From YouTube: OSS-SIRT SIG - Part of BEST WG (March 21, 2023)

B: It another minute or so to see if folks roll in. Here's our agenda, such as it is.

B: Well, today in the TAC we are going to try to attempt to capture an official vote to express endorsement of the plan for the governance committee.

B: Yeah, my track record with votes so far is oh and many.

D: I did submit that.

D: Blatant sales pitch for OSS-SIRT to something, OpenSSF Day, nice, in case you're still in the air by then and I get accepted. I was very, very clear in my proposal that it was a bleeding pitch, so anyway.

B: Well, it could just be kind of a theater of the mind session. This is what could have happened. Sure we're.

B: All right, well, I had posted a link in many of the Slack channels last week. There is the Open Source Security Summit in Europe coming up there. The call for papers is open, if anyone is interested in submitting talks there. I know we haven't even gotten to North America yet, but got a plan. I'll toss a couple things over there and see what happens.

F: I was gonna say, Europe usually has a pretty strong security presence, especially the past couple of years. I've been rather impressed with the turnout.

B: We chassis, so let us start. Do we want to work on the questionnaire today, or did we have a topic we wanted to collaborate on to keep us moving forward whilst the bureaucracy grinds forward?
B: We had two types of constituents we wanted to approach in the plan. The first was upstream projects and maintainers: hey, what types of services would you enjoy from the SIRT? And then there was another set of constituents, actual active security teams, kind of going out and talking to them to try to learn from them. What has worked? What hasn't worked, so that we can potentially refine our tactics.

F: Yeah, if we focus on the last one, did Vincent Donna never give us any feedback from his experience working on a SIRT?

F: Okay, I wonder if it's worthwhile to send out our request to the governing board for contacts with their SIRTs. That way, we can send them an exclusive survey on that and collect it directly from them, instead of the opposite, where we request it and they eventually provide us the response.

B: I think that is a good tactic.

B: So what types of questions would we ask a member SIRT in that, their experiences with open source? What's worked, what hasn't worked.

F: I don't know that we need the experience with open source necessarily. I think we can certainly ask for it, but I think highly mature and robust organizations that have a SOC or a security incident response team that's been operational for a while, there's probably some value in understanding how some of that affects large-scale organizations and even small businesses, particularly where you have communication breakdowns or organizational silos. Some of the challenges that they experienced in getting information out.

F: There is also useful on open source, because not all maintainers talk to us, and we don't know where they all are. So I think maybe asking it from the perspective of a postmortem, around, like, what are your current processes? What worked and what didn't?

F: What were some of the potential pitfalls when your SIRT program was set up, or what changes would you like to see made to your SIRT program if you had all the time and energy in the world?

B: I think those are all great questions, and I just realized we have an opportunity. Next Thursday is the monthly meeting of the FIRST PSIRT SIG. So if we had our questions, I could pop in there and say: hey friends, we would love to collect some information from you, and kind of ask those groups.
A: Some questions generated, but I've had a very busy couple of weeks, so I haven't been able to put them on a Google Doc, but I can send those. Some of the stuff that you mentioned, Emily, was covered in that.

B: Then we also have the TAC meeting where we will be voting again on whether the plan is a good idea, and that'll go back to the governance committee, which will be on.

A: Next, would you be interested in receiving security updates and best practices from a SIRT team to improve the overall security posture of your project?

A: I had just best practices and a security update, regular security updates, which I'm not, I wasn't super happy about, but I just kind of copy and pasted it. Okay, because I don't really know what regular security updates means, but yeah.

F: That's what it is, the one, the more attacks that they provide, the more ads they can sell you and make money off of. Okay. So the most common type of incident experienced in the past, I think that's one that we can certainly ask of an organization as well as an open source project.

F: That's more around the group of individuals that are responsible for it, so whether or not they're surging from different parts of the organization, but I think this question can probably be broken down even further, like, do you have an SOP? Like, how detailed is it, or is it more like you talked to Bob and he just shows up magically and fixes things?

F: There's a few different of the larger, highly mature open source projects that will have their own, or foundations that do this. When you talk about enterprises, it depends on what kinds of incidents we're referring to.

F: If we're talking about software-specific incidents, that is probably going to look entirely different than internal-facing incidents, such as, like, insider threat kind of activities and how they manage those kinds of things, but that's all valuable information for us to consider, because if there's an account takeover in an open source project, you can basically apply an insider threat kind of mentality to what they would be able to have access to. And how do you shake that turnover? So there's a lot of different pieces there.

A: You want to know something: it was even difficult to get an answer for David Wheeler's question. That's kind of why I wanted that question in here about, like, how many people legitimately know about the security of the project, because even huge projects, just a huge project, does not name any specific projects, but, like, you would get, well, there might be this one guy that I would consider pretty prepped up.
A: It's true, but I mean some of those frameworks probe. I would say our Kubernetes level, because we're talking, like, the React realm of, like, JavaScript frameworks, they're big boys, and it's not, I thought it was a very inappropriate answer that when I went around to some of these projects last year offering to help them with their badges and whatnot, they're like, oh, we're not interested, because they're not doing it, so we're not going to do it. So we don't need best practices.

A: I mean they're not wrong, but, as I said, I was offering to help because I was helping one of the frameworks, but, as I said, it was difficult when it wouldn't be considered simply because another project that was bigger than them doesn't do secure, a SIRT team, or does it have the security team? Even then, basically, it's just a non-starter for a lot of projects. It doesn't really matter what the reasoning is. It's just that our bigger brother doesn't do it, so we're not gonna do it.

