C: Cool, welcome everybody to the September 28th Identifying Security Threats working group meeting. I will be your host. If you guys haven't put your names in the meeting notes, the doc is linked from the meeting invite. I'll try to fill in anybody that doesn't have it for whatever reason. On the agenda today, first stop, and this can take as long as we need, is the metrics dashboard SIG proposal from Azim, Nirav and Jay. I don't know who'd like to kind of steer, but the floor is yours: Nirav, Azim and Jay.

D: Right, this is my first call, so let me introduce myself a little bit. My name is Nirav Patel, I'm with the Linux Foundation working as a CTO, working on a couple of open source initiatives. We are building a platform for engagement, aggregation and collaboration. So this is a part of one of the efforts, so I wanted to highlight that.

D: So going back to the agenda on the metrics dashboard, this is something I've put together with David Wheeler and Azim, Sanjay and others as well, about having a common interest, right, basically creating a special interest group around the metrics dashboard. It's nothing but having a public platform, of course, that's vendor neutral, with objectives around the risk assessments and focusing around maybe the top 100 repositories or top 10,000 repositories as a part of the MVP.

D: So yeah, we just wanted to highlight that. I don't know if all of you had a chance to read through the proposal, because I don't want to go into detail, because I would like to keep that open more for the discussion versus me reading through all of that. So that was the one agenda item, and then I also proposed how it's going to look for the next three months.

D: This is something, me thinking how the three months is going to look, open for suggestions. First is SIG formation, clearly define what the MVP is going to look like, you know: who are the users?

D: What are the problems you're trying to solve, what benefit the solution will provide, right, map out all the user workflows and come up with some sort of clickable mock-ups, where everyone thinks that okay, this is going in the right direction, or this is how we're thinking, building a roadmap, and then we talk about the technical details, architecture, tools and whatnot. So these are some high level three-month objectives that we're thinking to achieve with this group.
C: From my kind of vantage point here, this feels in line with the spirit of what we originally talked about when we were talking about the metrics dashboard, and this is like the grown-up version of that, so I'm excited. I think the most important points in this are, you know, so the current, so we have two. No, there were a bunch of existing solutions that are kind of in this space.

C: There's things like the thing from CHAOSS, I'm drawing a blank on the name, but it's a CHAOSS tool that you install and then you have a local service that does this work. There's metrics.openssf.org, there's LFX Security, there's deps.dev, and yeah, so all these things kind of have different scopes, different, you know, is it public? Is it inclusive versus kind of exclusive, in terms of the types of projects?

C: How deep does it go? Is it authoritative? Is there an API, all these things, and I think that there's room in the space for multiple different projects to take different stances on that. I'm not sure what our stance should be on this, so I do think that the initial phase, like the second bullet I think that you had, yeah, that one, being crystal clear here, and it doesn't need to take...

C: ...you know, six months of doing this, but being clear with what is this thing and what is this thing not, I think is important, and then seeing, as you said, if this is something that resonates and whatnot, because I think some of those decisions will have drastic architectural ramifications in terms of storage and processing and all this stuff, and we want to just go into it very intentionally.

D: Yeah, I kind of agree with you as well. I think the main idea is really like, help us define the MVP. I was talking about this with Azim and he's like, we've been talking about so many other things, but what exactly is the MVP going to look like? Let's define it properly and work as a group. I think that is where would be a good start, I would say.

C: I would then stop talking, but I would suggest that as well. It's important to define the MVP; I think it's equally important to define out what does this look like when it's done, when it skips over to maintenance mode, what does that really look like? I think if the MVP vision is something, you know, that's not really what people are buying.

C: So yeah, it's important to have that vision and maybe even to have mock-ups of what that vision, like what we sell it as, like this is what the Cadillac version of this looks like or would look like. I'm sorry, I see.
A: No, I just wanted to plus one what Michael is saying. So one suggestion I can give here is, this is a framework we very frequently use, even in some of our products like Scorecard, which we basically call Mission, Vision, Strategy, Roadmap. I think it's a framework that really helps us say like...

