From YouTube: OSS SIRT Best Practices (July 26, 2022)
Description: No description was provided for this meeting.
A: You share that link in the chat, so those.

C: Oh sorry, can you repeat that? My sound was not loud enough.

C: Hey folks, who are here already, let's give it maybe two minutes, see if we get some more morning people to show up.

C: Yeah, unless, unless you folks are opposed to it, we're just gonna get started. Yeah, summer, so I'm reposting the notes here. Just to, I don't know if, I don't think Zoom actually shows history when people join. So these are the notes, feel free to highlight your name.

C: The rest is old-timers at this point. All right, can we get a scribe for today's session?

C: And keep up. Thank you, Eric. Let us know if you need us to repeat or pause. Now, I don't think we had any open discussion points from last time at all, so we can actually pick up where we were, in a way. Now, SIG business news. We do have a mailing list now. It has so many S's. I think it's openssf-sig-

C: I think that's it. We've been using it for a handful of emails. If you are not on the list, do email me privately as well as krobe, and we will see if we can add you folks on it, but otherwise, yeah. Welcome to the amazing long-name list now.

C: Picking up the first item on the agenda here is picking up the review from DC. So essentially on day two, we had a few notes.

C: I was not there, but we have about 10-15 points of discussion here to get through. After that, once we're done with reviewing this here, we wanted to spend a minute to maybe have a look at the proposed changes that we had for the plan. So essentially, when we reviewed the plan for the first few sessions of this

C: meeting, we had some changes and so on and so forth, so we've gathered them into a doc here. Feel free to have a look before we get to it, but some folks have left comments in it, so we'll be having a quick look at it, and if we do have time, I wanted us to start talking about a mission and scope for the SIG, just to make sure that we clarify what it is that we're here to do and where we want to take this. It looks like there were some structural changes proposed to the plan that may affect said mission.

C: So it might be good to actually review that and see if we can settle for something that pleases most folks in the room. So.

C: Perfect, okay. Should we just pick one and hope for the best, or were there, like, major advantages to one or the other from your point of view?

F: I think the intent was to be the most inclusive, yeah, the most inclusive of the vast majority of the communities that we would be dealing with and interacting with.

C: And here, pre-release fix basically means that we would just, like, award... the product maker would send out a pre-release fix to the impacted products or the rollout products. Correct?

C: Okay. For most open source software that is small and medium in size, I don't think they have that kind of knowledge at this point, so, like, coordinating a pre-release fix is almost probably as complicated as, like, doing market research and understanding, like, you need a dedicated team to understand your usage base at this point.

F: Yeah, and that might be something that the education SIG takes on with consultation from this group.

D: I think that one of the things this SIG should and can do is to try to educate and potentially coordinate these with these small and medium projects, since there really are a lot, a lot more of them than there are very large projects that have the resources to do this, and so, whichever way we decide, we should probably be assisting them to make sure that they can actually do it.

C: I agree here that it might actually be good to coordinate with the education SIG to see if there's something we can do with respect to the office hours as well, to, like, prepare smaller and medium-sized projects for, like, dealing with embargoes in general, but this comes down to as well... I think, go ahead.

D: And is there some sort of infrastructure or clearinghouse of some variety that we can help to set up and maintain that they can use? Because the easier we make it for them, the more likely it is that it's actually going to happen, because they may not have the resources to do that sort of thing.

C: Yeah, I think it's kind of related to the "should we staff, or should we run our own instance of VINCE" as a coordination tool and offer it to the smaller groups or the smaller projects as, like, a place where they can actually coordinate.

D: Yeah, and you know, the question of our relationship with VINCE is a different matter, but certainly I would, if we can get away with it, I would rather we didn't fork or otherwise spin off a suite; a single source of truth is going to be much better for this sort of stuff.

C: Okay, maybe we need to think a little further about this as a group. I don't... I'm comfortable leaving it open for now, if folks are as well.

