From YouTube: OpenSSF Day at OSS NA - Action & Impact Panel: How OpenSSF and Industry Improve Open Source Security
Description
OpenSSF Day at Open Source Summit North America - Action and Impact Panel: How OpenSSF and Industry Improve Open Source Security with Tracy Ragan, DeployHub; Rao Lakkakula, JP Morgan Chase; and Bob Callaway, Google
A: So let me just briefly introduce you by name and affiliation, and then I'll allow you each to kind of go and give kind of a deeper intro, but: Tracy Ragan from DeployHub, Rao Lakkakula from JPMorgan Chase, and Bob Callaway from Google. All three of them are folks who are deeply... sorry. Sorry, involved with OpenSSF, with the governance: Tracy and Rao are both on the OpenSSF governing board, and Bob is the chair of the Technical Advisory Council. So I thought it'd be kind of interesting to put together kind of a closing panel, again looking at how do we help business understand the impact of what we're doing? How do we help make the case for this kind of internally in our own organizations? And security is one of those things that companies sometimes get a little rivalrous about. We would love our customers to believe that we're more secure than the competition, right, either directly or indirectly, yet working in OpenSSF kind of is about sharing that as a first-order principle. So why don't we just kind of go down, and I've got a few questions for my panelists to start, but then we'll kind of open it up to broader conversation. So why don't I start with Rao?
B: I'm Rao Lakkakula, the head of product security in JPMorgan Chase. After working in startups and technology companies for 20 years, I thought it's fun to work in a bank, so I joined JPMorgan Chase three years back, expecting, like, a bunch of guys wearing suits and running around, and developers in the back, like, working in a dungeon. But actually it's the opposite. I'll talk more about it. It's actually a tech shop with a bank face on it.

So it's interesting, so with the OpenSSF, I mean, as Brian mentioned, I'm serving on the governing board. Now I've been doing that from 2020, from the inception. Before that I was part of the board for the Open Source Security Coalition, which is merged into the OpenSSF. I served on TAC; Bob is serving now, but I was on the TAC last year. So I have a relationship with OpenSSF. JPMC has been, from the beginning, a big supporter of open software, and we are a premium member now.
A: Great, thank you. Let's go to Tracy next. Tracy, as representing to some degree the kind of the startup ecosystem in this world of what are otherwise kind of the big monster players in the tech industry: tell us more about DeployHub, tell us more also about what kind of led you to participate and join OpenSSF.
C: We sold that to what is now Broadcom, and that product has been around now for 27 years, still pays the bills, but now we saw a shift coming with microservices and said: how do we reimagine that? And how do we start tracking SBOMs from that perspective, when you have lots of SBOMs and no way to aggregate them up to the application level? So when I saw the OpenSSF start to shine, I was like, oh, they're my peeps.
A: Like, finally, right. And Bob, let's go to you. Google's investments in open source security are legion, now, you know, kind of well-known, but why? Why is that? I mean, Google's a big contributor to open source in general, but this seems to have risen in importance very recently, and could you tell us just more? I mean, Google has made such a massive commitment to it. Yeah, just help us understand a bit more deeply kind of your role, perhaps, in that, and Google's priorities.
D: Yeah, sure thing. So I'm Bob with Google, tech lead manager of Google's open source security team, and our team is 100% focused on working on the same fundamental mission of the OpenSSF: to make upstream more secure. You know, in terms of your specific question as to why, I would point to, I mean, everybody knows what Google is and the role that it plays in people's lives.

That's given the company a very unique perspective to not only the scale of the challenges that are out there, but also to the breadth of different open source communities and practices that are being adopted, and so at Google we have the, you know, the blessing of being able to employ, you know, tens of thousands of people that work upstream every single day, and so it's that richness and that almost community dynamic that gives us, you know, the most informed opinion to say, like, look.

There is a lot of opportunity to make things a lot better, and so coming back to kind of our corporate, you know, rallying cry or motto of, you know, do the right thing, but do the right thing for the user. When you look at that space and you look at the places where you're working day in and day out, you have that moral obligation in some sense to give back and do better, and so when we saw kind of the formation of the OpenSSF.

We said, you know what, this is a really unique opportunity where we're seeing all of the massive players come together. We need to play a leadership role in that. So for us, the business case behind that is again, like, not so much in the "yeah, there's a ton of problems," but if we look at where our customers are going, even if we had a magic wand and cured all of the vulnerabilities and all the issues today, projects are still going to be created tonight that may have issues going forward.

