From YouTube: OSS SIRT Best Practices (July 12, 2022)
A: Ireland, and I was amazed at the diversity of the euro coins. It's quite exciting; there's some interesting currency. I like it.

A: All right, we'll give it one more minute and we'll get rolling. If anyone has any opens they'd like to add, please do. My dream is that today we work through section items four through thirteen in the mobilization plan document.

A: What is missing from the plan? We'll talk about this probably in our next phase, you know: do we think the estimates are realistic or achievable? Once we actually start to flesh out the plan, we'll probably get more into that. And then always keep in the back of your head: do we have either volunteers that could work on this effort?

A: Do we know of existing people, like they're part of this team or the foundation, that would work on this effort? Or think about people that aren't here that we need to invite. So, for example, the distros' security teams do this work a lot, and I think they would be good people to listen and learn from. That's an example of a stakeholder that isn't in the room. But kind of keep those thoughts in your head as we march through the plan, please. Any questions before we jump into defining eligibility criteria?

A: All right, so as it is written, somebody was very excited about gating things that came into this team. So they felt it was important to put, as part of the plan, the eligibility criteria for petitioners, maintainers, projects, communities to actually leverage this OSS SIRT function.

A: And if you look in the document, I thought Marta had a very good comment where she said that she'd be careful in defining criteria based off criticality.

A: Most of the other high-profile issues in the last decade have been in the six to seven range, Log4j.

E: Oh, you're talking about CVSS scores. Yes, okay, I was talking about the first part.

A: That's one of their criteria. Another thing could be: is it on the critical projects list, the Harvard survey census, right? So, as a group, do we feel that it's important for us to put in the plan a prescriptive list of criteria for participation in this group, helping with CVD? And I saw Vicky's hand first.

B: I think it's probably a good idea to say that we will attempt to make a first pass at a list, but putting it in the plan itself? No. Especially since that's something we'll need to iterate on, right, and so it does not belong in the plan itself. It should be external to the plan, if only to make it easier to iterate. But I agree with Marta and you that these are a bit too prescriptive.

E: All right, I must have pushed a wrong button. Okay, so let me take the point of view of the loyal opposition here. I would totally agree that if it must be some sort of quantitative, you know, "if it's a CVSS score of six, we must never consider it," that would be wrong. On the other hand, we do not have infinite resources. Those do not exist.

I don't care if this is in the plan or something else, but we will need to have eligibility criteria to winnow out that which is going to get extra resources and that which we just can't. I realize that there are some people in the security community where every vulnerability, every snowflake, is important: all vulnerabilities are important, we must fix everything. I will be dead, and everyone else will be, before we fix everything in the universe.

Now, if you're going to argue that, hey, CVSS scores are not the perfect measure of the criticality of a vulnerability, let me agree with you. So I would say we need to emphasize the important ones. We can figure out in a separate document how to measure importance, but we must prioritize. It is not an option. We must, because we don't have the resources otherwise.

A: There is an artifact called the PSIRT Services Framework that describes how a security incident response team should operate, and part of the standard operating procedures is defining your triage process. In that it defines what your bug bar essentially is, you know, what is the threshold of things you'll accept in and accept out. I would propose to the group we remove this particular piece from the plan and put that into whatever the team's operational artifacts become.

Yes, no debate on that. But when I read the plan, actually, I thought it was really weird that they got into this, and I personally feel it's going to take us a while to get going and to encourage people to come to us. So I don't know that we want to turn anyone away in the beginning as we start to vet our processes and, you know, kind of kick the tires on this whole thing.

A: Yeah, no, we shouldn't ignore it, but I just don't know that it's part of the plan to have that gate. Eric, did you have something you wanted to add, or did we address your statement?

C: It was covered. It was just in the context of making sure we have some way to narrow down the lists, and what that criteria is. I agree with David. It needs to be somewhere, but the where is still the question. But it'll be crucial.

A: Yeah, well, and I think we're going to spend a lot of time developing not only the playbook for whatever this team molds into, but there's several suggestions around creating literature to give maintainers to help teach them. So, potentially, a document that this group might eventually work on is how to do triage and severity rating.