A: What's the exact problem we are trying to solve, what would be the ideal state of the world if we solve this problem, and how is this solution that we are proposing helping us solve that problem. I think probably having just one or two liners defined here and having a few minutes of brainstorming here will probably help us get some of those answers that Michael is looking for, but yeah, I agree.

E: And I'm sorry, I put my hand up. I also want to encourage us to view this project as something that is never done, something that should be designed in such a way that we could take the most advantage of volunteered resources.

E: I think we'll be able to find paid resources to work on things as well, and so it's important to prioritize the paid work appropriately so that we're getting to MVPs, we're getting the stuff that matters and can show impact, but to also design it in such a way where, if there's other things to feed the data lake, people can contribute those from the side, and we can decide whether the data lake has room for the output of those feeders.

E: We should look for ways to actually replicate the data lake to other places, so people can consume that on their own as well, and then have a default view of what's in the data lake as presented by a single website, but have as much flexibility through that as we can, and as an open source project I think it's kind of on the SIG to balance everyone's interest but also get the most of what everyone has to bring to the front.

E: So I just encourage us to be pretty late binding with a lot of this stuff, if we can be.

C: So it sounds to me like what you described, Brian, is this is a platform and not a website and not just a tool or an aggregator of tools or things like that.

C: I like that. I think the platform part of it does mean that we don't need to have all the answers up front, and there's less risk in going down a path that is hard to back out of. It's obviously more of an upfront lift, and I wouldn't want to underestimate the monetary cost of building out a platform versus a tool, because it's probably two orders of magnitude larger, one than the other.

C: I'm reading this as enthusiastic agreement, full speed ahead.

A: All right, I think it's a great idea, and let me know, I can't.
C: Okay, so Brian, a question for you, and I should know the answer to this, I'm sorry that I don't. But what is the essence of a SIG? Like, a SIG is a defined thing in OpenSSF now, right? Or are we using it very loosely?

E: It is, it's basically the fundamental unit of community.

E: Right, so the taxonomy goes, you have the TAC, working groups, and you have technical initiatives under the working groups. Technical initiatives can either be software projects that are very clearly about...

E: ...let's just build open source software, things like Sigstore, although you can also have that at the top level reporting to the TAC, which is what Sigstore is. You can have, eventually, services and specifications communities, and then you have a SIG for kind of everything else, and I think a lot of what's today kind of informally chartered might get more formally rechartered as a SIG. That's my read of one of the recent changes to governance.

E: I don't mean to overweight things, but I think the expectation is that a SIG is accountable to a working group, or in rare circumstances upward to the TAC, but I think usually to a working group, and being accountable has some reporting cadence and that kind of thing, but otherwise its own meetings, its own agendas, and if it's aligned with a part of the mobilization plan, that we find some way to get things that come up in the SIG funded as a part of the plan.

C: Okay, so is the next thing on the agenda to kind of formally vote and say, do we want this to be a SIG? Does anybody object to voting for this to be a SIG? Does anybody need more information in order to make that decision? I don't want to put anybody on the spot, and really what I think creating the SIG just means is, you're not voting for money, you're not approving the plan.

C: You are saying that this plan is worthy of a group focused on it to drive it forward.

E: I think the question is on that, and how does a vote get recorded and consensus achieved and that sort of thing, and I think your question of, is anyone strongly opposed to this, is a good one, but also consents that are not simply the lack of no's but are enthusiastic yeses are always better consents, right.

C: Okay, so do we have a required voting procedure within OpenSSF? Otherwise I'm just going to make something up now and we'll...

E: We don't even have a clear sense of who are members who can vote or not, right, and I think this is something I'd expect the TAC over the next little while to get a little bit more formal about, because you kind of need it for corporate governance rules anyways, but I think if, I mean, you're the chair of this TAC, right, sorry...

