From YouTube: OSS SIRT Best Practices (August 2, 2022)
A
Hello, everybody, we'll get started in a few minutes. If you could please sign in to our agenda, mark your attendance and add any opens, that would be super groovy. It started about two after the hour.
B
Hey globe, just checking in just to say hi. I have to leave because for some reason, after a week, after a week offline, my cell phone no longer receives calls or texts at the number that I'm still getting LTE service at, which is bizarre. So I just gotta go to the T-Mobile store and figure out, make sure I'm not being SIM-jacked, because that's, that's happened before, so I just wanted to say to make sure this meeting.
B
That story was just great that you were here, that's great, and, and just really looking forward to this group iterating further on the, the stream description and then maybe even starting to prepare what, what, what a funding proposal might look like, but I just, just wanted to check in with that, and now I have to balance, all right. Thank.
A
This was my 18-year-old's graduation present idea.
B
We all have failures: all the marching band children. My daughter was in Blue Knights, the world class marching band, yeah, so she, she did two years and her third year, her age-out year, she didn't make the cut, so she was very disappointed, yeah. I, I taught DCI marching bands for a while, yeah.
C
Yes, so hi everyone, Art Manion, my current company is called Analygence. I didn't write them down just because I am trying to sort out affiliations with things. We are a primarily a government contractor and I have a contract with CISA. So I am, I am not speaking for DHS CISA here. I think I'll just be my personal professional self for the time being, nice, and get that sorted out, so that's sort of the new, the news there, no longer representing circus or cc.
C
I haven't changed my mind about most things and I'm still involved in the space, so sort of some continuity there, and my affiliation might, might float around a little bit. I've been meaning to come to this call for like months, but a lot of, for weeks, I guess it's been going on, but finally made it today. So thanks, welcome, all right. Glad.
A
All right, do we have anyone that's willing to assist us in scribing some notes?
B
I can assist, but I'm not sparking too brightly this morning, so I wouldn't mind if others also assisted, but I will.
A
Vicky, do we have any new opens for today?
A
All right, so I was, was alluded to the beginning of the call, was not on the team call last week. Was anyone here that would be willing to give us a two minute overview of what we did last week and if there was anything outstanding we needed to jump on today?
D
So last time we finished going through the day two notes and kind of providing additional clarification on what each of those bullet items were. We did not have time to go through the full, comprehensive list of changes that needed to be removed or updated, plan 2.0 draft, yet, that one, so the intent was everybody asynchronously go provide comments, clarify everything, and then we would come back and review. Let me know if I misrepresented anything.
A
Our second item, second comment, is in goal 2.1. We revised it and we changed it to read: ensuring secure communications between maintainers, researchers and organizations when receiving vulnerability reports and/or proof of concept code. And Marta asks: would we provide the communications channel for all projects, we provide guidelines to help, projects might have channels already. A suggestion would be change it to support ensuring secure communication. What does the team feel about that?
B
That too, yes, yeah, support, I think, is a, a more realistic word for what we hope to do. I think.
A
All right, for the reasoning for the changes, we want to ensure we do explicitly include companies but use broader terminology. So do we feel the group of people, maintainers, researchers and organizations, does that achieve that reason and help us make that? Emily agrees.
A
We are proposing that this be removed, so the original proposal was: writing proposed software patches to remediate identified vulnerabilities only when requested by maintainers. Marta agrees, we have a review stage below. Francis agrees. Is there any other discussion we want to have or do we want to move forward with removing this section, this item?
C
Can I do the dumb thing where I jump in as the new person? Please, all right.
C
No, no, but I, you know, jumping into a doc mid-development is questionable, I guess I'll, sorry, I'll read down to the review section. I'm not sure the reasons, I, this is an interesting idea to me. It's also expensive and potentially costly and could be troublesome, but offering it is something that at least strikes me as sort of a compelling thing. You know, we've all, are all familiar with: hey, I found a vulnerability in some open source product. Great, you know, PRs, PR is welcome, right.