C: Next point is "when the world's on fire, no one reads the documentation," so I think that one's pretty clear. I mean, in general, I've always been... there's a, there's a playbook, I think around the UK NHS emergency situation, which had on the first page: if you're reading this for the first time during an emergency, just don't read it and do what you can. I'm a big fan of that. So I agree here. Like, what was the... Emily, do you recall the point of discussion here, or the...

F: Yeah, so the concern was a lot of these processes, just like we discussed, are pretty complicated, especially if you've never done them before, so providing any kind of guidance to a project without the subsequent level of training or attention can be extremely overwhelming, particularly in a situation where you do need to respond quickly.

F: So whatever is produced, like, there should be material that's available with a more personal level of engagement with the project and the maintainers about how to deal with a particular situation before it occurs, as well as, like, a cheat sheet or something else that just has, short and sweet: here are the main things that you need to do if you don't remember anything else.

A: A lot of kind of common... it's more of a cheat sheet really than a one-pager for a lot of common items around best practices for implementing security. Something similar would potentially be good for firefighting.

F: This one, I'm trying to recall specifically what it was about. I think the difficulty came in... discovering maintainers of certain projects is difficult, particularly if you're providing security incident response support to them.

C: Agreed here. This might actually be an interesting discussion that we may even have with GitHub and GitLab to see if there's somewhat of a, like, proposed best practice or proposed "here's a starter project template" that offers also a security.md file or something to report into. Vicky, you had an opinion?

D: So we can't just focus on just GitHub, so GitHub, GitLab, Bitbucket, all the various things: work with them to help, not enforce, but make it easier to do the right thing with your security.md or .txt, or what have you, and to keep it up to date. I mean, we all get those pop-ups when we log in saying, hey, is this still your email address?

D: Is it possible to get them to do something like that for, hey, is that security or maintainers .txt still up to date? And working with them to do that sort of thing would be very helpful.

B: Yeah, you know, I've been studying GitHub most recently, and more just to see if it has really good patterns that teach people who've just started to build projects and have adopters or forkers or whatever, and I thought this discussion just started to go along the edge of kind of governance and best practice, and I did a study about security.txt or security.md and I found them woefully missing and terribly exciting, and that's where I've been placing a lot of my emphasis, just looking at what are the few low-hanging fruit things that are just so worthwhile that GitHub has put in place, and then, you know, doesn't have any tools to measure governance or go...

B: Oh, my gosh, this project is missing security.md, or you know, whatever. You know, so this little piece of the discussion just really encouraged me, and I felt so out of my depth when all of a sudden we were talking about little tiny projects that didn't have a full security team. I realized, oh, my gosh, you know.

C: Mark, I don't know if you'd be willing to or ready to share some of the results of your analysis, even if it's just informal. It might be interesting to just have a look as well. Oh yeah.

B: Yeah, sure. I actually started to tool up something because I thought measuring governance artifacts was so cool, and what I found is they're woefully missing, and the code I was looking at was our company's code. And I thought, oh wow, is this a good security research project? So if I can boil it down to a paragraph, because I'm so chatty, yeah, I'll do that this week. Yeah, glad to see.

C: If this is something your team or your group has already thought about doing or looking into, you might have a lot more information on that kind of work already. Putting you on the spot here, Madison, sorry.

E: Oh, no, that's fine! We've talked about this a bit. I guess maybe the one thing I can share that might be somewhat related to this idea: we are internally, over the next quarter, working on a feature that will end up giving researchers the ability to privately disclose to maintainers on GitHub.

E: So this feature is, as you can imagine, quite large, and it's probably a little ways out before it'll be done in any way, but our CISO publicly stated last year that we were interested in moving on this, so the work for that internally is starting over, like, the next quarter or so, which will be very helpful for this effort.

C: That's good to know, yeah.