E: Of this working group, yeah. I think if, in your sense, the consensus of the people both in this room and others who are not in this room who you'd consider part of the SIG is that this is something that the working group is willing to take responsibility for, because in a sense you're taking some responsibility for the SIG.

E: If the SIG goes sideways, this group should be the one to kind of jump in and course correct, or cast it off and say, this has got to be canceled because you guys are doing crazy stuff. That's the obligation on this working group then, just like any other kind of technical initiative under it.

E: So yeah, if you feel like this is something this working group has the energy and enthusiasm for and believes is appropriate for itself compared to other working groups, then I think you could declare that consensus and move forward. I think it's great that it's you, who's not working directly on the SIG, rather than any sort of, you know, nothing you have to recuse yourself from.
C: Cool. David, your hand's up.

G: So I'm not in a position to make a decision towards money spending or anything like that, and so it's nice to mention that, but I'd like for the proponent to explain how that proposal aligns with the objectives of the working group a little bit more in detail. I think that would be useful.

C: I can, or if you want to take that you're welcome. Otherwise I can.

D: Yeah, so what you are referring to, David, is more in terms of defining this proposal more in detail? Is that what I'm hearing?

G: Right, so the working group is identifying security threats today, so how does this proposal help users of these information systems to identify security threats, basically.

C: The way that I would answer that is, it is aligned, because the metrics and metadata and aggregated and calculated stuff that would come out of this dashboard would be used to inform users of the absolute and relative risk of projects, and using a risky project is essentially a threat to you.

C: So if we define threats somewhat loosely, I think it lines up kind of spot on with the working group. We do have a kind of short, concise, whatever it is, but it is a good question, because it does lend itself to, well, why not security tooling, like we're building tools, so shouldn't it be in security tooling, or it's encouraging people to use best practices, so shouldn't it be there? There's so much Venn diagram overlap between the working groups.

C: You know, so the purpose of the Identifying Security Threats working group is to enable stakeholders to have informed confidence in the security of open source projects. I think it's right in the middle of that. We do this by collecting, curating and communicating relevant metrics and metadata for open source projects and the ecosystems which they are a part of. So perhaps our description of the working group should be expanded, but at least the way that it's defined today, the project I think is right in the middle.

A: Open source dependencies which, like Michael said, probably falls in between going further and saying identifying security threats, so in that sense I see it aligning here in the working group, pretty much what Michael said. Cool.

C: Okay, so we already did the, does anybody vehemently oppose this, or even not vehemently, do you have strong reservations where you think we should not proceed to make this a SIG? If so, now would be a good time to speak up.

E: Zoom has this feature where it times out your thumbs up. So that's why someone's is disappearing, very helpful, right. Okay, so.

C: So I'm seeing consensus, so interrupt.

D: It was, sorry, but I'm not able to find that yes option. It's fine, I'm just playing. So let me try. Okay, yeah. We.

C: Nice, okay, so I see practically unanimous consent here. So let's declare this. Oh, so actually I should be careful. Of the folks that attended there is clear consensus, we'll create the SIG. I will open this up on the Slack channel for folks that couldn't join this meeting if they had other things, I'll invite them to watch the meeting and read the doc and comment if they have issues, but other than that, I think, do we need, Brian...

C: Do we need TAC? We certainly need to inform TAC. Do we need to get something approved from TAC before we ask for money?

E: Well, separate out setting up the SIG from how things that emerge out of this SIG might get funded. You have the agency, as a working group, to say yes to new technical initiatives of all sorts. As a courtesy you might want to let the TAC know when you voted to accept them in, but I'd put aside the question of funding for things until we've identified things to fund. Okay.
C: Perfect, and then so now the other most important question is, we need a lead and some co-leads for this SIG to drive this forward.

E: I think the proposal suggested both Nirav and Jay as co-leads, or maybe that wasn't in the proposal, but I think that's implicit, and Nirav and Jay, I'm just checking with you as well if that's... yeah, yeah, that's where it's aligned, yeah. That's.