So it's about really making sure that we're solving the problem sustainably in the long term, and so we realize that that sustainable approach needs a structural, you know, its own unique structural kind of mission, above and beyond just going and trying to clean up everything that exists right now, but.
D: No, I don't, I don't think so at all. I mean, you know, again, it goes back to the breadth of the use cases that we see on a regular basis. It goes to, you know, security is the cornerstone of our product and go-to-market strategy, in terms of where we see our differentiation, so there's benefits to us as a corporation that are very clear, but it's also going back to that notion of what do we do?
A: Rao, I'm sure there's somebody between you and Jamie Dimon. Jamie Dimon's your CEO, right? Okay, yeah, there's got to be somebody. Well, he hates Bitcoin. He was ahead of the curve on that. It was really good. There's got to be somebody between you and him who's pushing back, who's going, why? Why make this investment? Why jump in? We're consumers of this technology, aren't we?
B: So that's what actually made my life easier to support OpenSSF, is actually, I'll lay it up to Lori Beer, who is our global CIO, and Jamie Dimon; they're fully supportive of OpenSSF. That's great, so, yeah, I mean, do you expect that? But I think probably thanks to regulators, but actually security is considered as very important.
A: Yeah, again, it helps to have the White House beating a drum, but there's something that regulated industries, like especially banks, have to follow, which is the cybersecurity framework, right. Does that play a role in justifying this work?
B: Think, overall, the trend has been changing. I mean, rather than, I mean, Log4Shell for sure is a good example. I've seen the business executives asking the right questions about earlier. I think a few years back, the knee-jerk reaction would be, let's stop using it and let's build something inside, right, but actually now they're asking, like, hey, let's actually understand more about how do we help the open source community to do better? Where else we could actually understanding the critical software we're using. How do we help them community-wise?
A: An organization who knows how to price risk to five decimal points, though, I imagine some of the better statistics than the metrics that we've talked about to evaluate the trustworthiness of code would be helpful in making that case too, right?
B: Certainly we do that, right. I mean, as I mentioned earlier, we do actually have 53,000 developers. Now, you have 53,000 developers in JPMorgan Chase, which is actually a surprise to me when I joined. I didn't expect that number; that was actually 35,000 when I joined three years back. Now we're currently 53, so, as you can imagine, fifty-three thousand developers developing applications, and most applications these days have eighty to ninety percent open source software. That means we're actually using...

Exactly right, so half a million open source packages are out there for developers to use, so we do actually churn a lot of code, including, so we do actually have security controls and automatic mechanisms to look for security vulnerabilities, making sure the right software gets into the bank and also continuously looking for vulnerabilities in the process, like every day, right. So there we do have those mechanisms and that definitely helps, and.
A: Tracy, the same kind of question to you, but it's obviously at a different scale, like, how do you make the case to customers, or even to, like, your own internal stakeholders, about the investments you make in stuff that just goes back out and could be so easily picked up by your competitors and used to compete against you?
C: Good point about being accountable to your customers.
A: It's not, I don't think it's working, sorry, we'll just get. Why don't we just get the handheld mic up here? Yep, I'll run.
C: So I think being accountable to your customers is primary, but we're in the business of doing security. So, you know, we're in the business of, right now, where DeployHub tracks, it's a catalog that tracks your supply chain and who's using it. So if we're not doing the right thing, we can't expect our customers to be doing the right thing. So in our world, it's leading by example.
A: Well, the three of you either lead or are lucky enough to work for rather forward-leaning organizations on this topic, though I imagine there's folks out there working for orgs where you're kind of here on the sly or, you know, kind of, because you believe in the importance of it, but finding, carving out the time to be able to commit to it might be a bit of a challenge.
B: I would say, I think, for any size company, startups too, like a big bank like JPMC, innovation is the key to move forward, right, in a way faster, like innovate faster. Actually, open source is the key, in my opinion, right; you don't want to, like, reinvent the wheel. So if you think that way, innovation faster, open source is feeding that, and then security is the key to actually enable the technology securely so that we keep the customer trust intact.