E: Potentially, in fact. And if I can jump in: whatever the eligibility criteria are should be modifiable over time, as you realize, "Oh wait, this thing that was previously considered not critical, we have now learned it's super critical, and now we need to tweak the criteria so that we handle that." You know, basically repeatedly learning as we go.

A: And potentially, a petitioner might come to us with a low-severity issue and, instead of helping them do the CVD, we can point them to literature or other things to help them learn how to do it themselves.

A: So I'll make sure that these criteria are captured in our notes. Then, as we move forward, first we will be developing plan 2.0, the proposal for the governing board, and we'll spin up probably several other documents, and this will go into the operational ones.

We don't have a repo yet, Madison. I'm waiting on Jory to get back, and the hack meeting later today, where I'm going to bring this up. I don't know if this deserves its own repo or if we have a folder underneath the vulnerability disclosure working group. I'm not sure how they want to handle that, but I'm going to bring that up, so we will have somewhere to put it. I will copy this and put it into a scratch pad around ops docs and triage.

Yeah, with summer and people on vacation it's challenging to get hold of people, but I believe Julia will be back soon. She's our liaison to the foundation, one of the program managers there. So I'll work with her to get things set up. We'll probably wait until we decide on the repo map before we update the calendar, but once we do, I would get the calendar invite updated with whatever repo we're saving to, and then also put them...

F: Cherry is actually on the second half of her maternity leave for the rest of this month. So do forward to...

A: Yeah, okay, I'll bother Jennifer then. But yeah, I'll bring it up. Hey Brian, since you're here, for SIGs, what's your opinion on how we store our materials in git? Does the SIG get its own repo, or is it a folder underneath the larger working group?

F: Repos are cheap, so it doesn't make sense to me not to create a repo for it, but I don't have a hard opinion one way or the other.

A: Right, so we'll get that worked out, Addison and Matt and everybody, and we'll get the meeting invite updated for that. All right. So I heard no counter; we'll move on to the communications, and I will take the eligibility criteria and put them into a note section for triage. Emily, I see your hand up.

A: So I absolutely agree. I would like to table that conversation, to have a focused chat about that in the future, to talk about what the triage process might look like. And I absolutely agree that tiering is a great way to help not only document your services but also kind of help anyone understand what billio is. Thanks. You're welcome, I'll try to boot of that.

So we don't get that. So, while I type, our next item is: select IT and communications infrastructure necessary to deliver the SIRT service and the services, and make a plan for deployment, operational capability and security assurance. So do we feel that this is something that needs to be in our plan? It needs to be more fully fleshed out.

B: Yes, I think, you know, it doesn't make much sense to have a SIRT if we can't actually communicate, so having some way in there documented so people know where to look, I think, would be a very good plan. Yes, but...

A: We haven't gotten to that debate yet, Josh, and that is, as I mentioned in my email, we have two most likely paths.

But I think, for example, the VINCE tool could be infrastructure that this group endorses whether or not we staff or mentor. I think either path would be helpful.

E: Can I suggest that we split it up into those two, at least for this planning thing? Because I think there's two parts. There's the infrastructure for services when it's embargoed, and I expect that to be highly secretive. Maybe, you know, we'll take all the learnings from Josh's efforts of creating this PGP key system, right? In all seriousness, though, I mean, if you have a really important embargoed vulnerability, you may have something that nation states care about, for the, hey...

Let's train people. No, that's... I would not expect them to be necessarily the same infrastructure, and in fact, where possible, I would try to minimize the amount of special, maybe slightly hardened infrastructure for embargoed stuff, and try not to make anybody else have to use that nonsense.

A: So your suggestion to split the conversation, David, is embargoed versus non-embargoed?

E: Data versus... correct, embargoed versus, yeah. It's basically the stuff that's supposed to be kept secret. I'm using the word embargo, I guess, for stuff that's supposed to be secret versus stuff that's not supposed to be. I'm not talking about secret in the national security sense, but just the lowercase-s word secret. You know, secrets versus non-secrets.

Because you want to minimize the number of people and infrastructure and everything else that you have to deal with for stuff you are seriously trying to keep secret against adversaries. And for some of this stuff, actually, this is one of those rare cases where, indeed, nation-state directed attacks are legitimately possible.