C
So the idea that this potential team would actually come with some, come with patches seems more compelling than just the other bits that it might do. If that's sort of wrapped up in the review section, which I think review is very important also, that's fine, but I guess I'll just ask: could this be?
C
You know, an option to provide, you know, changes to software and not necessarily a commitment to always provide patches. Thanks.
A
To frame what we're doing, Art, is a group of people wrote the mobilization plan, check, and then we had some conversations in DC and other forums talking about it. So now this group is marching through that proposed plan and we are vetting: what were those original ideas? Do they have merit? Do we want to commit ourselves, our organizations, potentially hiring people or acquiring tools to achieve these goals?
A
So if this stayed in as written, we would need to define, you know, what we would do and kind of create a budget and resource plan to achieve this particular item. So I know there was initially some hesitancy of having, you know, would we have expert coders that, you know, were conversant in many different languages and the different technologies involved in all the projects that might come to us? I don't know that we're trying to exclude it, but I don't, I think, we're stating we don't want to directly commit to it, to it.
A
Yeah, that, you know, if somebody has those skills or we can make a connection to the maintainer and a skilled security developer, yes, but I don't know that we want to commit as part of our OKRs for this team. Does that make it a little more clearer? Oh.
C
Yeah, that does, so the, again, first column is from the, from the plan. Second column is, do we, you know, does it stay in or not or does it get modified? Yes, or I guess you could stay as is, yeah. Again, I guess I'll just, you know, I'll leave it at this, I'd. If there was a way.
C
You know, optionally provide patches, just still seems compelling to me, and if that's too difficult at this point to sort of commit to and, and put budget behind, I understand, I'm not gonna, I won't argue any further. Yeah, I mean it varies a lot, right. Sometimes the patch is straightforward, and sometimes you get expert in that thing and you're not going to find them. So I certainly agree it would be difficult to commit to it in writing.
D
I was just going to suggest that, because nothing in the document as written precludes us from providing patch information, it might be beneficial to adjust the proposed language for 2.5 to specify something to that effect, that should we have the skills, capacity and timeliness to be able to assist in the development of a patch.
C
That it, is that what I heard, because that seems pretty normative, I mean not, not.
A
The focus of this particular document is creating a, some type of open source security incident response team, whether it's actual staffing, a desk of people, or it's a group of volunteers or mentors or creating good practice and to provide tooling. So this wouldn't necessarily be the researcher, it's not that it wouldn't be. But again, as you mentioned, this is, that is kind of the standard desired practice, is if somebody finds a problem that they propose a solution, makes it much easier to get it ingested.
A
All right, I will give folks a few minutes to type away at 2.5 and I'll jump down to the comments on 2.6.
A
See here, 2.6 is helping maintainers create and publish software patches, security advisories in a way that will minimize likelihood of widespread vulnerability exploitation, and we change, we're proposing to change that: helping maintainers publish software patches and security advisories in a way that will minimize likelihood of widespread exploitation for year one, so we're just going to be assisting, coaching in year one. Year two: helping maintainers create, coordinate and publish patches. I see that's not, that it's pretty slick.
A
What does the group feel about actually writing it into the proposal, the kind of time frames and the slight change in deliverables from helping publish to potentially assisting, creating and coordinating?
A
The, the difference, the, the line is going to be split into two years, so the first year we're going to be helping maintainers get their software out, helping them security advisories, and then the next year we would actually commit to more coordination, potentially assistance in creating the patches, but it did.
C
See, I see the, sorry, I, I got the right doc now and I see the, the year one, year two stuff. I guess what I'm saying is that at a glance the year one and year two don't look up a whole.
C
Yeah, I mean I have no problem with the language at all. I just was trying to make a distinction between the year one and year two, it seems like a bunch of stuff that this CERT might do could be fit into either. I'm imagining basically in year one.
