►
From YouTube: OSS-SIRT - 3 Execution (November 18, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
B
A
A
A
B
B
A
Cool
what
we
need
to
do
is
to
get
the
content
of
all
the
sections,
basically
sussed
out
and
good
enough
to
start
to
share
more
broadly.
My
intention
would
be
to
share
the
plan
with
the
full
Sig
and
the
attack,
maybe
next
week,
if
we
can
get
through
some
of
this
and
then
eventually
to
the
governing
board,
probably
like
the
first
week
of
December
after
we
kind
of
have
some
comment
from
the
full
Sig.
B
A
A
A
It
does
keep
thing
I,
believe
it.
It's
I,
think
it
encrypts
communication
I,
hope
basically
provides
some
level
of
confidentiality
as
we
go
through
and
allows
the
researcher
and
the
maintainer
to
decide
who
gets
included
in
this
and
then
at
the
tail
end
of
it.
We
can
tack
on
things
like
write,
a
csaf
advisory
or
shoot
something
out
to
the
OSS
SEC
mailing
list
when
we're
done.
C
C
Well,
that's,
that's!
That's
where,
maybe,
towards
the
end
of
this
call,
we
can
switch
into
this
conversation
because
there
is
a
conversation
here
to
be
had,
because
the
reality
is.
Is
that
it's
not
as
complicated
as
you
think
it
is,
but
it
is
a
it
is
a
problem
and
we're
going
to
talk
about
vendor
agnostic
and
whatnot,
because
essentially
what
Vince
is
it's
a
bunch
of
AWS
Services
right
glued
together
right?
C
That
being
said,
there's
there's
some
things
that
we
could
possibly
improve
on
being
open
ssf
and
we
also
have
osv,
which
is
already
hooked
up
to
GitHub,
which
is
why
I
wanted
to
talk
to
you
about
that,
because
that's
what
I'm
looking
into
right
now,
okay,
so
yeah
so
I
can
I
can
deal
we
could.
We
could
skip
three
three
one
for
now
and
go
to
three
two.
If
you
want
sure.
A
Since
we
decided
we
wanted
to
be
a
volunteer
team,
we
will
select
that
initial
group
of
volunteers
and
Milestone
four
will
train
and
on
boredom
and
then
we
will
figure
out
some
type
of
how
we're
going
to
do
this
annually.
Is
there
going
to
be
rotation,
we
need
to
do
re-education
periodically,
so
we'll
figure
that
out
there.
C
B
A
B
B
You
know
sooner
rather
than
later
so
yeah
and
what
that
material
looks
like
you
know
not
just
taking
like
the
developer
certification,
but
you
know
what
what
above
and
beyond
those
types
of
things
are
required.
So
yeah
I
mean
they
look
good.
It's
just
I
definitely
need
to
nail
down.
You
know
what
that
that
training
is
going
to
look
like
prior
to
you
know,
probably
I
would
I
would
say
before
recruitment.
Obviously,
so
we'll
have
to
nail
that
down
right.
A
And
we
talk
about
that
more
specifically
in
section
two,
two
three
I
think
yeah
Staffing
requirements.
So
we
talk
about
training,
the
skills
we
need
and
well
before,
we're
all
done.
We're
going
to
need
to
have
a
requested
estimate
number
of
volunteers
for
the
first
year,
that'll
be
a
requirement
of
us
here.
A
C
B
A
Looks
good
to
meet
you
all
right
and
then
section
three
five
was
establishing
a
postmortem
culture.
Basically
anytime,
we
have
developed
a
process
that
anytime
we
have
incidents
or
engagements
with
up
reporters
or
Upstream
we're
going
through
and
reflecting
upon
that,
creating
Lessons,
Learned
and
being
able
to
improve
our
overall
process.
Is
there
so?
Basically,
it's
creating
the
process
creating
some
type
of
survey,
creating
executive
report
in
case
key
stakeholders
want
to
watch
in
on
that
and
then
train
the
program
manager
again
on
how
to
execute
on
this
process.
A
B
B
Some
you
know,
follow-up
fixes
that
may
need
may
be
needed
right
after
this
lesson
learned
additional
Staffing
or
not
just
process,
but
there
may
be
Project
Specific
stuff.
They
need
to
facilitate
with
somebody
else
to
get
to
get
moving
on,
not
just
the
data
collection.
So
the
best
way
to
word
that,
but.
A
A
B
A
B
B
B
C
B
I
don't
see
any
additional
problems
looks
good
to
me,
although
you
know
one
of
the
things.
Obviously
you
have
some
of
the
links
around
milestones
and
other
things,
and
these
arrows
for
stage
year.
You
know
year,
one
or
I,
don't
know
that
these
arrows
are
necessary
unless
they're
links
somewhere.
Are
they
going
to
be
Links
at
some
point.
A
B
C
That
was
just
because,
if
I
put
start
year,
one
it
breaks
the
table
sometimes
and
I
was
just
trying
to
make
it
look
sexier.
So
yeah,
that's
really
that's
the
only
technical
reason
as
to
why
I
did
that,
because
if
you
actually
write
start
or
end
the
variation
in
that
kind
of
screws
up
the
table,
yeah.
B
B
B
C
C
A
A
B
C
So
here's
here's
the
bottom
line,
so
let
me
be
honest
with
you.
Actually
Vince
is
actually
a
very
simple
application
to
build
yeah
in
general,
so
I
don't
so
they
didn't
build
a
whole
lot
of
it
like
a
lot
of
it's
actually
just
configurations,
and
there
you,
like
all
of
it,
is
AWS
basically
so
I
mean
we
could
use
that
like
so
here's.
