►
From YouTube: OSS-SIRT SIG - Part of BEST WG (November 14, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
A
C
C
C
C
C
A
Be
great
so
for
my
section
we're
I'm
finalizing
the
plan.
Pretty
much
have
everything
done,
but
1.4
I
also
made
an
issue
on
issue
one
or
a
comment
on
issue,
one
to
add
the
scope
as
1.3
to
my
document,
because
we've
discussed
it
before
and
I
think
it's
currently
in
stream.
Three,
but
I,
don't
and
I
think
it
originally
was
going
to
move
to
stream
two
but
I'm,
proposing
it
and
moving
it
to
stream.
A
B
B
A
D
So
I
think
that
there
is
a
fair
amount
of
overlap
between
the
engagement
with
the
community
and
section
one,
but
I
want
to
understand
and
I
can't
remember
off
the
top
of
my
head,
because
I
haven't
had
my
coffee.
Yet
whether
or
not
the
the
intent
behind
that
in
section
three
for
reaching
out
to
those
communities
was
different
than
what
we
had
intended
for
the
intent
in
section
one.
D
The
section
one
if
I
remember
correctly,
was
about
understanding
a
little
bit
more
of
the
problem
space,
doing
the
level
of
Engagement
with
the
community
to
hear
their
concerns
their
problems
and
challenges
and
ask
them
for
what
it
where
we
can
help
or
where
we
can
provide
the
most
value
and
benefit
to
them
potentially
offloading
some
of
that
burden.
Where
is
stream?
Three
is
more
of
an
awareness
and
an
engagement
if
I,
remember
correctly
and
I
want
to
make
sure
that
we
don't
lose
what
the
intent
behind
each
of
them
is.
C
A
D
All
right,
so
with
that,
what
I'm
going
to
recommend
then
and
I
think
the
ink?
We
need
a
line
item
in
the
engagement
model
section
which
is
2-2
to
talk
about
how
we
engage
with
them
or,
alternatively,
into
two.
You
add
a
line
item
to
defer
to
the
engagement
model
in
one
for
the
open
source
communities
and
the
maintainers
as
part
of
that
research
activity
and
then
Define
more
specifically
about
the
appropriate
engagement
as
part
of
going
through
an
incident
or
doing
a
communication
and
collaboration
activity.
A
Fair,
do
you
think
that
we
should
also
do
a
one
or
put
or
I
was
going
to
put
in
or
switch
one
three
and
make
it
like
actually
record
the
scope?
I,
don't
know
we
have
to
go
as
far
as
developing
personas,
but
it's
heavily
recommended
by
first
that
if
you're
gonna
do
a
p
cert,
you
should
probably
put
personas
together.
A
C
C
You
know
better
refine,
because
right
now
it's
a
maintainer
finder
supplier,
consumer
coordinator,
so
they're
very
high
level.
So
if
we
wanted
to,
we
could
dive
into
and
refine
like
the
maintainer
Persona
and
have
I
am
a
project
contributor
or
I
am
a
devops
engineer.
Whatever
we
wanted
to
focus
in
on
or
I'm
a
piece
of
person
right.
E
A
Could
I
so
are
we
in
agreement
that
I
can
make
that
1.3
and
I
could
also
make
it
a
line
item
to
record
the
scope?
Maybe
review
it
every
year,
because
right
now,
one
of
the
things
Emily
is
that
we
don't
really
have
a
scope,
so
we're
kind
of
going
or
what
krobe
and
I
have
talked
about
is
maybe,
starting
with
it's
always
come
up
about
facilitating
communication.
So
maybe
we
could
start
there.
A
So
that
way
we
could
start
presenting
something
to
the
tax,
because
that
seems
to
be
something
that
everybody
mentioned
in
my
initial
discussions
about
how
Auto
communicate
with
this
person,
because
they're,
hostile
or
Auto
communicate
with
this
person
because
they
never
respond,
or
you
know
like
stuff
like
that.