So I think, if you think that way, no one actually is opposite to innovation, like, all the business wanted to is enable the innovation, move faster, deliver value to the customer faster. I think making a case that way, I think, makes it easy. So I think we just have to tie that back and educate the business people about how the open source is securely making their innovation go faster.
D: I think the dynamic I would highlight there is it's also about, open source gives you an opportunity to learn from peers around what's good and what's bad and being able to take that back to drive that innovation engine. I mean, in my old jobs before this, you know, I often talked to customers and, you know, was seeing a trend towards, you know, the overall release pipeline and supply chain is really a core part of a company's intellectual property, not just from a risk perspective, and that they need to do it right.

It's how they engage with their developers. It's about the cadence upon which they work, and so, you know, talking about the learnings that you get from engaging in the community here helps to really serve that core innovation engine or just the core infrastructure there. It helps you personally to help develop your skills and learn from others. It also helps the company really position themselves to attract the best talent and go after the market opportunities that they have. So it's, in some sense...

You can look at it very short-sighted and say, yeah, there's some security problems, and maybe these are projects that we use, but if you actually start to lean into that diversity in a meaningful way, you can actually make your internal systems and your own career, you know, pay off dividends in ways that maybe you never thought of before. So it's, I think, about playing the longer game and really appreciating that there's a lot of insight and learnings that come to benefit all of us by engaging in upstream.
A: Yeah, you know, in the early days of open source we kept trying to come up with ways to justify companies, you know, spending time and money on this, and one of the quotes that helped us came from a Sun co-founder named Bill Joy, who said, you know, most smart people in the world don't work for you. You know, there are more people outside of your own organization.

Maybe JPMorgan has enough people inside, but my sense is, and tell me if I'm wrong on this, but my sense is that people are realizing now that in the field of cybersecurity it no longer is enough to just buy great, you know, point tools off the shelf and have a bunch of internal controls, that there is much more of an "it takes a village" kind of thing, there's much greater interdependence, even between potential competitors, to try to close some of these issues. Is that...
D: That, I mean, if you look at the dependency graph for Kubernetes, it's one of the famous images you're probably going to see all week long in talks, right, it's a mess, it's an intertwined web of all of these things, and so even if you solve one key point, like, okay, there's still 100 more to go after that, right. So it begs the question: what are the patterns?

What are the systemic approaches that we can solve, that we can use as approaches to solve the problem, and in doing so it's about sampling the community. So I think it's absolutely true.
A: Is that why Google open sourced SLSA and brought it to the community? Because it started life, if I remember correctly, as Google's internal kind of DevSecOps pipeline tool, right, to manage...
D: It could risk around deployment, yeah. It comes from our internal systems running on Borg, which is kind of the predecessor to Kubernetes, something called BCID, but it was really about, hey, if we understand how to apply that within our own infrastructure.

That's great, but if you look out there for the broader open recommendations around best practices, how to do this? There really were point things here and there, but there really wasn't a single place to actually talk about, you know, for instance, you know, verifying the integrity of source all the way through the pipeline to get to prod: what are the best practices, and leave it in an implementation- and tool-agnostic way.

So, just literally saying what are the right things to ultimately do, and so I think what we've done with SLSA is not only just say what it looks like, but we're actually helping people to answer that in the environments where they really are, so go where the projects are. If they're running on top of GitHub Actions or they're going, you know, on top of GitLab or other CI infrastructure.

How can they ultimately take where they are today and implement one or more of those best practices and make it actionable? That's where we've seen a lot of the engagement around that community, not just, like, hey, let's all tell people what to do. There's plenty of people pontificating about what good looks like; helping them get there is really where we're trying to take the SLSA community going forward, but yeah, it does come from our own learnings of building out our own web-scale infrastructure on the Google side.
C: Well, I would say when I first saw SLSA and started, you know, reading, I realized that we finally started looking at our new DORA metrics. To be quite honest, I always tell people the DORA metrics, we can still use them and they're still important, but they may be getting a little bit long in the tooth, and I think it also really helps us pivot a bit from that.
A: So one of the things that's different about OpenSSF compared to other Linux Foundation projects is we're not just about writing some code and shipping it, right, or even, you know, lots of different, hundreds of pieces of code; we're also about education materials, we're also about specifications like SLSA and tooling to support that, but also we're looking at a number of projects that lend themselves to a little bit more like the, what, Let's Encrypt does, which is another Linux Foundation project.