C
You know, this CERT is, this team is involved and it turns out to be straightforward and trivial to, you know, maybe create a patch, and, you know, to execute what the year two says. I guess I'm concerned that we would be constrained to not do, would, would be constrained to not do like a more full feature year two activity, because we wrote down that it's only in year two, even if in year one we're sitting right in front of us and easy for someone to do.
C
I guess that's my concern. We're writing ourselves out of success in a way that, are we constraining ourselves in any way by, by the, the year split in the language, yeah.
A
I will have to work that out, and what our next step will be is that a group of people will go off and work on, you know, line item two six and we're going to have a more solid, more defined proposal. It says I need to have 20 hours of volunteers. I need to have a full-time FTE. I don't have a tool or whatever. Vicky had her hand raised first and then Emily and then Eric.
B
No problem, I'm just wondering about which part of the command, oh, just in general, for 2.6, if you could talk through your recommendation here, because my mind isn't kind of wrapping around it. For some reason, it could be the time, I don't know, or the coffee. Okay, so there are two parts of it. First is that this is the only place, looking from the beginning of the document, that I've seen that we mentioned working on security advisories and they are publish that their purchase security address and other things all linked together.
B
So my suggestion, without, without the real writing, is that differently, because I, I didn't have an idea how to do it, was to actually make the security advisories more visible, because I think it's quite an important thing to, to actually deliver, but it's only mentioned in a sub, in a list of other things, and the other thing I propose is release notes.
B
When I was reading that again, you have certain, but you also have release notes the projects provide that is related to, to the security advisories. That would be, I think it will be also helpful that we provide help with writing release notes related to security issues.
A
Does that address what you were looking for, Vicky?
D
So I have a suggestion to expand on the comment that I made and consider pardo's proposal as well. There's two, two facets of this: two to five and year two of 2.6 are very similar, with the exception of the security advisory portion of it. Since security advisories are much simpler from a commitment perspective versus actually writing a patch, the security advisories and release notes and coordination can be clustered together as a single item, whereas the review, creation and publishing of patches can be a separate area.
D
Is it beneficial for us to separate by level of effort year one and year two activities, because I believe the creation and publishing of this, like the actual writing and developing of the patch and, if it's not patchable, the remediation or compensating mechanism to be added to the code base, is a fair amount of work that falls into a higher maturity CERT.
A
I agree, Emily, we should, we need to decide. Do we want to.
A
I agree that we should probably tier this into levels of effort, things that we can, quick wins so to speak, in year one and more long-term tasks, but then the statement around advisories, a lot of times from my experience.
A
The, the actual writing and communication piece are skills that some projects don't always have or don't find, don't deem as useful as other activities, actually writing the software, and if we could even insert ourselves as being able to help provide that service, I think that would be very beneficial to a lot of projects. That's something that a lot of the commercial distros do today.
A
Is they kind of take that role of comms, so to speak, because they help write the advisories and help document compensating controls so that all consumers understanding what's going on. So do we want to, so to Emily's proposal, how do we want to address the statement as.
A
When specifically requested, so how do we want to address that? Do we want to have a blanket statement in the beginning that talks about how we have flexible operations, or do you want to be more prescriptive?
D
Whereas the creation of a potential review for patches, because providing a review by a centralized organization can imply some form of responsibility on accuracy, so having them separated out even further, so that those, those items that are higher risk, higher task oriented can be specific requests.
A
I'm trying to think how to, now do we feel, I, I like that approach, Emily, a lot. Do we want to go line by line and say this is by request, or do we want to have more of a, we will have in the beginning of this, the final proposal, we'll have kind of a purpose.
A
You know, market problem statement, and we'll talk about kind of the rules and engagements. So do we want to talk about how the CERT will provide a variety of optional services, and, you know, so at the higher levels we may assist in writing, vetting patches, or do we want to go line.
C
So I will, whatever, propose, suggest, pick the, vote for the, I mean, okay, so we 100, of course, want to respect maintainers and developers and the organization and do things their way, always when possible, and work within their procedures and process, no argument whatsoever there. That said, and I have to put a comment on the when requested review the patch, again, sort of would not want to constrain this, the team to, you know: here's a patch sitting out there ready to go, and I look at it.
