From YouTube: OSS-SIRT - 3 Execution (November 18, 2022)
Description
No description was provided for this meeting.
A: So I guess mainly for Eric, since Randall's seen this a lot: any initial impressions on the style, how we're organizing it and the format, or anything you'd like to share?

B: I like the links in each section too, with it not being something long drawn out, just a click of a link. That's pretty helpful.

B: Yeah, I think as things kind of come up, examples of key metrics and things like that will be key, but yeah, I think it looks good so far, yeah, for sure.
A: Cool. What we need to do is to get the content of all the sections basically sussed out and good enough to start to share more broadly. My intention would be to share the plan with the full SIG and the TAC, maybe next week, if we can get through some of this, and then eventually to the governing board, probably like the first week of December, after we kind of have some comment from the full SIG.

B: Yeah, I mean, I think I would need very specific kind of ideas of what you want finished if I try and help. I got some things I got to get done before Thanksgiving, but certainly see where I can chip in, if possible. Well.

A: Specifically, let's take a look at some of these goals and see if we feel the milestones kind of achieve those goals, and kind of give us a gut check on the estimates we put down. That would be very useful to do right now, if possible.
A: It does keep things, I believe. It's, I think it encrypts communication, I hope, basically provides some level of confidentiality as we go through, and allows the researcher and the maintainer to decide who gets included in this, and then at the tail end of it we can tack on things like write a CSAF advisory or shoot something out to the oss-sec mailing list when we're done.

C: Well, that's, that's! That's where, maybe towards the end of this call, we can switch into this conversation, because there is a conversation here to be had, because the reality is that it's not as complicated as you think it is, but it is a problem, and we're going to talk about vendor agnostic and whatnot, because essentially what VINCE is, it's a bunch of AWS services glued together, right?

C: That being said, there's some things that we could possibly improve on, being OpenSSF, and we also have OSV, which is already hooked up to GitHub, which is why I wanted to talk to you about that, because that's what I'm looking into right now. Okay, so yeah, so I can deal, we could skip 3.1 for now and go to 3.2, if you want. Sure.
A: Looking down on the section 3 plan for recruitment: we are going to create a job description, we'll review that with the SIG, we'll post that out and talk to the foundation to start a vetting process, and the idea here is we are collecting member-organization-donated security people that will be volunteering towards this effort.

A: Since we decided we wanted to be a volunteer team, we will select that initial group of volunteers, and milestone four will train and onboard them, and then we will figure out some type of how we're going to do this annually. Is there going to be rotation? We need to do re-education periodically, so we'll figure that out there.

A: Any questions or feedback about the milestones or the estimates below there?
B: Yeah, I mean, as far as, I mean, there's some obvious requirements of the education group, probably on.

B: So, if so, assuming that those are good to go, then, and you know, obviously that's being worked on to some degree, well.

B: You know, sooner rather than later, so yeah, and what that material looks like, you know, not just taking like the developer certification, but you know what above and beyond those types of things are required. So yeah, I mean, they look good. It's just I definitely need to nail down, you know, what that training is going to look like prior to, you know, probably I would say before recruitment, obviously, so we'll have to nail that down, right.
A: And we talk about that more specifically in section two, 2.3 I think, yeah, staffing requirements. So we talk about training, the skills we need, and well before we're all done, we're going to need to have a requested estimate number of volunteers for the first year. That'll be a requirement of us here.

A: Royally, yep, I do. Let me correct that.

A: Section three here is where we actually, this is the group that would need to engage with the education, say. This particular goal is developing the onboarding documentation, playbooks, and then training to help get the volunteers up to speed.

B: Fortunately, you know, my neighbor's dog isn't going crazy.

B: Had a couple typos in here that's impacting year one, one, and "Define rep hop for treatment". Oh.
A: Looks good to me. All right, and then section 3.5 was establishing a postmortem culture. Basically, we have developed a process that anytime we have incidents or engagements with reporters or upstream, we're going through and reflecting upon that, creating lessons learned and being able to improve our overall process. Is there, so? Basically, it's creating the process, creating some type of survey, creating an executive report in case key stakeholders want to watch in on that, and then train the program manager again on how to execute on this process.

A: It shouldn't be, it should be the reverse. We should have service level objectives and then SLO, parenze, and SLIs.
B: Or 3.5 on the post-mortem, right, should there be an additional step once the facilitation of the process is there and the stakeholder feedback collection, and should there be some planning phase as well where we're planning for the next, you know, stage, so we know what the postmortem issues were?

B: All of that, should there be, you know, is there a scenario where there'll be additional tasks that the program manager will have to, you know, set up, like, you know, a phase two part of the process to fix those issues from the post-mortem, so we're creating.

A: So, implement postmortem improvement findings back into existing processes. Yeah.

B: Something like that, and track any existing tasks, something like that. So.
B: Some, you know, follow-up fixes that may be needed right after this lessons learned, additional staffing, or not just process, but there may be project-specific stuff they need to facilitate with somebody else to get moving on, not just the data collection. So, the best way to word that, but.

A: I added track improvements to ensure completion, timely completion.

A: That is specifically on this process, so we could move that down to the whole hiring the PgM, or we can keep that here with the postmortem piece. I'd say that doesn't matter.

B: Mean, is that just part of 3.2 and recruitment, or is that, there's a recruitment, just more the process of recruiting?

A: Recruitment is specific to the volunteers. Okay.
A: All right, so let's take a look at that, hire the program manager. Any feedback on those items there while I go back and adjust numbering?

A: It work on web stuff, yeah.

B: I don't see any additional problems, looks good to me, although, you know, one of the things, obviously you have some of the links around milestones and other things, and these arrows for stage year, you know, year one, or I don't know that these arrows are necessary unless they're links somewhere. Are they going to be links at some point?