C
A
The
benefit
would
be
the
fact
that
that
is
a
tool
that
is
in
use
today
by
the
vendor
piece
of
community.
Correct
and
assert,
is,
you
know,
very
well
established
entity
within
the
vulnerability
disclosure
Community
right,
so
it
would
be
kind
of
giving
back
and
showing
appreciation
for
their
efforts
if
we
were
able
to
contribute
to
that
project.
Technically,
you
know
if
it
does,
if
it's
not
fit
for
purpose,
then
it's
not
fit
for
purpose.
C
A
C
So
that's
what
I'm
saying
like
like
I
could
even
make
it
like
a
hundred
percent
compatible
with
their
API,
because
it
is
all
open
source
like
I.
Just
sent
you
the
vulnerability.
Note
API
I
can
produce
the
exact
same
thing,
so
I
can
make
it
work
exactly
the
same.
Just
under
the
hood.
It's
not
running
a
bunch
of
AWS
services
or
to
Django,
and
it's
easier
to
contribute
to,
because
kind
of
is
a
lot
more
modern
kind
of
where,
like
run-in
developers,
what
they're
playing
with
nowadays.
C
Yeah,
it's
basically
kind
of
like
Glenn's
thing
too,
because
basically,
this
is
the
same
thing.
I
went
through
with
Glenn's
with
SKF
yeah
and
that's
why
we
decided
to
rebuild
SKF
and
Astro
and
in
solid
and
using
graph
databases,
but
it's
not
a
difficult
app.
That's
why
I'm
asking
like
I
can
Gronk
something
like
this
together
and
make
like
a
proof
of
concept
fairly
easy
and
it
I
can
make
this
vulnerability.
Node
API
work
exactly
the
way
they
have
it
and
I
don't
need
to
use
Cognito
and
all
of
those
AWS
serverless
stuff.
C
A
A
C
That
would
be
the
way
that
we
would
so
Glenn
is
not
wrong
in
what
he
did,
except
the
fact
that
you
have
to
make
a
kubernetes
cluster
and
basically
running
it
on
Azure
is
essentially
running
it
in
your
own
kubernetes
cluster
yeah
and,
as
you
know,
chances
are,
is
that
next
year,
I'll
probably
be
like
around
a
lot
more.
So
if,
if
things
happen,
I
will
be
around
where
I
can,
like
you
know,
be
the
de
facto
it
guy.
C
Because
let
me
also
say
this
real
quick
just
just
for
for
notion.
So
if,
if
we
wanted
to
rebuild
Vince
one
way
that
you
could
go
with
it
again,
you're
kind
of
married
and
that
whole
thing
but
I'm
just
saying
you
could
take
Firebase
and
do
exactly
what
they
did
because
all
they
did
is
they
took
Firebase
glued
it
all
together,
and
that
is
Vince.
C
But
you
run
into
that
same
problem
that
what
happens
when
I
don't
want
Firebase
anymore
you're
stuck
in
Firebase
yeah.
So
that's
the
same
thing
now
there
is
an
open
source
alternative
called
Super
Bass,
but
it
just
came
out.
It's
not
very
mature,
not
something
that
I
would
use
professionally
yet,
but
yeah.
A
C
Because
they
do
have
osv
and
I
think
that
we
can
integrate
that
and
I
know
it
doesn't
get
a
whole
lot.
That's
just
the
database,
though,
isn't
it
it's
a
database,
but
it
also
Aggregates
GitHub
security,
advisories
Pi
PA,
which
I
don't
know
what
that
is
rust
security
and
the
Global
Security
database.
So
it's
all
merged
and
they
even
have
scanners.
A
A
C
C
A
A
Need
to
figure
out,
you
know,
get
some
requirements
of.
How
is
what
is
there
a
set
of?
Is
it
a
set
of
tools?
Is
it
one
tool
that
we're
going
to
use
to
do
case
management
Communications,
be
able
to
include
people
into
those
closures
to
be
able
to
Output
to
things
like
osv
and
OSS
Security
lists
your
new
the
siren
proposal
we
have
about
making
like
a
communication
service
at
the
back
end
of
things.
A
C
A
C
A
C
Because
if
I'm
not
mistaken,
they're
two
different
things
right,
the
vulnerability
note
is
completely
separate
from
the
like
you're
talking
about
an
advisory
like
a
well
from
my
understanding.
The
way
Vince
works
is
when
you,
when,
when
a
reporter
comes
in
and
opens
up
a
case,
it
gets
assigned
a
vulnerability,
ID
or
a
vuid
yeah,
that's
just
for
tracking
right,
and
that
also
has
a
an
ID
number.
Now,
that's
basically
what
what
is
the
vulnerability?
C
A
End
of
it
yes,
you're
right
when
you're
ready
to
go
public,
that
and
that's
we
would
want
to
probably
think
about
part
of
this
proposed
tool.
We
may
want
the
one
of
the
outputs
to
be
like
an
electronic
machine,
readable
advisory
like
using
the
c-stat
csash
standard.
Okay,
all
right
the
unit
automatically
does
that,
so
the
maintainer
doesn't
have
to
worry
about
that.
A
C
A
C
C
A
B
A
A
A
A
We
want
to
hire
some
developers
and
you
know
either
write
or
make
a
composite
application
ourselves
cool.
Let's
get
that
in
there
and
that
way
we
can
explore
and
figure
that
out
as
we
go
along
bear-
and
we
have
you
know
in
that
discussion
from
Francis.
We
have
a
bunch
of
suggested
tools
already
and
that's
probably
one
of
the
next.