C
Of course you want to say something and the CERT should say something then, so I guess I'll suggest some kind of top-level sort of cover material that we always, always, always respect and work with the maintainer in the organization. We're not gonna, you know, go against their wishes. We're not gonna be jerks, but I think it'll get difficult to do line by line optional when requested, optional. One requested, now that'll be overly constraining.
E
As a distro maintainer, I, I do like what Emily said and I, but I, and I would encourage probably making as many things optional, because there's a whole Debian situation, like there's Gentoo and Debian that are kind of on opposite spectrums, and I know that the Debian patches sometimes have issues because of the opinions that are committed in them, and a lot of them are supposed to be security thing. So I think, maybe avoiding being heavy-handed and making everything as like.
E
Opt-in as possible would be the best for OpenSSF, and I also agree kind of with what Matt said, that it's also a liability. I know in Homebrew we've had that before, where we've had to make it very, very clear that Homebrew should be seen as a last line of defense and should not be considered an actual security tool.
B
It sounds like we're, you know, to use a restaurant metaphor, going more towards, you know, a la carte menu than prix fixe. Yeah. I like that. Yes.
D
So I made a suggested language change in 2.5 to pull the year 2 version from 2.6 up, so that we could group those two areas together about specific requests for maintainers and then just general minimization activities. That way 2.6 can solely focus on the year one, the understanding that year two activities may also fall into year one, so we'll need to like carry that down.
A
So, let's read the work that Emily just did, so, when specifically requested by maintainers.
D
So if this is particularly focused on that sense of urgency portion of it, especially for like super severe vulnerabilities, and that makes sense as a call out, but then I feel like we're almost leaving the other portions of it on the table unless we have captured that elsewhere in the document that I missed.
A
I don't think we have captured it elsewhere, so I think that's a good point. So how would you like to revise that, just handle, you know, vulnerability reports, would that be just in general, help provide guidance and mentorship around that and then escalate in year two? Does that get rid of the in the wild exploit for you?
A
Excellent, excellent, excellent. All right, so we are proposing for section three, there were six very prescriptive things the official authors of the document laid out.
A
The group talked about and proposed we removed the explicit having a, a CVSS score of a certain threshold as a gatekeeper to allow interaction with the team, and so the group proposed we toss out these six items and go more generically to defining criteria for evaluating things and providing practice and documentation.
E
I just wanted to point out, so if people are fall, or projects are following all of our other recommendations, wouldn't they already have an organized security team or, like, they're using GitHub advisories, because GitHub advisories also kind of has their own way of handling this. So just kind of pointing that out.
A
Hopefully, yes, and my fear, when I read this one especially, is we don't want to, anyone that needs assistance, we don't want to turn away. If we have the opportunity to assist them and educate them and prepare, help them prepare themselves for the next event is, I think, a good thing. I don't want to have to be, I don't want to be the gatekeepers of CVEs for people and.
E
I understand we should help. What I'm saying is, if they're more, if they're gonna, because I know like best practices does openly recommend using GitHub advisories and, and what I was gonna say is that that kind of makes people used to tooling doing everything for you. So I don't know, like, because I know some of the stuff here is not necessarily tooling based, so, if they're already using tooling, how would we deal with something like that, because I know I can give GitHub advisories?
C
Yup, sorry, so I agree with the, the choice here. No, no question there. The, the original text from the plan for 3.0 talks about, so, eligibility criteria, but then the, the sub bullets seem to be more like.
C
Is it in here somewhere, and I didn't even search for the word yet, do we care? Is it in here anywhere that this CERT may have selection or prioritization criteria, because we have, you know, for instance, limited resources and can't handle every request we get and have to pick and choose based on, and then now some of those bullets would make, make some sense.
C
I'm searching for the word priority. Again, no argument with the decision on this, on this item. Just, are, you know: do we need to worry about criteria anywhere else, or is that, that may be a next stage detail and that's what this resolution of three is going to be.
