Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: Welcome everybody to the September 15th Identifying Security Threats working group meeting. I'm sharing my screen, so feel free to add anything to the agenda that you'd like to talk about. Things that are top of mind for me are metrics, SECURITY.md, and then we can talk about anything else that you guys want. It looks like it'll probably just be the four of us today, so go throw whatever else you want on the agenda. We can keep it open on the metrics dashboard status. Basically, I haven't had time to do anything with this. I did interview a couple of people, and for one reason or another it didn't look like those were going to go forward. I have basically an outsourcing firm that's available that I can use if we really need to; it's more just that things like executive orders and Alpha-Omega are taking up all the air in the room. So I don't know when I'll be able to get to this. It's not super critical, like nothing's going to break anytime soon, so we'll probably revisit maybe after November.

A: So if you guys have any feedback on it, either conceptually or on the details... the proposal has changed a bit from two weeks ago, so the biggest changes... let's just do it here.

A: Which is this guy. So this is a team and a project that's already out there; it's been out there for a while, it's funded, they have a dev team. This is part of the Linux Foundation, and we're looking to use this to build the triage portal into. So there would be lots of additional development work here, but at least the proposal in my mind right now is for it to be managed by the existing LFX team, supplemented with additional resources that OpenSSF would bring. OpenSSF would still be on the hook for... There's still a lot of stuff for us to do on Omega, but it does keep us from having to build a system from scratch, at least some part of which already exists and conceptually does a lot of the same things that we want to do. Does that make sense?

C: Yeah, I would say so. Amir here: I've worked a little bit with the LFX platform before, and it's definitely a good platform and there's a lot of infrastructure there already. So, you know, why recreate the wheel? Use that existing platform. So yeah, I think it's a good idea. Okay.

D: I think, even if that's not forever, whatever the case is, I think that's a really smart idea, just starting with the bulk of the kind of actual intelligence behind this project first, and getting the results and all that, and just getting it somewhere.

A: Cool. Something that... and this is where I've been a little bit careful not to attach Alpha-Omega to the executive order requirements or guidance or expectations or whatever, because I think that the two... there's a Venn diagram, and they do meet in the middle somewhere. One of the places that they meet is, in my opinion, the need for organizations that use lots of open source to be able to have some security assurance about the open source that they use today.

A: The only thing that 99.999% of organizations do is check for CVEs and upgrade when they... Both Alpha and Omega provide an additional signal, which is that something proactively has been run and a third-party organization can attest to the fact that the results were generated authentically.

A: So what this would really mean... So there's a project called skim, which you can think of as a database containing metadata about activities that took place against a thing. So it's super general, just like a database, but skim would have a fact like "zlib was scanned by X and no critical vulnerabilities were found," or something like that. Similarly, for Alpha, one of the outputs of this could be, obviously, the write-up, but also a skim entry for, like, "a review of this part of zlib found three issues, all fixed in the..." something like that, and I don't know how to make that kind of machine consumable.

E: Just a question: a scan of a project to find vulnerabilities is very good in open source, especially for some projects that are very popular in other big princess projects, but at the same time, maybe they are written in different languages. How do you think that we can scan them? I mean, zlib probably is written in C, so it is quite easy, and some critical libraries are written in C, C++ and similar, but that technology is about being quite fast, especially the web-oriented ones, and there are some new languages that are very important, like Golang, for example, and it's not so easy to scan a project in every single one. At the moment, I mean, there is not the same technology. Probably this is the main problem. Yep.

A: So there will always be the Haskells of the world for which there are no good tools, and there will always be frameworks, like, you know, scanning Angular is different than scanning JavaScript and things like that, but I think what we would have... I think that some of it comes down to X. So if zlib were written in Haskell, then we probably wouldn't be able to make any... I mean, I suppose, where X is either the OpenSSF analysis toolchain or CodeQL or...

E: Grappers, or exactly. This is the second point. If you want to follow a sort of scientific method, we need to offer a tool that other people can use to obtain the same result. Maybe there are errors in the tool that we use, or there are missing features and similar, but at the same time people need to trust us. So this means that people need to be able to do the same tests with the same tool that we want to use. And, oh, is it too difficult, in your opinion?

A: Yep, you're totally... so this is a little bit in the weeds, but the way I would imagine this would work is you would have some sort of container that has all the tools pre-installed, kickoff script, etc. We would have... and I think it's really important... that we have additional filtering magic to reduce false positives, where they can't go right back into the tool, but as far as... we should not find any vulnerability that they cannot themselves find. Excellent.