C: And if anybody objects, just ping me; other than that, let's consider this formed. Nice job, everybody, and.

E: Most importantly, if you want to join this SIG, please let us know, and we'll make sure that, in addition to getting the meetings of this SIG listed in the public calendar, we should probably post to this working group's email list when we have those meetings set. If anyone else wants to especially make sure they're plugged in, let us know.

C: And then going forward, Jay, Nirav, feel free to obviously continue attending this meeting, and I'll just treat you guys like the other projects, where, you know, status updates and how can we help and things like that, but from here on out you guys run the, you know, get the call set up, run the meetings, and good luck to you.

C: Cool, thanks, awesome. Is there anything else that folks would like to talk about regarding this, the metrics dashboard? I should mention that metrics.openssf.org I will keep running until there is something to transfer it to, but I'm imagining either the domain will go away or will be repointed or will be subsumed somehow by this. It doesn't really matter, we can decide that later, but I'm not gonna shut down the current dashboard right now.

C: Okay, the second thing that I want to talk about was, so this came up, and I'm sorry, my video is still crapped out, the idea of doing a video walkthrough of doing a security review. I don't recall which channel, I think I probably put this on General, and I think we talked about this once before, but I wanted to kind of move on this a little bit in the next maybe month, and basically what I was thinking here.

C: What I've seen over the years is that everybody has their own kind of special sauce and methodology and approach to do this stuff, and it's more than just running tools and looking at the output, it's knowing which tools, and when they're actually looking through code, what things stand out to them, and I thought that from a kind of education perspective, but also aligning the researchers themselves, it would be interesting to have a video walkthrough of someone doing one of these and kind of talking out their stream of consciousness as they're...

C: ...doing this, to see, you know, wow, this person went about this in a way that's completely different than the way that I would. This is interesting and I've learned something, and obviously vice versa. What we don't want, like, there was a suggestion that maybe we live stream this. I don't feel super comfortable live streaming it, because if we do come across a serious vulnerability...

C: ...we've just accidentally zero-dayed the world, but assuming that there are no serious issues that come out of it, kind of promptly putting it on YouTube, and maybe have a series of these where we have eight or ten different folks that do this regularly go through this, so you have a short series but have multiple of these. So that's kind of the proposal.

C: I don't think there's anything much more formal than that, but there's also really no cost. It's really just the time of folks that are willing to do this. I think somebody recommended we actually do this as a Zoom chat, where you have other people kind of looking on and talking back and forth, and that might be interesting too. I'm up for anything, but I wanted to get folks' thoughts. What do you guys think?
G: So we do something quite similar as our usual threat modeling activities at Red Hat. It's a mix of threat modeling and architectural review of different systems. It could be part of the operating system, it could be something internet facing, and what I can tell you is that it is a very rewarding experience. It helps with raising security awareness of the engineering teams, and one important thing is that not everything is documented.

G: There is a lot of knowledge that is not written down, and it's a very good opportunity to have them look at their own projects from a different perspective. So our strategy is usually providing these engineering teams with the time and space to take a different perspective on the system, and we act as facilitators. We normally, I mean, my team normally brings the expertise when it comes to security in general terms, not that these engineering teams are completely unaware, but we kind of bring the methodology and the experience in this practice, and we drive.

G: This is normally more than one session where we dive deeper in specific pieces of the information system, those that are more critical or maybe more subject to attacks, or maybe deal with sensitive information or identity management, or anything like that. Sure.

C: That's great, thank you, and that totally aligns with our view of the world too, in terms of the most important part of threat modeling is the discussion and the, wait, those boxes don't connect, they do this other thing, and everybody's like, oh, I didn't know that. So it's good stuff.

B: Luigi here. I like this idea about how to do a security review or code review. It's very interesting, and I totally agree with David about the threat modeling. That is a step before maybe they write the code or implement something, and so there is a threat model and a review for that model. But the security review is very difficult, because every ecosystem or infrastructure can be different with different languages, and maybe security engineers don't have the knowledge for every language, or a very deep knowledge for every language.