No, no, no, seriously. If you're a nation-state actor and you're not trying to get into embargoed vulnerability databases, you either have an incompetent org or you'll get fired and get replaced by somebody who will do their job. So, let's, you know... I'm dead serious. So that doesn't mean that we can't do it. It just means that if we do it, we have to be serious about it and minimize it to the things we care about. We don't minimize it up. Somebody else, Emily's on.

B: Well, if it's going to take some time to implement, it can't just be hand-wavy, so I believe it makes sense to keep it in the plan, so we can acknowledge, if nothing else, that it doesn't come for free, if only in time.

A: All right, so any more conversation about communications and infrastructure? Who wants to be a PGP admin?

All right, our next suggested goal for the first year was augmenting playbook guidance, documentation directed at open source maintainers. It provides useful guidance about what to do in the event of a cybersecurity emergency and offers clear instructions on how and when to get support. So this not only would generically talk about CVD, but in the case of the firefighters we're discussing here, provide a little more prescriptive "if X, then Y" directions for them to follow.

B: Martin, yeah. I will go forward with the suggestion I gave in there in the minutes. That would be also a good topic to work on together with the education team, because, apart from the guide itself, it's also worth putting into all the trainings available. And also I wanted to stress that we'll probably need a short and nice guide for maintainers in distress, when it actually happens and "what am I going to do right now?"

A: Agreed, and I'll also take this point. There is, I think it's part of another SIG, but it's essentially the idea spun off out of the Alpha and Omega projects, where the foundation is going to be hosting a series of office hours for maintainers of projects that they can come to, and it's kind of an ask-us-anything style forum.

That's a real pain in them: defining contractual expectations, including a valuable process, an ethics agreement and necessary skills and experience that were required for each firefighter and incident responder. Before I address your hand, Emily: this was written in the context of "we're staffing a team of people". That is the context in which this bullet point is written, so we can either continue on with that assumption or mold it into something of our own choosing. And I will yield to Emily.

G: So I wanted to ask that this bullet and the one immediately following it be merged together, and the reason why is because in some instances I understand the need to be able to staff individuals against doing this work and augment the existing volunteer work of the group. However, there may be occurrences with certain incidents where those volunteers need to have some sort of written agreement or formal agreement, or some sort of statement that they're working in this space and that there are expectations that are going to be met.

So there needs to be some sort of flexibility in whatever that contract is, and in the engagement between a volunteer working as an independent or as an employee of their existing company and engaging in embargoed or highly sensitive discussion with contracted personnel.

A: Completely agree. I put your note in; please review that and add any other additional context you might have. Any other thoughts? First off, does the group agree we merge these two bullets into a kind of contracts, ethics, guidelines?

We definitely need to have a code of conduct or expectations for people participating in this group, because potentially, and I know we don't like the use of the word "volunteer", people donating their time... So I work for Intel and I'm helping out with this open source thing.

C: And have a very clearly defined project for this, outlining the expectations of team members or contributors, the assumption being that there would be some maintainers. So, you know, to the point made earlier.

There shouldn't necessarily be a limitation there, in my opinion, but, you know, until they prove that what they check in is just not viable.

A: And I'll suggest, on top of that, as we have this focused discussion, we actually work out whatever that code of conduct is, ethics and NDA, whatever that ends up being. Brian Behlendorf, we're probably going to need some time with the foundation lawyers to review that and make sure they're comfortable with that, and I don't know how we would share that membership.

B: Vicky. Plus one to getting counsel to just sort of, probably, rubber-stamp it, because we've all done this before. But I would encourage us, when we get to that step, to follow the lead of existing examples rather than reinvent the wheel, which I'm sure we would all do anyway. But I just wanted to go on the record and make sure we call that out, that we will not be reinventing it.

F: I don't know that there is another CERT in proximity, you know, or a similar situation, where we're going to be trying to bind individuals to confidentiality that might even apply to asking them to keep things confidential from their employer. I can't think of a comparable situation, but we'll certainly ask around.

B: Yeah, I mean, the mere existence of the acronym CERT means that there are other ones out there, right, and so this isn't a new concept we're coming up with. And security being what it is...