A: Now I think that, as a preference, it makes sense. Right now LFX Security has a relationship with Snyk, so they get results from Snyk. Now I can't reproduce Snyk's results without going to Snyk. Similarly, I could imagine a scenario where a proprietary static analysis company wants to join the party and wants to do analysis themselves and provide us results where we wouldn't be able to redistribute that engine. We can cross that bridge when we get there, but I think the strong preference would be that everything we use is open.

E: Yes, because, too, it is quite easy having a lot of false positives, especially when you are writing a new scanner for new languages, and when there is too much noise, usually people start to ignore the messages. So, yes, exactly.

A: So even going forward, after we've built this all out, I'm proposing a team of four engineers just focused on tooling efficiency, and they're not triaging anything; they're just making the tool better all the time, and I think that's the right order of magnitude of people. So this is different than... in fact, I might need to change this, because really I want these people focused on that first bullet. We'll see, but yeah.

A: Cool. Any other thoughts on Alpha-Omega?

A: So the top hundred projects: this is important for both planning reasons as well as, let's say, layer-eight marketing reasons. We need to be able to, when we announce, say "these are some of the projects that we're planning to engage with," or have something super concrete so that people can know what they're getting out of it.

A: So what I'm thinking about doing is: we will start with the top 100 from the criticality score, have that on one list, and then send out a survey, like a really simple, one-question survey: list all the projects that you think we should focus on because they are important to OpenSSF. Maybe engage on Twitter and kind of do something there and get more opinions, and kind of jumble this list together, have OpenSSF kind of vote to score, maybe group them in buckets so it's not one by one, and then have that be the starting list. Certain organizations... so, depending on the funding model that we land on, we're probably going to need a lot more money than member dues will be able to cover, and therefore those organizations that give significantly more... I think the plan should be to have those organizations be able to choose specific projects that get analyzed as well. Now, I don't know the breakdown; we can't all be what those organizations choose, so it'll be some sort of, you know, they'll get 30 or 40 percent of the bulk. And then once we have the list of 100 that we feel okay about, then we just break it up and we say: okay, top 10, next 10, next 10. And then we need to... and I think this probably is after funding... we would have the service provider that's doing this work go in and start to engage the projects and say: okay, this project doesn't need our help, this one doesn't want our help, this one is super tip-top, there's nothing that we can provide, and kind of work their way down, so that they're engaging and providing help where it's necessary. We don't necessarily need to be confined to the top 100; if we need to get to the top 400 before we find 100 projects that really need our help, that's cool too.

A: The other thing was, since we're talking about Alpha at this point: the specific deliverables, I think, are important. I want this to be kind of crystal clear, and I want everybody to agree that this is the right set of deliverables. So actually maybe I'll just give everybody a minute just to read that, and I'd love your feedback.

C: It looks pretty consistent with what a pretty standard audit report would create. Yeah, cool. One nice thing about a lot of the reports... I was actually going to send a couple your way to check out, but one really good thing a lot of them do is they kind of map the current outlook or the current space, kind of what it's looking like, and really serve as an artifact for, you know, security teams, people who want to use this software, to actually review and get an idea of where they're at. So in terms of deliverables, this very much looks like what one of those would produce. Cool.

A: Perfect. So I think the two questions I had for you: number one, this kind of scenario here. Obviously, in order to analyze something you probably need to build it anyway, but as far as making that... the scenario that I think we're trying to optimize for is, let's say, I don't know... without picking a real product, OpenLDAP. Let's say we all agree that it's super critical. The OpenLDAP team, let's suppose hypothetically, is just one person, and that person, for whatever reason, I don't know, died or no longer wants to maintain it. But there's a sharp ending to support at the same time that a critical vulnerability is found and everybody is scrambling. Is there something that we could do today, i.e. this "buildable releases and code familiarity" section, to make it more likely that we, being members of OpenSSF or their designees, could rebuild, patch and issue a release of a fixed OpenLDAP in this situation? And is that...

C: Generally, just based on my experience with overseeing some of these audits, there is typically a learning curve at the beginning. Obviously, the reviewers and the audit team need to understand how the software works and typically set up their own sandbox environments to test it out and whatnot. So typically, most of... a good amount of the cost comes in that learning curve at first.

A: Cool, yeah. Then I think that would... and obviously, like, a buildable release... oh sorry, building a release candidate is different than actually releasing it, because we would somehow have to get it into the ecosystem, which we wouldn't be able to, because we're not the maintainers of it. But I think doing that work up front, because if it takes, I don't know, a week to get up to speed on a thing, that would be a week that wouldn't have to be spent in the case of one of these catastrophic things that you'd have to do anyway. So let's kind of leverage... or at least the idea would be to leverage that investment and kind of keep that knowledge somewhat current.