So
I
think
that
that
would
be
the
most
obvious
thing
that
we
could
solve
like
blow
level
I
would
say
and
then
from
there
I
think
every
year
we
could,
depending
on
how
that
goes,
we
can
expand
our
scope
or
maybe
even
modify
our
scope.
D
B
A
A
C
So
I
have
in
the
notes,
please
feel
free
to
edit
Delete
augment
Emily
notes.
We
want
to
add
refining
personas
as
section
one
to
hone
in
on
who
our
audiences
are.
This
is
going
to
help
us
craft
services
to
address
those
viewpoints.
As
a
group
we
want
to
craft,
we
need
to
fit
and
craft
a
mission
vision
statement
around
kind
of
what
we
are,
what
we're
doing.
D
C
C
E
Yes,
yes,
I,
don't
have
the
update
is
that
I
observed
I?
Think
probably
last
week,
some
of
the
folks
on
this
call
worked
on
it.
I
saw
the
Milestones
I,
don't
know
if
I
put
the
milestones
in
I
didn't
look
carefully
at
the
at
the
commit
or
whatever
I
should
have
looked
at,
but
I
saw
that
stuff,
that's
close
to
the
close
to
all
of
it
that
I've
done
I've
been
out
for
at
least
two
weeks,
I
think
with
travel
and
such
or
day
job
things.
E
E
D
E
A
B
D
E
Sure,
let
me,
let's
see
so
almost
everything
I've,
that
as
input
is
in
here
now,
I,
don't
think
I
have
anything
sort
of
new
or
substantial
or
different
I
was
about
to
ask
Crowe
if,
if
that
minimum
minimum
year,
one
c-search
services
is
something
that
goes
in
this
stock
or
at
the
top
of
it
or
it's
a
different,
different
doc
entirely.
The
stock
is
longer
than
that.
C
C
To
add
in
like
hey
in
year,
two
blah
blah
blah
okay,
I
think
this
would
be
a
good
spot
to
do
it,
because
the
governing
board
is
going
to
look
at
it
and
they're
going
to
make
their
choice
for
funding
on
kind
of
what
we're
planning
on
doing
sure.
There
was
a
there
was
a
governing
board
Tac
meeting
last
Friday
and
there
was
a
strong
sentiment
from
the
room
that
boy
howdy.
C
The
governing
board
would
love
it
if
there
was
some
type
of
threat:
intelligence
capability
for
the
open
source,
so
that
is
something
we
could
consider
or
Knack
out
of
hand
depending
on
what
we
want
to
do.
But
basically
their
idea
was
there's
a
problem.
How
do
we
tell
people
about
this
problem
like
let's
say,
open,
SSL
V3,
how
Mark
sent
the
pre-notification,
which
was
awesome,
but
Downstream
consumers
were
confused
and
middle
middle
people
didn't
necessarily
do
what
they
were
supposed
to
do.
D
C
And
the
while
the
name
sounds
like
wow.
That
is
exactly
what
we
would
want
to
who
would
want
to
collaborate
with
I
believe
what
the
intention
is
is
to
get
members
to
tell
this
group
of
academics.
These
researchers
like
these
are
the
open
source
prop
packages
I'm
using
in
all
my
dependencies
and
allow
the
academics
to
kind
of
go
through
and
do
research
and
say:
hey
banking
really
uses
a
lot
of
openssl.
C
Exactly
now,
they
have
not
taken
any
steps
forward.
They
have
not
that
group,
that's
one
of
the
many
groups
from
the
plan
that
has
had
no
action.
So
if
we've
come
forth
with
a
proposal
to
say,
wouldn't
it
be
great
if
somebody
managed
kind
of
a
a
what
is
that
an
Isaac
style
knowledge
sharing
Network?
C
C
C
E
C
E
No,
no,
no,
no
yeah,
sorry
I
anchored
on
the
word
threat
and
it
was
about
to
I,
was
gonna.
I
was
muttering
under
my
breath.