It's very much a service rather than a piece of software that has kind of commoditized the TLS certificate space, right, and there's kind of some active questions in the community about: are there other kinds of information services or other kinds of systems that perhaps started life as something that a company built as a proprietary thing that it's about time for that to potentially become community-managed or community-governed? And I don't know if either of you have kind of thoughts on this, but are there? Are there?
C: Well, again, I come from the, really, my head is so into compiling, linking code and putting the pieces together, and then from an open source perspective, we've really built this massive Death Star with all these interdependencies, and now we've got to clean it up and sort it out. But when I, you know, if we could talk about AI just for a minute, there are these foundational models that are starting to come out that's going to be generating code, like Microsoft has Copilot, I feel like.

So, and that's not going to be the only foundational model that's out there; there are a lot of AI companies that are really pushing to build these foundation models, and what's in them and who's using them, and as soon as we start consuming them. If we have 53,000 people at JPMorgan alone, and as Jamie pointed out, education is important, bringing in new-collar workers, I can promise you that they're going to be using these foundation models to create code, so I'd say that's an area that the OpenSSF should be looking at.
D: Yeah, two spaces come to mind. One is around, you know, the Sigstore project certainly is maybe the trigger for the question, but, you know, looking at how Let's Encrypt fundamentally disrupted the TLS market, not really of, like, hey, we're now going to give something away for free, but there was this underserved market of people that just said, hey, look, it's too difficult to go get a certificate, and arguably, like, okay.

It wasn't super difficult to get one, but to keep it up to date and to understand the life cycle of what that looked like, that was daunting. So if you look at what was done there, I think this, what the Sigstore project has done around code signing certificates, there's a strong analogy to really removing as much of the friction as absolutely possible to get a certificate, but then managing the key material.

That's behind that, and removing as much of that friction as possible, again not trying to position that that is one model that everybody must use. It is an option, and the Sigstore project aims to be very open and modular to adapt to different folks, because people, let's be honest, banks are still going to own HSMs. Companies are still going to have hardware keys. Those are not going away anytime soon.
D: It's running in GCP with our world-class services, so we're, I think we're good on that front. Okay. That being said, I think the other example being the OSV project, right. So you take, hey, we've got vulnerability information from many different vendors out there of different levels of fidelity. Depending on what project you're talking about, we said, look, how can we normalize this and define a common schema to answer very simple questions about: I have open source package X.

What vulnerabilities exist in that package, and having just this very simple, canonical way to answer that question, so we within the OpenSSF created that, but again, a schema does no good if there's not actually a service behind it to give you that information, so the OSV API that we've launched, you know, aggregates all of those different sources that are out there, from the package managers, from different vulnerability databases. It makes that very easy for folks to consume, and we're now seeing adoption come full circle within Python tooling.
B: I think most of them are actually free for public open source practice. That's a great thing, but still, I think the fundamental problem is we still have a ton of tools finding issues; we're still lacking the tools to help the developers and maintainers to fix the issues, right. So I'm actually would like to see more. I mean, there is some research happening, like OpenRewrite, there's a, but I would like to see more of, like, OpenSSF taking on that programmatically.
A: I think the biggest challenge there is dealing with false positives, and somebody has proposed, I forget which working group this is within, but proposed an AI model to try to help weed out the false negatives from reports back from automated scanning tools. I don't know if it's really the right kind of tool for the job, but it's worth at least trying to figure out: can we get better at that? Because that's the main reason open source developers haven't used...
C: Yeah, I think that if we asked, most people still turn off warnings when they compile their code, and I think accessibility of the information becomes problematic as well, because, you think about it, you generate an SBOM, for example; it's in a text file sitting somewhere where you generated it. Where is it? Did you version it? You know, and then you've got to map that out to get your vulnerability.

If it's not in their face, I mean, I'm guilty of that in so many ways, it's like, I don't want to have to go dig for the information, I want it served to me. So I know that we have SBOMs Everywhere, is one of the projects, and I'm working on that, and I think that that is going to be a primary area to have SBOM information and the vulnerability information available to everyone and make it easy to find, not go...
A: Neutrinos, though, bit flips in memory, so cool. Well, I think we'll have time for one or two questions, and this can really be open-ended about, like, what folks think about the future of OpenSSF or things that we could be doing or things that are going on now you might not know much about, but let me just ask one question before we open it up: what is the most unsung hero in the OpenSSF circus, like the project that you guys think should have a whole lot more attention paid to it, or...
A: Alpha-Omega, okay, great, right.
A: Mine is, we have a repo called, creatively enough, "security-reports" that attempts to be an archive of all the third-party code reviews that have been conducted on open source projects, if I have that right, David; I might have that wrong. Okay, I mean, the goal of trying to understand who's been actually looked at by third parties, and is there a consistency to the reports? Is it worth trying to create a, you know, a Wikipedia-style kind of archive of this information?