C: Yeah, and lots of times the audit reports themselves kind of serve as almost like a familiarity document, like you said, something to get familiar with what it does, what it's supposed to do, how it was reviewed, stuff like that. So a lot of that knowledge is captured in the artifact. Yeah.

A: Cool, awesome. Oh, and the last part is... what I was also thinking is, you know, to have there be some sort of a revisiting, and if we limit the pool to a hundred, give or take, then at some point they will all have gone through one iteration, and then the idea is the next iteration against those should be simpler and cheaper and faster, at least in theory.

C: Exactly, yeah, and I think a good approach to this is what a lot of internal auditing and IT auditing standards do, which is essentially a risk-based model, where the higher-risk stuff gets reviewed more often, the less risky stuff less often. The really important stuff... and I think this is potentially possible... is something like, you know, part of our reviews is implementing tools, things like OSS-Fuzz and things like that, so that there can be some kind of continuous review as well, and so all of that can be adjusted based on risk. And yeah, you're absolutely right: ideally, the second iteration around, because that learning curve... excuse me, sorry... has been gone over, ideally it's an easier process and a less costly process. Yeah, yep.

E: You hear me? Yes, about the project level: there it is written that it's for projects that are distributed using a package manager. By package manager, do we mean something similar to npm, PyPI, or not, for example, Snap?

A: Oh, I know. I would say let's be explicit. Snap, so...

E: Every kind of... also the Windows Store, for example, or not?

A: Welfare was open source and was distributed to the Windows Store, basically.

A: Sorry, it would help... so what I was thinking when I wrote this was: if foo was distributed over npm, but foo's source code is on GitHub, then, as the review is being done of foo, they also consider, okay, so how are you publishing this? Oh, it's just one person who can publish it, and there's no two-factor auth involved on the npm side, and the password's written on a sticky, and they do the publish, so like... well, that's not optimal; you should do this other thing instead. And kind of including: how do the bits get down to the user? Not an analysis of the npm infrastructure or things like that, but just, are you leveraging the security controls available as you distribute? So, you know, even to the point of, you distribute this thing on MyGet as opposed to nuget.org, or you distribute it... you have to do it on Launchpad, you have to do private PPAs, versus being part of the Ubuntu ecosystem or Debian or whatever, and just do that because...

E: My question was: are we interested in package managers that offer packages for developers that then can create other, more complicated, bigger software, or do we want to also include some big open source projects that are shared or deployed using other package managers for the final user, like, for example, Firefox? You can install Firefox from Snap, from the Android store and similar stuff.

E: I think it's not easy, because it is quite easy to create two different definitions: one for Windows Store, Android store, Snap and similar, and one for npm, PyPI. It is more difficult to create... it is a sort of grey area for the Linux repositories, for example, the Ubuntu repository and similar, because sometimes you can install a library to write code, sometimes you can install the final product or the final client.

E: So there are a lot of important projects that are distributed for the final user, but maybe we can start with package managers similar to npm, so ecosystems for developers. Maybe then we want to grow and we want to add the other category or different package managers, but for the first step, probably we want to work on that.

A: I think that sounds like the right approach. Things like Firefox, I would imagine, because they are... or really any open source project that is backed commercially, would probably be pretty low on the list. At least that sounds right to me, because they would be able to kind of afford the security assurance themselves. For open source products... so VLC is open source, right, but projects like VLC or VS Code... like other kinds of... VS Code is ours, so I would put that in the same category as Firefox, but a popular open source product that users use, rather than use to build other things, I think is interesting.

E: Yes, I have a lot of examples. For example, there is Theia, which is under the Eclipse Foundation, but there is Metabase, which is a business intelligence tool, for example; it is quite popular, but it is not the only one, and Eclipse is buying that, so they are quite good, I suppose. But I mean, if we start to search the most popular, especially related to the database, that you can use both in production environments or in a sort of business environment, but also in your personal one...

A: Postgres is going around in my head, like something we should do, and maybe that's where the origin, this initial engagement plan... So look, let's suppose that, for whatever reason, either it comes up high in the criticality score or we vote and just collectively we think that Postgres is actually a critical open source project. I mean, it is obviously a critical open source project, but we think it should be top of the list, and the engagement plan is created, and the resulting engagement plan is like: they've been audited four times in the past year, there are no findings, they have a spectacular security record, everything is automated, the maintainers say they don't need anything. That's fine; other than maybe being able to build it, if there's nothing to do, there's nothing to do, and that's great.