G: There is one thing, or how-to, whatever, but typically, you know, it's about who do you invite. The question is, you know, do we have an email list? Do we have a chat room? You know, how do we, how do we marry the people reporting to the maintainer? So how do they communicate, right? Isn't that... tell us, and you know, then, who gets access control to that, who gets permission to join? Isn't that the fundamental thing we're talking about?

C: So you're right, I think it's a communication issue that we're discussing. The registry idea is, I think, very specifically to how do you get researchers to know where to even contact maintainers, or with, for example, like Mark's study here on, like, the security.md or the intakes on GitHub? It's actually very sparse. There are very few projects that actually have clear intake on how to report vulnerabilities into the project and to the maintainers. Yeah, yeah, Anderson, I think that's, yeah, right. There is a communication...

B: I thought that was just interesting, and where I was going with this was not so much that it was woefully missing, it's rather that GitHub had, and other projects that want to follow GitHub's patterns had, done some really nice minimum project setup and also some community guidance, best practices, and that's along the lines of what we're trying to do. And years ago, when I said, oh, I want to take this Python project and put it some place,

B: then I had to go find out, what are the community norms? And that's really what I wanted to focus on with the study. Not so much it's good or bad to have those missing, but I'm really looking at the things that enable you to report, and one of the things that I'm still studying is both issues and pull requests

B: that actually are security notifications, and that's where I started with this, and then I actually went to a more broad kind of study. Well, what else enables this? And I found a couple, you know, where it's like, oh wow, nobody ever responded to that, and that was really far more interesting to me. Just like you were talking about disclosures and a private disclosure channel: fantastic.

B: What I've been doing is implementing a full text on issues, and I found myself going, I have a list of things I wish GitHub would do that would help maintainers go, oh my gosh, look at all these issues, are any of them security issues, and how would you do that? So that was the nature of my itch that I was scratching. Thanks for letting me share that.

F: So, if we're talking about a form of communication and contacting maintainers of projects, both for security researchers but also as the CERT, if we become aware of an incident that has a larger impact to the community, to make them aware, there are multiple potential communication styles and chat mechanisms for reaching out to them that should be considered.

C: I agree here. Matt, your hand.

G: I mean, there's a similar vein. I may have mentioned on a previous call, I'm a maintainer on an Apache project, so Apache maintains a list of all maintainers. They have a global email for any security center, all for all of the Apache Foundation. So my experience is that things are reported in one of three ways: people actually pay attention and report it to the global email for the Apache Foundation.

G: They report, they actually... there's a private list for the maintainers. They send an email to those maintainers, or they reach out to who they perceive as a maintainer on the project and email them directly. It's always, it always starts with an email, it seems, anyway, and people discard what cybersecurity.md is, email, and say: here's what I found. So.

C: Yeah, I've been receiving a lot of emails as well, and I'm not directly on some of those projects as well. So Matt, sorry, Mark, your hand was raised. Was it raised again?

C: Is there a group here or sub-group of folks who care enough about this to think about it offline and get back to us, maybe next week or in two weeks, with an idea or proposal on how we should approach this as the OpenSSF CERT? Because Emily was right here that, like, some of these topics, and many of, well, most of these topics, whatever position we take as, like, as a function will probably be what the OpenSSF recommends going forward.

A: Yeah, I mean, I'm interested in this topic. I also think, you know, there's some collaboration again, where this may be something that either the Secure Tools and/or Best Practices group may want to weigh in on as well. So it's something that potentially we should branch out in those meetings and see if we can just make sure we're not reinventing the wheel if someone else is doing it, and making sure that we collaborate a little better too. We don't want to work in a vacuum.

C: Perfect, I will email the lot of you and we'll reach out to the Best Practices and Education subgroup, if that's okay with everyone else here.

G: Matt, yes, well, it seems to me that one of the groups we have the most in common with is the Alpha-Omega project, because they're effectively setting up communications. They're basically coming in with a SWAT team and saying, hey, we're gonna help you secure your project and evaluate it. So they're setting up communication channels, they're setting up whatever tools needed, they're setting up a prescriptive set of toolchains to run against to test for other security and vulnerabilities, they're hosting infrastructure to test, and things like that. So it seems the synergy is there.