I'm sure that these groups will have some sort of ethics statements and/or codes of conduct, so we should certainly just fall in line with the standard practice and make sure that what we do doesn't digress from what people commonly expect, unless what people commonly expect is crap, which I don't expect to be the case as we look. But that's just something I want to make sure we're very open about.

E: Yeah, I'm trying to think through, right. I mean, obviously there's a number of larger LF projects, I'm thinking like the Linux kernel and Kubernetes, where, you know, there is a security@blah-blah-blah email address. If you want to report a vulnerability, there are people on the other end who receive that.

I'm not sure of the details of what... I'm not even sure if there's a specific paper that any of those sign. Brian, maybe you know. I don't know that they do.

A: I know they do, and that was one of my suggestions: we can go survey communities, yeah, like the kernel security team, Kubes, actually OpenStack, and even talk with Solar Designer to kind of hear about the rules of private lists. So I think there'll be existing information we can lean on and not...

A: All right, and we can have this conversation now or we can defer it down the road, but the plan as written, as I mentioned, intended for a group of people to be recruited or hired for doing this work.

D: I mean, even if we were to hire people explicitly for this, contracts vary in duration, so depending on which countries you're talking about, it could be a maximum of one year, and so on and so forth. So there are some details with years, and also if we are a volunteer-based organization as well as a group... If I...

F: I do think a minimum commitment is important, at least in terms of expectation setting when you're talking with an employer or a potential recruit. And two years is quite a long one, which would be great, but you do have to account for people, you know, turning over in their jobs and the like, and that ordinary amount of risk. But I've just grown wary of, you know, depending upon volunteers who can disappear on you.

A: So how does the group feel about that? Do you want to soften the language for the plan, then, when we get to specifics, like if we decide we want to hire a team, we would potentially put that back in? How do we want to handle this time frame? Emily.

G: So I will say that in the past, at least within the Kubernetes security community, they have a process around bringing individuals into the fold to be capable of responding to incidents as they occur. There isn't a two-year commitment; however, there is usually a minimum of a one-year path to get to a point where you can take action and work.

F: You know, one thing that occurs to me is that the projects that will probably, hopefully, be the only ones that need this the most would not be the well-resourced security teams, but the ones who are the more individual, single-developer, you know, critical but left behind, forgotten about, yeah, under-appreciated project. So...

Finding some way to get the word out to the mass market is more important than finding ways to get Apache, Python, etc. kind of on board. And I'm not sure what that means concretely, but it just occurs to me it's an important thing to think about here.

C: I'm wondering if this overlaps some with the work that the education SIG is doing, where it becomes kind of partially education, being, you know, more of a marketing type of thing, versus educating developers and groups on the process for this. You know, presentations and webinars and other things will be something that group is doing. Also wondering if that should be a collaborative effort to build an education plan to get people to work through this process.

A: I personally think so. I would defer to the other folks that are also participating in the education SIG, but I think this is something we potentially could pick up as a module for our, you know, new augmented training material for developers. "Here's how to execute an IR plan," for example.

B: Yeah, if we don't have some sort of outreach, then we're just working in a vacuum, so yeah. This is table stakes, but not the UK form of table stakes. I don't know, now we've got confusion on the word "table", but yeah. This is certainly required; it will require assistance from Jennifer Black, Emily. That's the name of our new best friend in marketing over at OpenSSF. She's just getting up to speed and doing a heck of a job, so yeah, this will be key.

E: Yeah, quick note. I mean, I agree, outreach is key. I don't know how much is general, broad, versus focusing on trying to identify the relevant developer communities and talking to them individually. I don't know that we need that detail in the plan, but I would not be surprised if some of the more effective outreach would be...

We definitely need, well, you know, a great web page and office hours, but identifying some of the most relevant communities and contacting them one by one might be important to set up that trust, because in the end, if you're in crisis mode, you're probably going to reach out mostly to the folks you trust. I don't know how best, I mean, that's a human question, not a tech question.

A: All right, so we will keep this in. We will figure out a way, potentially, maybe to wordsmith or, even better, define some actual things we will do. So do we think this is achievable with this group and the help of select friends within the first year, on top of everything else we've already committed to? Keyboard.

