, to infinity), get the output of those tools someplace that the security researchers can dive into and do things like correlations of the same issue between different types of projects, and really making it a power user experience for bug...

A: Triage, yeah, wait.

A: I mean static analysis, fuzzers, anything in that kind of general category. So it's definitely security tools examining open source; you put it in a box and you look at the box.

B: Yeah, okay, okay, no, there are sensitivities in the past.

B: I don't know that they're still true, so this may be only of hysterical value, but at least historically, for example, Coverity was always very careful to not post the results of security analyses of open source software, even though you can argue, and correctly, that anyone could get a tool and run the analysis against the software, and that is absolutely true, and so it's a little bit of security through obscurity, but their pitch was always "we're trying to make it easier for people to secure things."

B: So there's, I think, a sensitivity about this. That doesn't make it wrong; I think we just ought to think through: is that the right thing to do? I actually am sympathetic to the "hey, you've had plenty of time," but if we're gonna do it, we probably ought to give people a warning.

E: So I guess, having attended the security tools work group, I worry about... I think in my mind there has to be a critical mass of tools that can be applied to the general space that produce comparable results. So I think the exercise would be to show that at least three tools could be applied to produce comparable results against at least two different types of applications.

E: That'd be my minimum, yeah, proof point, basically.
E: I'm sorry, yeah, sorry, David. I worry about what you said, David, in that many of these tools are so specialized or look for specific things that they don't produce comparable data, or a lot of the really cool scanning stuff, they keep it private. They want you to pay for it. So I worry about how much can be accessed in the open source public domain.

B: Right, right, that's true, too, and even if you run the open source tools where that's not an issue, there's that sensitivity of "hey wayman, are you helping the bad guys?" I know we're short on time. One thing that I had toyed with, I had done a little research years ago, but we don't have time.

B: I can tell you some of the problems we had, but I had toyed with the idea of trying to do vulnerability densities, or at least report densities, where you just count it up.

B: You divide by the lines of code, yeah, okay, there's all sorts of problems with it, but the theory is that if you've got a lot of vulnerability reports on a project, even if none of those vulnerability reports are actually correct, if there's a huge number of them that suggests a lack of care, that suggests you're more likely to have problems in general, without revealing "hey, right here is this line."

B: That's right, I actually did an analysis years ago. I never got the report released. We can talk about that later, about the problems of that, where I think there was some indication that vulnerability densities had some value, although if your project was very small, it started to become dubious.

B: Yeah, visible. The trade-off of should you make it visible, and well, I mean, as Matt mentioned, the whole problem of, can you even make it visible.

E: I think that a lot of the barriers that I'm hoping to break down (you can tell my passion) is that I think there's been too much obscurity and too much money being made off the security space and not enough sharing of information, and I'm very pleased that this group, especially, is trying to break down those boundaries. It's one to say that.

C: I'll bring out a quick idea just before I forget, absolutely, just throwing it out there, because when we're talking about having this potential data to analyze at scale and stuff, I think instead of making it public, if we did some rudimentary analysis among the work group and then, if we have some money for potential projects, we could potentially hire an actual security firm or somebody to analyze the data, but they obviously wouldn't do it for free.

A: What about, and last point, if we could end up with bug bounty, patch bounty, triage bounty? So we have five million findings in this thing; as a security researcher, you're invited to this platform, you get five bucks an issue to triage it, or whatever, depending on how long it takes, and fifty dollars or five hundred dollars for a patch and a grand if it gets accepted, or something like that, where we incentivize the crowdsourcing and pay.

A: In other words, like, "oh, I see you're using a website, therefore you should..." I see you're implementing a website, therefore you should use this tool.

A: As a shameless plug, but that says you're using databases and blob storage, blah blah, it would be pretty trivial to add in and therefore you should check it with this, or...