Knack
we
should
Knack
it,
but
then
you
described
to
me
sounds
like
what
a
Cirque
would
do,
which
would
be
hey,
there's
a
thing
coming
up:
notify
Downstream
under
embargo,
which
is
a
classic
kind
of
in,
and
that
should
be.
That
should
be
service
one
of
year.
One
in
my
opinion,
that's
like
the.
E
E
C
Mean
yeah
to
wax
philosophical,
a
bit
I
like
the
idea
of
hey
middlemen.
You
have
some
work
coming
up
next
Tuesday,
you
better
be
ready,
because
all
the
people
in
the
know
like
all
of
them
already
are
doing
it
and
already,
but
this
was
for
the
downstream
that
actually
could
deliver
to
the
end.
Consumers.
That's
like
they
I
think
about
the
intention
of
that
notification
was
and
yeah
it.
It's
caused
people.
Some
feels
yeah.
E
A
Well,
I
was
adding
on
to
that,
because
one
thing
that
came
up
during
some
of
the
discussions
I
had
with
Upstream
projects
is
that
they,
because
they
know
I'm
a
lot
involved
with
a
lot
of
packaging-
is
that
we
need
to
stop
solving
things
in
isolation
because
they
do
cause
more
problems
than
not
so
I
wonder
if
the
threat
intelligence
is
a
way
of
maybe
helping
address
that
so
that,
because
yeah
it
gets,
it
gets
really
tricky.
No,
but
yeah
Upstream
really
wants
us
to
stop
solving
things.
You
know
they
say
us.
E
E
E
E
B
E
A
C
E
C
E
A
A
My
fear
of
the
P
skeleton
because
I
looked
at
it
yesterday,
is
that
it
we
have
to
define
a
lot
of
things
and
I
think
that
we
really
can't
Define
most
of
it
until
we
have
like
a
survey
or
we
have
like
intended
targets,
because
it
would
be
really
hard
to
like
Define
ingestion.
I
was
trying
to
see
if
I
could
maneuver
it,
but
it
would
be
really
hard.
No.
C
C
B
E
Art
so
I
I,
don't
know
if
that
was
quote
unquote
exactly
three
services
or
not,
and
that's
that's
fine
to
me.
That
is
the
core
thing
that
that
pipeline
the
engine.
How
I
propose
we
say:
that's
it
for
year,
one
we're
gonna,
do
that
I
would
say
we
do
not
propose
anything
further
but
and
as
I've
personal
experience
and
I'm
sure
some
of
others.
But
you
do
that
and
you
pretty
quickly
from
your
experience,
figure
out
some
other
interesting
and
good
ideas
that
you
might
need,
and
those
are
your
year,
two
you're
in
things.
E
And
we've
we've
captured
a
lot
of
other
possible
things,
so
we
can
leave.
We
can
leave
all
that
stuff
and
say
you're
one.
This
is
the
core
Focus
fault,
we'll
learn
from
that
we'll
learn
from
our
feedback,
we'll
learn
from
the
things
we
thought.
We
might
also
do
already
written
down
here
see
later
in
the
doc.
E
C
A
I'm
I've
been
privy
to
some
conversations
about
GitHub
advisories,
so
there
might
be
a
chance
that
we
might
be
able
to
leverage
that
as
because
apparently
a
lot
of
people
will
use
it.
So
they
do
have
apis
and
a
bunch
of
stuff
that
they're
integrating
and
releasing
that
are
interesting
to.
If
you
were
to
want
to
kind
of
make
like
a
meta,
cert
and
another
thing,
I
wanted
to
point
out
someone.
We.
A
A
E
Pre-Notification,
almost
any
notification
post
notification
with
no
embargo
is
still
useful
because
cve
or
it
didn't
happen,
sorts
of
things
happen
right
so
and
I
did
this
firsthand
recently
and
it
was
crazy
to
see
that
someone
had
patched
something
and
not
called
it
a
security
issue.