B: It's normal, so I probably have some, I don't know, list of very important points for every language or for every sort of common implementation can be very helpful. Online there are some good approaches to write secure code, so don't miss this, follow how to escape characters or input and so on, but to do a security review is a bit different. So how to find something or not find something, it can be interesting, I mean, for me from a user perspective.

B: I think it's very interesting, but I don't have a good suggestion at the moment on how we should proceed. I think that the topic is very big, so maybe we want to find some good scope to not go randomly. That is.

F: So on this thing about the scope, I mean, for example, for our company we do this kind of reviews for our clients all the time, as in we prepare bug books by running our tool and looking into that. It can also be done by, for example, using the Docker image that you have prepared and looking at things that we found, and then yet another approach is what David was suggesting, which is looking at it from a threat modeling point of view, an architectural point of view.

F: So there are many ways of doing this. As Luigi was mentioning, scoping it out and perhaps create some episodes, like, let's imagine, instead of just discussing the vague concept, we can talk about maybe 10 episodes and then whatever is going to be covered in each of them, and then we can start working into that. That could be one way of concretizing things. Thanks.

C: So, just to clarify, when you say episode, are you thinking for a given project we have one episode where it is focused on threat modeling, perhaps with the maintainers in the room, and another episode might just be run these types of tools, another one might be setting up fuzzing, another one might be reviewing the results of fuzzing? Yes, kind of, okay. So.
F: Yeah, or as you were mentioning, we can look into languages, like doing something in Java is very, very different than doing that in JavaScript. So perhaps that too, and so on, but I mean if we have a clear plan like okay, we will concentrate on these 10 topics, then we can just start focusing on that, and then we can also think of some of them may require a Zoom session, having multiple people and so on, but I mean it's first...

F: Scoping them out is probably a key point here.

C: I don't have thoughts at the moment on where to go from here. I think we could find a project that's kind of willing to engage with us on this experiment and then use them and kind of define this all out together. Try it once, do a five or eight part series, and then review and look at it and say, well, we would do this other thing differently, and then try it separate.

C: Next step here: connect with the mirror for suggestions on how to proceed, and we'll talk about it again in two weeks.

G: David, can I suggest that we do this with the project that we just approved?

G: That would be showing how a project, I mean, I don't know in which stage that is, probably in design phase at this moment, and it is going to have some assets deployed somewhere. There's an architecture to be designed, and it doesn't really matter that the project is not too complex or anything. It's actually probably a good thing, because it's going to be easier to do a threat model; it's going to be simpler to show how that could be done on a less complicated piece of software. Yeah.

C: So yeah, I think we're months away from code on that. We should absolutely do that. If we wanted to do something before that, so I did a kind of a test run of this, just myself, with none of the threat modeling stuff, but more just kind of a code walkthrough and running tools against a really small npm module that I figured would take 15 minutes and be done, and after I stopped...

C: ...the video, I realized I'd been talking for two hours, and there wasn't a lot of empty space in that, so I was really surprised at how even maybe a thousand lines of code could generate a lot of work. I guess so. We could also start with very, very simple projects.

C: You know, I mean, even, and do things like that to kind of experiment out on each of the different, like, play around with threat modeling, before we bring it all together with one project. But yeah, we should absolutely dogfood this ourselves, really on anything that we do. I mean, why not do this on Scorecard, or I don't know, pick a project, or we could do it on the current metrics dashboard, but...

C: You're doing anything, yeah, so okay, so let's connect with the mirror, we'll talk about this again in two weeks and we'll just keep moving this one forward.
C: All right, let's see, for the next part of this, could I have the normal project updates. So we have Security Insights, we have the virtual maintainer summit and Moonwalk. I feel so horrible, I am literally, if I look up, I see nothing but unread emails above me, so I know I owe you a response.