A
So I'll highlight this in yellow, so does that adjustment kind of help, help give us a little more flexibility and really speak to, I think our, our purpose is to provide frameworks and documentation and assistance, as opposed to, you know, being a traffic cop, so to speak, of letting CVEs in and out? Emily.
D
I'm thinking back to our in-person discussions, where we talked about like the CERT of last resort and foundations having their own CERT, and what is that escalation path look like, and how do we determine whether or not something gets taken on by this group versus by pushing it back down to a foundation's CERT, for instance.
A
And I, I think my, I was not included in the original conversations around the creation of this, but I think the idea of the authors was that they would have, they would have thousands of developers coming, petitioning for this service the first day, clamoring for help, and we would need some way to throttle that, and I don't think in actual practice that's gonna happen.
A
I think it'll grow over time and maybe eventually in, you know, in the future, when we're all in our silver spacesuits and flying cars, that might be, we might need to throttle things a little more, but I think initially, we just want to try to help provide guidance and pointers and help where we can. Vicky.
B
How is this sort of thing captured in a medical context, in a treat, medical triage context, right, where you've got a number of different patients and you have to select which ones most urgently need your limited health, because I suspect they did a lot of wordsmithing on that to make sure it's exactly descriptive of what we need. And then it's also a well understood metaphor.
A
Ground, yeah, it's tough, because, you know, somebody had an idea, they threw it over the wall and it's up to us to actually execute on it or help execute.
D
Well, triage, generally speaking, is about the evaluation and potential prioritization for following action, yeah, in a medical context. Now I'm not a licensed medical professional, but I do have a fair amount of wilderness survival training. When you're doing triage for widespread events like that, it's usually the ones that are mobile are the ones that are less likely to need your immediate help because they can get up and come towards you, whereas the ones that are on the ground, but still vocal, those ones probably need more of your attention.
B
Yeah, that, that works for me, I love it, yay, and all of a sudden you're pretty badass, with all of your, your training there. So the agreement is to have essentially a triage criteria document that we can maintain in a public place outside of this document, the 2.0 document, and we can then iterate on that as necessary and bike shed, hopefully not.
A
So I hope I've captured all the conversation. Do we, they think the new statement meets what we're looking for? Now you get a thumbs up from Emily. I.
A
The statement was: this group will terrible augment a playbook directed at open source maintainers. It gives generally useful information about what to do in the event of a cyber security emergency and to offer clear instructions of how and when to get our support, and somebody noted, proposed to move this to the education working group, and my statement is, I don't think the document exists yet, so we can't throw it over the education group yet, but that might be an end state. And Emily, you have thoughts.
D
Okay, that information is not well known, especially in the stream one for where that's supposed to be occurring, so sharing that information would be greatly appreciated by many individuals. Secondly, I think you're spot on with the creation of, or assistance in the creation of, because I'm not an educator. I don't pretend to be one, and I know that I would probably be, do a terrible job of writing educational material in a manner that allows individuals to consume it in the best way possible.
A
All right, with that, I will pause us here. I'll put a blatant plug: tomorrow morning, 9 a.m. Eastern, the education SIG meets, we're working on stream one and I'll be glad to take this little piece of feedback and account for it in our plan. That'll probably be more advanced, like we're talking about different levels of training. I think this would be a nice intermediate or advanced set of instructions we want to provide there, and I also agree, we definitely need to work with educators.
A
While I play one on TV, I am not actually an educator, so we will try to hook up with real professionals to get that materials, materials crafted. Any comments or thoughts before we close for today? We will work, start on section six next week and as always, if you have comments, please tag them on the doc. We'll work with those.
A
Yeah, I want to thank everybody, excellent conversation today. Thank you all for participating, I'm very happy with where we're going, and our next step after this will be to start documenting the plan and lining up commitments or estimates on what we think it's going to need to achieve some of these goals. So thank you, everybody, look for. Thank you for working with us and we will talk to you next week.