Someone
else
had
not
noticed
the
patch
Downstream,
no
one
had
noticed
frog
or
Downstream,
because
there
was
no
advisory
cve
whatever
to
it.
So
post
notification
can
also
be
pretty
useful.
Absolutely
when
you
find
a
missing
a
missing
supply
chain
thing
that
didn't
happen
so
and.
C
E
I
just
wanted
to
unlimit
our
plan
yeah
from
pre-only,
pre-notification
and
I.
Don't
expect
they're
going
to
be
long,
90-day
embargoes
in
this
world
and
no
one
likes
them
and
no
one
wants
them.
In
fact,
we
may
have
trouble
with
people
keeping
embargoes
and
that's
okay,
I'm,
not
even
not
even
a
judgment.
Just
I
would
expect
very
short
embargoes
if
any
on
on
sort
of
an
average
sort
of
basis.
Well,.
C
And
until
year,
five
I
don't
know
that
we're
going
to
have
an
issue
of
impact.
That
is
that,
like
I
think
initially
we'll
have.
You
know
some
small
to
medium
projects
that
need
some
help
and
we
can
make
some
connections
for
them
and
I
think
that's
how
we'll
probably
be
starting.
Well,
you
know
it's
not
going
to
be
a
heart
lead
right
out
of
the
gate
that
we
need
to
coordinate
thousands
of
companies.
E
This
gets
back
to
the
right.
The
10
incidence
a
year
sort
of
discussion.
Do
we
want
do
we
want
to
attempt
to
estimate
or
characterize
what
we
expect
to
happen,
or
do
we
want
to
just
I
mean
this?
It's
a
re.
It
comes
down
to
resources,
though
okay.
The
reason
I
ask
is
my
former
colleague
Alan
householder
has
some
work
that
he
based
on
cert
CC's
data,
which
is
only
certain
CC's
data,
but
probably
not
surprisingly,
it
follows
a
pretty
standard
power
loss,
sort
of
thing
and
you
keep
getting
these
like.
E
C
C
Get
our
our
minimum
viable
set
of
services
together,
and
then
we
can
kind
of
talk
through
kind
of
tabletop
what
we
think
utilization
would
be,
and
then
we
could
put
an
estimate
for
because
again
we're
going
to
be
all
volunteers
plus
a
couple
staff.
You
know
like
a
program
manager,
so
we
can
kind
of
game
out.
We
think
we'll
have,
and
if
we
have
data
that
says
statistically
that
every
year
you've
got
this
many
criticals
or
you
know
you
have
embargo
these
embargoes-
were
this
long.
A
I
think
that
it
would
be
difficult
to
approach
a
project
that
we
haven't
approached
before
and
not
to
mention
they
might
take
it
the
wrong
way.
So
I
almost
think
that
the
goal
that
we
should
have
is
maybe
say
something
like.
We
want
to
get
10
projects
and
then
see
what
type
of
influx
that
creates
and
then
build
off
of
that
to
see
how
many
people
we
can
service
it
might
be
a
way
of
measuring
stuff.
C
And
that's
potentially,
where
we
talk
with
the
Omega
folks,
which
is
you
know
the
bottom:
the
next
thousand
critical
projects
that
aren't
going
to
get
the
hand
the
white
glove
treatment.
It's.
Maybe
we
kind
of
reach
out
to
some
of
those
folks
and
say
you
know,
talk
about
their
problems,
but
I
think
we'll
be
getting
a
lot
we'll
be
collecting
a
lot
of
data
that
will
help
us
for
year.
Two
be
much
more
accurate.
B
E
A
A
A
C
B
C
C
C
C
C
And
then
just
so,
you
all
know
for
the
vulnerability
disclosure
working
group,
which
is
our
Mothership
I,
have
a
request
in
to
set
up
some
APAC
meetings,
and
since
we
are
associated
with
that
group,
there
is
the
potential
we
might
be
able
to
recruit
some
additional
collaborators
from
the
APAC
time
zone.
So
as
that
develops
I'll,
let
everybody
know
how
that
progresses.