C: That was just because, if I put "start year one" it breaks the table sometimes, and I was just trying to make it look sexier. So yeah, that's really the only technical reason as to why I did that, because if you actually write start or end, the variation in that kind of screws up the table, yeah.
B: Yeah, you can leave them. You know, like I said, it's not that big of a deal to me. I was just curious because they're there and they don't seem to have a function. So that's, it's fine, yeah, cool. I'm not an overly OCD person or anything.

C: That there's anything, can I merge, 28 probe.

C: Basically, what I did is I installed, I made a configuration, and I'm going to do this to all the repos. So if you actually wanted to just go in and format all the documents automatically, you could.

A: Let's talk about the tooling a little bit, and if you wanna stay around, Eric, great. If you want to leave, great, no harm, no foul.

B: Yeah, it's not that I don't want to stay around. Oh, I'm gonna mute myself, I'll be back in just a minute. All right.
C: So here's the bottom line, so let me be honest with you. Actually, VINCE is actually a very simple application to build, yeah, in general, so I don't, so they didn't build a whole lot of it, like a lot of it's actually just configurations, and there you, like all of it, is AWS basically, so I mean we could use that, like, so here's.

A: The benefit would be the fact that that is a tool that is in use today by the vendor piece of community, correct, and CERT is, you know, a very well established entity within the vulnerability disclosure community, right, so it would be kind of giving back and showing appreciation for their efforts if we were able to contribute to that project. Technically, you know, if it does, if it's not fit for purpose, then it's not fit for purpose.
C: So that's what I'm saying, like I could even make it like a hundred percent compatible with their API, because it is all open source. Like I just sent you the Vulnerability Note API. I can produce the exact same thing, so I can make it work exactly the same, just under the hood it's not running a bunch of AWS services or Django, and it's easier to contribute to, because it kind of is a lot more modern, kind of where, like, run-in developers, what they're playing with nowadays.

C: Yeah, it's basically kind of like Glenn's thing too, because basically this is the same thing I went through with Glenn's, with SKF, yeah, and that's why we decided to rebuild SKF in Astro and in Solid and using graph databases, but it's not a difficult app. That's why I'm asking, like I can Gronk something like this together and make like a proof of concept fairly easy, and I can make this Vulnerability Note API work exactly the way they have it, and I don't need to use Cognito and all of those AWS serverless stuff.
A: You know, if we have any cloud infrastructure, the default credits we get are from Azure, right, so we would need to overcome that hurdle as a step one anyway. Well.

C: That would be the way that we would, so Glenn is not wrong in what he did, except the fact that you have to make a Kubernetes cluster, and basically running it on Azure is essentially running it in your own Kubernetes cluster, yeah, and, as you know, chances are that next year I'll probably be like around a lot more. So if things happen, I will be around where I can, like, you know, be the de facto IT guy.

A: So, let's start an issue, and let's put it underneath goal 3.2 now, which is the tech stack, and let's start to gather requirements for an OSS-SIRT.
C: Because let me also say this real quick, just for notion. So if we wanted to rebuild VINCE, one way that you could go with it, again you're kind of married in that whole thing, but I'm just saying you could take Firebase and do exactly what they did, because all they did is they took Firebase, glued it all together, and that is VINCE.

C: But you run into that same problem that what happens when I don't want Firebase anymore, you're stuck in Firebase, yeah. So that's the same thing. Now there is an open source alternative called Supabase, but it just came out. It's not very mature, not something that I would use professionally yet, but yeah.
C: Because they do have OSV, and I think that we can integrate that, and I know it doesn't get a whole lot. That's just the database, though, isn't it? It's a database, but it also aggregates GitHub Security Advisories, PyPA, which I don't know what that is, Rust security, and the Global Security Database. So it's all merged, and they even have scanners.

C: No, but private communications, no, no, but what I'm just saying is in terms of this, VINCE uses CVE or CVEs, I believe, the common vulnerability database, yeah.
A: Need to figure out, you know, get some requirements of: how is, what is, is there a set of, is it a set of tools? Is it one tool that we're going to use to do case management, communications, be able to include people into those disclosures, to be able to output to things like OSV and OSS security lists, your new, the Siren proposal we have about making like a communication service at the back end of things.

A: Again, think about, you have a security researcher that doesn't know what open source project to go to. How do they contact us? How do we keep that private until we can find the right parties and get them talking to each other?
C: Because if I'm not mistaken, they're two different things, right? The vulnerability note is completely separate from the, like you're talking about an advisory, like a, well, from my understanding, the way VINCE works is when a reporter comes in and opens up a case, it gets assigned a vulnerability ID or a VUID, yeah, that's just for tracking, right, and that also has an ID number. Now, that's basically what, what is the vulnerability?

A: End of it, yes, you're right, when you're ready to go public, that, and that's, we would want to probably think about, as part of this proposed tool, we may want one of the outputs to be like an electronic, machine-readable advisory, like using the CSAF standard. Okay, all right, the unit automatically does that, so the maintainer doesn't have to worry about that.
A: Was your statement, Eric.

A: And that's, we have, I put Jira and Confluence as an option, and Atlassian.

C: I will get you figures on all that this weekend. Yes.
A: We want to hire some developers and, you know, either write or make a composite application ourselves. Cool. Let's get that in there, and that way we can explore and figure that out as we go along, and we have, you know, in that discussion from Francis, we have a bunch of suggested tools already, and that's probably one of the next.

C: Okay, I will get you figures on that, and I will try to figure that out. I will try to do a, yeah, and I will just throw something like a stub in there for byi, and did you want me to open another issue about what our requirements are for said tool? Yeah.

A: And that's why, and I also want to have, want the tool to be ongoing and have it be configurable and adjustable to our needs. So I want to have a body to do that.