I think it'd be a great set of knowledge to have in one place when I'm going out and looking at what software to use, so anyways, I'd love to see some more investment in that. Okay. With that, why don't we open it up to some questions? It looks like Amanda, you had your hand up, so do you want to yell it out?
A: So Amanda's question was (she's from OpenUK, by the way, visiting us from London, right, where you call home): how do we plan to work with other regions of the world and extend it a little bit, as well as other governments, and to do the same kind of thing we did with the White House? And I'll jump in, but feel free to add to it. So we are already an international project.

We've got both corporate members from Europe and from the Asia-Pacific region, and we have contributors; some of you traveled here from Europe, some of you traveled here from Australia. I don't believe, and somebody traveled here from Japan, our friend from Cybertrust, wherever you are. And though great, and we do tend to, though, have an unfortunate reliance, in my opinion, on Zoom calls as the fundamental communications buffer or bus for the community, which has some great upsides.

I've loved seeing all y'all's faces on Zoom calls over the pandemic, but it does make it hard for those in time zones that aren't kind of US-centric to participate, and so one of the things I'd like to see, and I don't want to push this too hard, because I want people to be productive and not haggled, but I'd love to see us use email more or use other asynchronous collaboration tools as the most baseline level of form for collaboration.

I see our friend Caleb nodding his head vigorously over there; he's from Australia as well, where most of our calls happen at two in the morning. So I can see why he agrees. The second part of that question was working with other governments. So, as I mentioned, nothing in the mobilization plan or the meeting we had was US government specific. We simply wanted to make sure that our friends in government knew what we were doing and that opportunistically we could find ways to collaborate on one or more of the mobilization streams.

The European Union has put a whole lot of priority on kind of open source software as a policy-first kind of thing, which is great to see, and that kind of convening, where you bring together folks from different parts of government, folks from local businesses, to talk about the challenges with securing the open source community, but also the opportunities, is a very repeatable kind of format, and I would hope that it would help us in the long term fill the gap between the 30 million in pledges we've raised and the 150 for the overall plan.

But even if all we do is go there and find new allies, it's worth me getting on a plane, so no plan more specific than respond to all the emails so far, but we've got a few meetings in flight that we'll be as public about as soon as we can.
C: So what we ended up doing was we have sort of an offshoot of our architecture meetings that we do specifically in their time zone. It does require some additional work, but boy, is it beneficial. Really, really is super beneficial. So if you're on an open source project, I would say find a partner in that region and let them, you know, take a project and run with it and kind of build their little offshoot of the open source project. It is a huge way to go.

The other thing that we're doing to try to solve this is, I'm not a fan of Slack or Discord for tracking these kinds of conversations, so I've reached out to the DevOps Institute. They have something called DevOps in the Wild, where it's actually community discussion boards, and we're asking if we can have an Ortelius discussion board out there, so you actually have a historical record. It's almost like a Stack Overflow for the Ortelius discussions, so those are some ways that we're trying to address the problem.
A: I feel very old suggesting we use email, because I know all the kids want to do PRs by TikTok these days. But what is there? Actually? Okay.
A: Right, but yeah, I think, and well, actually, another example of this that I forgot to mention: so one of the reasons that open source communities often have the hardest time trying to reach is China, because you have the time zone difference, the language difference, and the firewall differences that make using tools like GitHub and Slack and others just a non-starter.

Chinese developers focused on helping translate and eventually contribute back upstream to the guides and the other work products of the Best Practices SIG, or Best Practices Working Group, and if that model works well, we see replicating it potentially for other countries where the language barrier can be substantial as well, like Japan or South Korea, or countries where time zones are issues, like India as well, another great one for sure, the Middle East as well, and then potentially with other working groups as well.

We didn't want to try to boil the ocean by doing an OpenSSF-wide one just yet, but I think that's key: meeting them where they are so they can use the tools they're most comfortable with, WeChat, for example, and they've got their own Zoom equivalent and the like. So I think that's key to reaching local audiences. Anything else folks wanted to add?