F: Yep, so I'm part of the Global Security Database group. It is an open source project that the Linux kernel and many other projects have been leveraging for providing suspected vulnerabilities as well as confirmed vulnerabilities. It aggregates vulnerability information from multiple sources, including CVE and a few others. They intend us to be a global location where researchers, security operators, and other individuals in the field go to learn about vulnerability information without having to go to Twitter all the time, because Twitter has the most, so trying to shift that traffic to a more formal location.

F: It's actually under the Cloud Security Alliance, because vulnerabilities, and CVEs in particular, don't necessarily fall within the cloud realm. They don't get reported that way. So this was also designed to address that shortcoming in the existing CVE structure.

C: Indeed, I don't know if we should indeed, like, take a stance with respect to that as, like, the CERT, but I thank you very much for sharing the information. Anybody had questions about it?

C: Emily, that might be an interesting little, like, 10-15-20 minute presentation for one of the SIGs in the future, if you'd be open to that, maybe not this week, next week, or if...

F: So this was the original point of the discussion on day two around this. It was creating that firefighter volunteer, lots of air quotes because the term volunteer was very hotly contested, but the point of it was that there should be a security incident response team that can provide assistance to projects that are undergoing an incident. The problem with that is that there are hundreds of thousands of open source projects that don't have a security person on them, or a security team, or a security file.

F: So you can imagine it can be very overwhelming when you have a widespread incident that affects build systems or tooling or something to that effect. So the proposed structure was twofold: that every project that had the resources and the capacity and interest to do so would have their own security team or mailing list; those that couldn't but were part of a foundation, the foundation would establish a security incident response team that those non-security-team projects can go to in the event of an incident.

F: So when you pick up the phone to call 9-1-1, you're calling your local emergency services. That's how it's being redirected; it's based off of where you're located. This would be a similar function in the event that there is a widespread incident that your local emergency response team either doesn't exist or is incapable of handling: they would escalate to the next higher order. So that was the structure.

D: Yeah, Emily touched on the point I was going to make right there at the end, which is there are a lot of foundations out there, and we need to make sure that we are coordinating with them, not dictating to them. There is a directory of open source related foundations that we can use. It's maintained by the FLOSS Foundations community. I'll just drop the link into the chat, and full disclosure, I'm one of the maintainers of it.

C: Okay, so I don't think we disagree on anything here. This is something we want to include in whatever action plan we have for the CERT, so excellent. Matt, yes.

G: Yeah, also point out that a lot of organizations, quote unquote, that own open source software actually are private companies, and often the private companies are a person. So we will have legal boundaries to, you know... foundations are easy to work with. That's the easiest case. It's where we get into situations where there are private orgs of a few people and there's legal considerations, and then the worst case, you know, the stuff that we would probably be concerned about, is the people who don't have foundations.

C: Next point: map out those cases and discuss these to allow mapping of this. So I assume that's with respect to the three categories you named.

C: Next bullet point: value of exercises and war games. The radical tabletop exercises can be useful, so I think this was already previously discussed. That's something we wanted to engage with the education group about.

F: No, I think it was also in part for security incident response teams to also execute on those, because there are different types of maintainer interaction.

C: How would you like to use zero day CERT? So, that's kind of like... that covers the topic of engagement and also connecting with, like, what it is that people need. I think this is one of the first bullet points we have with our own CERT plan, like discover and explore what it is that we want to offer as a service, more specifically. So I think this fits right in there. Any changes, variations, or ideas about this from anyone here?

C: "CERT of last resort SIG under vuln disclosure: discovery, disclosure." Eric, you've mentioned that this is a duplicate. Excellent.

C: And lastly, document how OSSF will handle reports and escalations. So yes, this will definitely be something we want to make very crystal clear, like, even if only for the legal reasons that might be attached to the fact that there's, you know, how many of us here, 12, and probably 10 different companies represented.