C: I promise I'll get you a response today, and I think the answer is yes, I will be on the steering committee and all that, but I wanted to give you a more precise, but so virtual security is a virtual summit, OSS maintainers. If you want to talk about that, what else, office hours, I don't see Marta, I think there was a while we're talking.

C: I'll look to see if there's an update for office hours, and then Assimilation, I haven't made any progress on that. That was just kind of lower priority, because I did not get a resounding yes from the security response mobilization stream folks, so I don't want to spread things too thin and not be able to make progress on anything. So I think Assimilation I will wait another month or two and then maybe pick it up in the new year.

C: On how we want to proceed there, Assimilation was the open source SIEM, where we monitor the ecosystem and look through metadata and then actually alert out.

B: Yes, after that you tagged me in that Twitter thread about people that maybe don't want to receive pull requests created by bots or in an automated way.

B: I think this can be the last pull request that can edit the Security Insights schema without changing the versioning, and next step I would like to improve the Python script, because I can, so it's not a big issue. I just need to find the time to code, and my question is for you: I think that the first version is ready, definitely, and I would like to start to open issues or pull requests.

B: I need to define this approach in some open source project to ask people if they want to implement it. I can also create the Security Insights for them, because if the project is open source, probably I can collect every information, and if the maintainers want to add more information, of course they can, and of course the pull request is approved, reviewed and merged by the maintainers, not by me. But my question, so I have some questions.

B: One is, I can start to open pull requests or issues in a personal project, asking people to implement or to add the Security Insights, explaining what the project is, of course, and the second question is, can I do it as OpenSSF or just as Luigi that wants to improve the security, and the third question is, if I can start to do this, do I just start from my own list of open source projects that I know or something similar, or can I use the Alpha project list?

C: I think obviously you want to start with friendlier projects. So perhaps the friendliest projects are OpenSSF projects, so maybe for each of the tools that we have a repo for in ossf, start out with them. I would say you start out with an issue. I think the conversation we had over Slack around...

C: ...you know, automatic pull requests and all of that, I know that we had enough people on there to declare consensus, but it seemed like opening an issue and saying here's a thing, are you interested, and then if they say no, then that's it, and if they say yes, then a pull request follows, I guess would be more likely to be perceived as, I don't even know...

C: ...the right word, like socially the right thing to do in open source projects, so I would suggest doing it that way, and not just landing a pull request.