B: I think, as Brian mentioned, all the work streams actually work globally, right; there's nothing specific to, yes, obviously the U.S. executive order is helping to mobilize some of them, but projects are actually global. I would like to see actually the regional leaders actually step up and maybe have the local chapters, and maybe you can have regional OpenSSF Days in future. In.
A: Arnaud Le Hors from IBM was with me on Hyperledger, where we built a network of over 100 different local meetup communities, city by city around the world, who would host regular kind of gatherings, and that kind of, you know, withered during the pandemic. But I think we're at the point now where those kinds of things are happening again, and whether it's us, or us showing up at BSides events and other security community events already happening locally and face-to-face, the point is kind of fan out and try to get more base into what we do. Sure, go ahead, Amanda.
A: Thank you, Amanda, that'd be great. I do think we have time for one more question, especially since we tend to give five-paragraph essays to answer. Yeah, in the back there, yep, go for it.
A: You mentioned AI and building sophisticated models, so kudos on that. But, sorry, I'll repeat the question. The claim was in three to five years, most cybersecurity issues will be about automated systems versus automated systems, and we might lose the battle if we deal with it too much as, I'm extrapolating here, as a cultural, you know, community, "let's just go find all the bugs and fix them" kind of thing. Instead, AI models become much more important, and just new kinds of defenses. Have thoughts on that?

C: Thank you for asking the question, and I brought this up in DC.

We can do a lot to shut down a lot of the, you know, penetration points, we'll just call them, but we can never be a hundred percent, so I feel like what we should be doing as a community is really coming up with a FEMA response, right. How do you report a problem? Then what happens? What is the escalation? Is there a central organization that reports to everybody what's occurred?

I'd love to find out, when Jamie, when IBM found out about Log4j, or whoever first discovered that, which I don't know, what did they do? I'm a developer. I found a bad problem. What do I do with it? I feel like that is where we really should be looking at creating a proper response, because outages matter, security breaches matter, and that's something that we should be laser-focused on to solve the problem.
A: Well, I think we have a volunteer to help convene it, perhaps. Oh, is that, no, I think all the hands were, like, volunteering to go help, so put together. Ava is going to help you put together a great proposal for the TAC, and I think we have working group number eight already in hand. Great, cool. Well, with that, I think. Are we at the time?
E: To the room, I'm not a technical expert on the government of this issue. So to that point just now, that, you know, you can't close yourself out of that issue, and it sounds very much like some of the conversation we're having around incident response, which is sadly kind of really lagging behind on what we're doing from a government perspective. But is there something where you feel like it's completely falling short, any other ideas? Do we need to push, you know? I mean.

Obviously, the White House is extremely interested there from a federal government perspective, trying to really throw money behind it and do a lot of things, but is that the right direction? Do we need to push them into something different? Does there need to be a more global response? Easy question.
A: Let me suggest mapping out, like, what does CISA do, yeah, you know, in the event of, like, a future Log4j; I'm just looking for Alan. What does ONCD do? What does the National Security Council do, as, like, the government side? But then also, what does CERT do, right, in response to Log4j? You know, that was where there was, it was actually discovered by a Chinese developer working for Alibaba, who appropriately reported it to the Apache developer community.

They made a commit to a repo that mentioned a CVE number, and then that triggered, there's a whole bunch of vendors out there who watch commits, who went, oh, there's a CVE number in this commit, I wonder what that's for, and then that led to it inadvertently getting out too rapidly. I might be way, massively under... okay, thank you. And so there, possibly, if we were to map it out, we could probably find a gap, and I think one of the gaps that we found really spoke to...

One of the mobilization plan points, which called for the establishment of the emergency response team, right, which is modeled after other things that we've seen work but not as open source focused as we proposed. But even if we propose that, I know that's what you were responding to with a comment in DC, there might still be a need for somebody who is more FEMA-like to complement those efforts. Yeah.
F: Disclosures Working Group has created a SIG, the OSS CERT SIG, which will have our first meeting the first week of July. Anyone that is interested in scoping out and trying to contribute to solving this problem, everyone is invited.
A: So if you're interested in this problem, find CRob, find Tracy; there's a meeting the first part of the first week of July to focus on this, to get that emergency response team set up. Great. Well, I think, with that, that's a great place to end on. I want to thank my panel. Thank...