C: So Emily, sorry again, was there anything else discussed at the second day that wasn't covered so far, or that you think we should surface?

G: One last thing on the last point: I think that you talk about all these great foundations who have processes, you know, the OpenSSF. I just went to one of our flagship projects, FRSCA, and they don't have a security.md. You know, what's our own SSF reporting process? What's our own... how do we handle our own reports and stuff like that? You know, so we take ourselves through those exercises or tabletop games or war games as well.

C: Eating your own dog food, yeah. There are various names for this idea here at this point, but yes, fully agree on this one. We should, if anything, be promoting our own best practices.

C: For FRSCA, just file a bug.

C: Excellent, all right, so yeah, any other comments before we move on, or questions or reflections on these discussions that happened?

D: Just a quick one, because of the way the notes were set up: our notes for today are currently on the July 19th date. If we could cut and then paste those into the right location, that would be awesome.

C: We only have about 10 minutes, so we won't really... we really won't have time to... sorry, Vicky, did you have another question? Nope.

C: No worries, all right, so yeah, we have only a few minutes left, and I don't think we'll be able to actually review every box item or every item in the revised or suggested revisions to the plan. Let me link it here. I've linked it in the notes as well, but here it is, for exhaustive completeness, in the chat.

C: This here is the original plan that we discussed over the first two meetings, where we basically reviewed all of the goals and sub-goals and kind of discussed and saw if we could apply some variations to them, with respect to the form group that we have. I wanted to highlight maybe, like, some of the important points, so how to read this document. First off.

C: Otherwise, this... when you see two columns here, it basically means there were some changes, so yellow and green: greens are additions, yellow tend to be kind of delays or changes in scope, as defined above. So feel free to have a look here, and something we probably... there. Okay, thank you, Martha.

C: We do have a review stage, so I wanted to highlight, like, maybe we can actually spend five minutes to have a look at the big red boxes just to at least raise awareness that these topics were either not raised or incomplete in discussion for us to actually take a stand about it. So that would be this one, 2.4.

C: Does that work? Is there any opposition to just reviewing the three main unfinished points? And I would leave all of you to have a read of the document if you want to, and put some comments in. We can do an asynchronous comment session and then review this a bit more in, like, further discussions at the next meeting, if everyone's okay with that.

C: Awesome, so Martha's point here: we should remove this. We have a review stage below. So: "Propose writing software patches to remediate identified vulnerabilities only when specifically requested by maintainers."

A: Yeah, I mean, I guess the way I'm reading this is more about actually writing the patches, not doing reporting. So I guess I'm like, a review stage: so is this actually fixing the issue, or is this doing the review component? And does the review component further down cover the same thing about writing patches, or just doing the due diligence?

B: Yes, yeah, you know, I was a little concerned about it as well. I think it's a little premature if we were getting involved in actually having a fix team. I didn't quite understand that.

C: Yeah, write down some of your points here.

C: Feel free to comment or insert comments in the document as well, like, just to actually keep these things formally recorded, so we don't skip over them.

C: That was globally agreed point number eight. So this is a recruitment of a cohort. This definitely needs a lot more review. I don't know if we'll have time to actually discuss what timeline we want to do with the CERT: that we want to hire people, that we want to staff, like, a full CERT team and an incident response team, or just be a service that offers best practices and assistance with some needs. So we'll need to actually sit down and think about this more, like, very actively.

C: Point number nine: document publicly an operational model for the service, including... so point number one was commitment, firefighters. This is again the same topic, more or less, so I guess we won't get away from it. I just feel like there's four minutes left and it would just hurt to start talking about it.

C: Your homework, if you so choose to spend time on it, is to have a read about this plan and the changes and leave comments. You can have discussions in there as well. If you see typos, do inline, like, fixes. Don't wait for me on it. It's all good. I am not super good in English, so we'll all get there one day.