C: I think you should be prepared for the question, well, what uses this information, and that was the conversation around Scorecard and whether or not Scorecard was amenable to parsing the Security Insights back and doing something with it, and I apologize, but I don't recall where that conversation left off.
B
Am
open
issue
so
I
moved
to
this
discussion
about
support
the
security
insights
in
scorecard
in
after
a
meeting
with
the
scorecard
team.
I
have
opened
it
yesterday
if
I
remember
correctly
and
issue
in
the
scorecard,
where
I
asked
to
support
security
insights.
Initially
it
can
just
be
a
draft
pull
request
to
implement
the
support
and
the
I
don't
ask
to
use
the
data
in
the
evaluation.
For
now.
B: It's just to try to support it in some way, and in particular it can be used to reduce the false positives, for example, or to align APIs that are missing on another platform, because Scorecard works with the GitHub API or GitHub information. But GitLab has different API information, same for Bitbucket. So if we start to use just the API, my concept is that we can have different information per project and we cannot compare them. If we have the Security Insights, we can try to balance, especially if they are moving to GitLab at the moment.
B: I don't know how GitLab works exactly, what are the differences between GitLab and GitHub, but I'm quite sure that there are important differences between GitHub and Bitbucket, for example, that it is less popular than GitHub but still used, and, for example, Google has all, not all, but a lot of Open Source projects directly on their platform, googlesource.com, for example Android or PDF, and so, okay. We can use the API for a lot of reasons.
B:
C: Right, and at minimum, you know, I think we discussed, like, the file is always the... well, it's either the overlay or the underlay, depending on which you trust more. But if the platform has everything, then the file can be empty and you get the same information. Yes, you know, but so it's really to fill in those gaps, and there will always be gaps. So okay, cool, so yeah, I would suggest starting with, you know, issues in OpenSSF projects.
C: And then seeing how that goes, and then we could certainly have the conversations with the products that we engage with on the Alpha side. I think they would be... you know, I mean, Apache might be particularly interested in this, because they do things very differently and I don't know that they have a way of programmatically
C: expressing that. I mean that Apache literally was, I think, one of the thoughts that we had when we first started talking about this a while ago. So.
B: Yes, and either knives can be helpful, but it's definitely different. Security Insights has more information. It is a YAML file, so it requires time, at least the first time, some minutes to write it, yeah, but I think that the challenge is quite similar to security.txt: convincing people to add the file in your website with some security information is similar to convincing people to add a file in your repo with security information. So, I know that adverflow is in this luck.
B:
C: Did we ever... I keep apologizing for not knowing things. The Security Insights, because we're gonna do, like, a wizard web thing that could
B: help? Yes, I need, I mean, I am definitely slower to write TypeScript, but I don't think it is so difficult to create a client side that can do this. Okay.
B:
F:
F: No, so I spoke with Luigi last week or two weeks ago, right. We had a long meeting about, like, how we can probably integrate it. We were also experimenting with this, like automated pull requests and everything and how this can be integrated in the workflow. At that point we were also discussing the wizard thing, so, like, I need to discuss this with Michael as well, as in, like, what we should do as next step and so on.
C: The... is the, what's it called, the Security Reviews Quick Start wizard, like, is that 90... is that essentially what you want? Let me find what I'm talking about.
A: Quick Start this.
C:
B: That's nice, no other question. I mean, I want just something that you check the boxes or you add the link or the information. The client does some check following the schema; in the schema there are also already the regexes, so it's not a big issue, and the client prints the well formatted YAML. Stop.
C: I'm trying really hard not to say that I can find time to help, but I think this should be relatively straightforward, so I...
B:
C: Yeah, let's create one. Okay, you want to create one, we'll invite Roderick and me and, okay, between everybody we'll get something done. Okay, terrific! We just have a few minutes left. What
F: about the... yeah, let me just quickly, like, one minute summary of whatever. So Alex was supposed to do this, but he had to leave for a call. So he asked me to do this thing. So we have been meeting for the past three weeks. We have created a basic... so we were talking about the scope, like whom to invite and so on. We were also talking about the format. It's not that we have a consensus yet, but we are getting there.
F: We were also a little bit confused, like, for example, whom to go to for this and everything. That's why I approached you regarding a state or the committee and so on, because we wanted people who are more involved with the Linux Foundation and OpenSSF. Then what happened was, last time we met David Wheeler.
F: He suggested that Emily Fox be joining our group, and she has been... I mean, she does this kind of conferences a lot and she's an expert in that, so she has been very helpful. So per her suggestion, we are right now connecting with the Linux Foundation events people; we have a couple of contacts, so we'll be basically executing it through them. So for now the plan is to just create a program committee, as we have, like, the three of us, perhaps Emily involved, maybe you if you're interested, but...
A:
F: I mean, keep it simple: let's talk with the events guys and figure out the logistics. The plan would be to perhaps do a small virtual version in the next three months, four months horizon, and then perhaps have another in-person version when the next year's OpenSSF Day is, which I think is in June or something.
G:
C: To do it in, you know, kind of early December, great. If not, you know, New Year is fine, but, like, you know, have that be like 10 people and then, you know, have a one... That's because I think, if it's below a certain size, you don't have enough, like, cross-pollination to have it be useful, and have one up with, you know, I don't know, 50 people in like March or April.
F: Between the people who are involved, I think we can easily get solicitation from... at all, participation from, even like just personal communication. We can actually guarantee participation of like 10 or 12 important projects in very quick time, so yeah, we can probably try.