A: But on the other hand, if they were like, no, actually we need a lot of help here and there and this other thing, then just because it isn't a library that you're using within your code... Postgres obviously is fundamental to lots and lots of organizations. So yeah, cool. I think that's good.

A: Cool, so yeah, I guess what I'd request is: take one more look at Alpha-Omega; any comments, throw them in the doc. I will keep iterating on it, presenting to the TAC next week. I'll probably continue to iterate on it with feedback from the TAC, so expect more tweaks and things. Obviously, if there's budget negotiation, then we'll need to go back and figure out how to make it work.

A: Agreed. From criticality, I'm going to send a survey to OpenSSF asking for input, and then it'll be anonymous, so nobody has to feel like they have to give away their organization's secret things they depend on, but we'll mash those all together and then we'll figure out how to do a prioritization voting game to sort those in an order that we think makes sense.

A: Cool. Anything else on Alpha-Omega?

A: Cool. Welcome, Matt. The next thing I wanted to chat about was SECURITY.md, or whatever we're going to call it, but the SECURITY.md thing I had to drop at the end of last time. Looking through the notes, I guess the first thing that I would like to ask you, Matt, specifically is: would you be willing to just kind of take ownership of driving this project forward? I mean, so in the meetings that we've had, I think there's still lots more conversation that needs to take place, but I think getting something out and getting feedback against it and iterating, not calling it a standard, but calling it an RFC or something... and you know.

F: If the question is directed to me, then first of all I would say I would love to. However, the timing's not right for me, as I've been volunteered to lead the effort, actually, to largely in part figure out how we align our own internal compliance, security compliance assessments and things like that, around OpenSSF technologies.

F: And that's a lot of work inside of IBM to convince all the product teams to have... basically we're trying to create a universal system that we can map to sauce and things like that. These are all my roadmap proposals. I'm counting on Scorecard in our alignment with work being done against a SECURITY.md or whatever we need it, as you said, to happen, for automation and for determinism.

F: So absolutely I will participate in anything, but I can't be the guy to make the deliverables. Okay, but any meeting set up, I will be there if I can attend, and I would attribute all my spare time to it.

A: Amir or Luigi, are either of you interested in leading? So I do not have cycles to drive this either. I think it's important; I think how we get there is probably at least as important as the final part, but the final part is all that people will see at the end. But I think there's an opportunity for this to meaningfully improve the...

A: Okay, perfect, as being very different, yeah. So there's a separate doc down here that has lots of details and examples, schemas and things like this. I guess what I'm looking for is someone to own this project and set up meetings and then invite the right people and report back and kind of own this.

E: If you think that I can do it, I probably would like to do it. It is... I have full faith in you, so you rock. So okay, probably every right to use some question to try to organize this, to drive.

A: Absolutely, invite whoever you think could be helpful at doing this. At minimum... there's a note down here... at minimum, what I would suggest is setting up some sort of recurring meeting; talk to the folks at Best Practices and Scorecard. You could probably just do that on Slack; get them interested, up to speed, and invite them and get their thoughts and make it a collaborative thing.

C: Yep, just a couple of quick reviews. So I updated one of our first reviews on VeraCrypt, because I happened to come across it in the metrics dashboard and noticed the security reviews at the bottom. So I uploaded the artifact of that; actually, the report is a really good report.

C: So if you want to get an idea of what one of our security artifacts would look like, that would definitely be a good example. And then the second thing I did was just trying to close out some of the issues I saw. I believe it was you, Michael, that asked to add the Mozilla VPN review that just got published a week or two ago, so I just went ahead and added that to the repo as well.

C: So yeah, overall it's good. I just had one, I guess, bit of comment or feedback: sometimes configuring the YAML text can be a little arduous, so I was wondering, is it possible to be able to choose from a preset list of options when we're putting things in, like implementation, non-implementation, or implementation partial, for example, just to reduce those errors from coming up? So we know I can pick from these three things.

A: Absolutely. I'm just giving...

A: Cool, awesome. And in fact, so obviously we didn't make it clear enough in the project, so we'll update the README or something to point folks to that, because I wouldn't want anybody else trying to do it by hand.

A: Yeah, okay. Anything else on that or any other topic?

A: Cool, you guys can get a couple of minutes back, but again, homework for everybody is: if you haven't... if you read it and completely agree with everything wholeheartedly, then you don't need to do anything, but if either of those aren't true, please add your comments to the Alpha-Omega doc here. So, hoping that by the next time we meet we'll be preparing for the governance board money discussion, and then a couple of times after that we'll be announced publicly. So.