C
C
D
B
C
The
mission
of
the
cert
is
to
empower
open
source
security
teams
like
open
source
projects
to
be
self-sufficient
and
to
apply
learnings
from
engagement
with
the
cert.
The
cert
will
be
responsible
for
open
source
projects,
requests
for
assistance,
guidance
and
support
and
handling,
processing,
Communications
and
general
management
of
suspected
and
confirmed
vulnerabilities
and
findings
reported
to
them
directly
or
by
proxy
in
a
manner
that
considers
the
community's
existing
response
processes.
C
B
A
A
C
E
I
have
a
I
hate
to
Hate
to
be
not
really
a
complaint,
but
I
like
the
self-sufficient
opening,
but
I
I
should
read
more
carefully.
First
there's
a
my
gut.
My
gut
reaction
to
that
is.
We
have
a
bunch
of
independent,
self-sufficient
projects,
which
is,
which
is
a
valid
point
and
good
I.
Don't
think
that
is
well
anyway,
I
think
there's
more
of
a
community
like
we
have
to
work
together
piece,
and
it's
not
that
it's
not
that
a
project
doesn't
have
its
own.
E
You
know
it
can
make
its
own
decisions,
can't
be
its
own.
Adult
can't
can't
work
on
its
own
recognizance,
but
there's
sort
of
no
way
for
a
single
project.
Downstream
of
open
Foo,
that's
Library,
to
kind
of
go
on
their
own
and
I.
Think
that's
where
the
cert
can
glue
together
the
independent
self-sufficient
projects
when
needed
on
a
case-by-case
basis,
so
that
sorry,
the
basically
reacting
very
much
to
that
very
first
sentence,
but
I'll
I.
It's
a
very
quick
first
reaction,
so
just
wanted
to
throw
that
out.
There's
no.
C
D
I'm
hearing
is
a
request
to
include
more
collaboration
with
the
open
source
projects,
either
through
their
requests
for
assistance,
guidance
and
support,
or
maybe
General
questioning,
removal
of
the
significant
critical
concern,
because
that
is
a
execution
detail
that
doesn't
need
to
be
included
within
the
mission
statement.
What
about
the
last
part
in
the
course
of
serving
open
source
projects?
The
cert
will
consider
all
information
provided
seek
to
understand
any
outside
influences
or
additional
factors
to
consider
prior
to
engaging
in
rendering
decision
on
engagement
and
execution
accordingly,
so
that
one's
good.
D
The
intent
of
the
of
how
that
is
structured
is
such
that,
if,
let's
say
several
consumers
of
an
open
source
project
were
coming
to
the
cert
and
say
hey,
we
think
that
there's
a
real
vulnerability
with
this
project
and
the
project
is
not
doing
anything
about
it
that
we're
not
going
to
necessarily
go
knocking
on
their
door.
Unless
it's
like
it's.
C
C
E
B
E
E
E
E
E
Just
break
down
I
I
I'm
a
broken
record
here,
but
I
think
the
word
coordinates
or
coordination
would
address
my
yes,
we
can
all
be
self-sufficient
and
empowered
and
learn
from
our
experiences,
but
when
those
shared
issues
come
up,
they
are
indeed
shared,
and
if
the
cert
coordinates,
that's
I
mean
it's
a
word.
We
chose
many
years
ago
to
mean
no
we're
not
telling
you
what
to
do.
No
we're
not
being
completely
hands
off
for
those
who
want
to
play
we're
going
to
get
the
information
shared
and
create
the
facilitate
the
facilitate.
E
D
D
The
cert
will
consider
all
information
provided
seek
to
understand
any
outside
influences
or
additional
factors
to
be
considered
prior
to
engaging
and
render
a
decision
on
engagement
and
execution.
Accordingly,
the
search
shall
balance
the
needs
and
constraints
of
the
Project's
requesting
support,
as
well
as
the
needs
of
the
consumers
of
those
projects
to
the
Practical
extent
possible
foreign.