Well, my intention is, once we're done (we only have two more things, I think we can get through in 15 minutes), once we're done reviewing the initial plan, I'm gonna go back and we'll create a plan 2.0 document where we will put the things we've agreed on into the document, and we'll go back and start to refine and estimate, define tasks that we will commit to, and start to put some estimates around time and resource requirements. So we will do that. That'll be a next step for us.

G: You did not have to do that, but thank you. I did have a quick question. So at the summit we had a lot of discussions around a SIRT and around this particular stream, and I apologize for not being at the first meeting. However, is there an intent to also re-review those discussions at the summit as part of the rewrite for version two?

A: Yes, my plan is to go through those notes we had from the DC summit and share them. That'll probably be our next meeting, as we'll go through those additional notes, and then hopefully by that time, I think Francis is going to help me start to stub out the plan, and then we'll start to flesh it out. That'll be kind of a second next step.

B: You know we love a stretch goal. What's gonna happen if we fail? And that, I think, is worth answering. I think this is ambitious and certainly worth looking at, but considering all the stuff we have to set up in order to deliver services...

I think 30 might be pushing it just a bit, but, you know, try.

F: I think this is a statement both about supply and demand.

So on the supply side, it's about likely being able to say, given a random distribution of security events (they tend to actually come in waves), that there is a capacity on the team side to handle more than one hot-button item at a time, it seems like, at least, right. And I don't know if it means being able to handle three or four, but at least more than one, because this would suggest, you know, in the second half of the year you're handling one a week, handling one new one a week, but we know it might take multiple weeks to resolve one, right. So think about how this affects supply and/or capacity, right. And then on the demand side...

You know, I don't know if there are 30 new CVEs from under-resourced open source projects a year. I'd imagine so; I kind of imagine that's like a drop in the bucket compared to how many there actually are, or things that should be CVEs.

So I think it's about making sure there's enough people aware of the availability of the service, and trust in the service, that they actually make use of it. And so there's almost these two goals implicit in this metric that I just wanted to make explicit.

D: I think it's fine to leave it in, actually, and I think it's fine if we fail. One thing that's going to come out of it is, if we fail, we will have to explain why, and it could actually be very good information to surface up to the folks who actually wrote this down and accepted the original intent of this document, as in: yes, maybe there won't be 30 vulnerabilities for us to work on, or maybe the whole plan was just way too ambitious, or yes, we did succeed, kudos to us.

C: The door, which, you know, optimistically, hopefully will never be an issue, but it becomes that conversation point: do we split kind of the difference and lower the number to 20? Do we not give a number at all and then set a relevant metric after the first year, and then, in a very agile-velocity kind of way, continue to look to increase that over time? That would be my only thought.

A: And perhaps we change the wording from "emergency incidents" to "interactions", for example, you know, maybe "engagements". Maybe projects don't need us to do the CVD for them, but maybe they need help connecting to... maybe they need an advisory template. So maybe "engagements" might be a better metric for us, and maybe those are incidents, but maybe, you know, maybe they aren't. Maybe we taught a team and we helped them get set up with PGP keys.

E: Yeah, I do like... well, one, I'm hesitant in a plan to have that number right in the plan, but to be honest, having, you know, 30 engagements, whatever the phrase is, is, I think, actually helpful for kind of level-setting everybody. I'm very concerned about the "hey, we're the help desk for the universe".

We know that's not gonna be possible, but we are trying to be helpful. Trying to level-set expectations that, hey, over this period of time we're expecting to do this many engagements, I think, kind of helps both the world and us level-set: we are going to do some things; we can't do everything.

E: So maybe it's not just a report of key metrics, and sample results.

A: If you look down in the notes, I borrowed from stream six their little bit about maturing coordinated vulnerability disclosure; that's number 13 on our list. So do we feel that maturing CVD...

I don't hear any disagreement, so our homework for next time is to reflect upon what we've talked about. Read the notes and reflect on if we've missed anything. In our next conversation we'll talk about the notes that the room had for stream five from the DC meeting, and then we will potentially roll that into a "build a PSIRT".

Build versus buy conversation: do we hire a team, or do we have a team of mentors or volunteers? So our next conversation will be that debate on, kind of directionally, what's our recommendation for this stream? Do we hire a bunch of people, or do we have a cohort of good-minded contributors? So get your thoughts prepared for that, and we will talk to you next week, everybody.