F: Okay, so main challenges you have in managing whatever the security of the thing is. I broke out some options. There is intake, communication, prioritization. Is it the fix, remediation, mitigation? Is it notifying impacted users to upgrade, or is it conducting a postmortem? I bet you most people don't even do the postmortem part of it.

F: All right, so I threw in early, mid and senior career, and then expert in the specific technology, a generalized expert in infrastructure, or a language-specific expert, depending on what it is that they're looking for. I'm sure there's other categories of things we can lump in there, but that one should be a checkbox question, if you're gonna ask it, so they can select multiple.

F: What are your expectations for an external SIRT team in respect to support, communication and response time? This one I think we need to be more specific and probably break down more, because there have been a wide variety of ways in which various nations have attempted to provide centralized response reporting for incidents, and there is a lot of legislation currently and in flight around when you report incidents as they occur.

F: So this one I think is a very complex question to be asking, because there are some organizations and projects that are not interested in an external SIRT at all, and then there are some of them that definitely are, and some of them have an expectation, probably, that an external security incident response team is going to do more coordination activities with federal or even state-level institutions.
B: The way I just imagine, in my experience, a lot of enterprises don't get information. They don't have an information feed. They rely on their commercial tooling, like a Sonatype or a Snyk or Coverity, to try to identify some of these problems, so they're getting it very late in their life cycles, as opposed to potentially going upstream and getting things from the source. Yeah.

A: Quick, that I read a report that apparently this year a lot of people have been exploiting the time between the disclosure of a vulnerability and patching vulnerabilities. Yeah, not that I'd be throwing fingers, I'm just saying, from a generalization standpoint, I think the usage has doubled from 2022 already.

F: I was gonna say we have some of that. There's, like, the general stuff in their listing here, and then there's the more specific things. I don't know necessarily that we need to know a particular product or vendor commercial tooling that they're leveraging, or an open source equivalent, but at least getting the.

D: No, yeah, probably, yeah, sounds reasonable.

F: Okay, the next one is: do you already, or would you be interested in, learning more about best practices, techniques, security updates, advisories relevant to your group, product, project? I added in a caveat here around, I can do a newsletter like This Week in SIRT News.

F: It might be good to categorize these in another, like, checkbox equivalent of, like, do you want an email with best practices and techniques, or are you looking for, like, a web page that you can hit on occasion? So something that's either push information out or make the information available to people to come to you.

F: Specific vulns or risks you're concerned about in your project. If we're asking a bunch of open source projects or contributors that don't have any previous exposure to security, this will be very difficult for them to answer, because they may not know what risks they should be concerned with.

F: Pre-seed answers to that one; however, if we do that, we're going to be shooting ourselves in the foot for, like, what kinds of responses we could potentially get there. Like, there's the balance between: are you concerned about somebody taking over your GitHub account? Like, that's one thing. Are you concerned about not being available to respond to security incidents because you're the only person on your alias? And then you have the more common things of, like, oh, somebody finds a memory leak, or somebody has a remote code execution.

F: Yeah, dump and runs, those were great, so, like, there's all of those things. So I think it's a good question to ask, but I think we need to have a, we can either break it down even further into the two different categories of, like, you managing a project as a human.

F: What concerns do you have about a security risk coming to you or being presented? And we asked that question in the maintainer workshop not too long ago, yeah. We have some good kind of key indicators there, but so maybe flipping it a little bit more on the vulnerability side and focusing a little bit more intently there would be beneficial.
C: I will post a link to howas research there, we're also in the chat to Zoom. Just give me a second.

F: So what I'm going to do for this one is probably break up into two areas, after pulling the GitHub blog Jonathan is going to share with us.

F: Okay, what areas do you think an external SIRT would provide value to you or your project or project? This is kind.

F: Cool, got it: how do you currently prioritize or categorize security incidents? Would you be open to adopting an approach or a framework recommended by the SIRT? This one would probably be beneficial to list a few of them.

F: Because there's categorization of vulnerabilities and the criticality of vulnerabilities, and then there's the prioritization of fixing specific vulnerabilities, which may vary. Some people don't like CVSS scores; they like other kinds of scoring mechanisms. And then there's actually categorizing security incidents into different, like, constructs: whether or not it's a design flaw that caused a particular compromise to occur; it may not necessarily be a vulnerability. It could be a misconfiguration of the project or a GitHub setting misconfiguration. So there's a lot of different things there.

F: Okay, do you have any policies, procedures or guidelines for dealing with or managing incidents? Can these be shared with the SIRT? Related to three and four, yup.

B: Yeah, so we're asking, like, about details about the team and kind of what, blah blah blah, what their challenges, kind of intake, communication. So we probably should move this one up next to that when we do the survey, so they're kind of grouped. Yep.

F: So I think this is an interesting one to ask, because there are some projects that are very responsive to adopters that come to them with questions about, like, hey, I found the security flaw, or I found this issue, can you fix it? And some projects will ask for long information from their adopters to be able to help diagnose it. I think this one could probably be expanded with: what kinds of information do you request from somebody that's reporting an incident? What.

F: Yeah, remember just five: how can a SIRT best align with your project's SDLC to minimize disruption and minimize security issues effectively? Alignment questions are usually tricky for most engineers to be able to answer.

F: The only thing that I can see that we're missing is, if we are planning on sharing this with existing company SIRTs and trying to get some of this information out of them, maybe asking them for a timeline: an incident did not go well from a resolution. That's really tricky to get out of teams, particularly given the sensitive nature of most incidents.

A: I have also some discarded questions, if you want me to go through the ones that I thought I needed to either work on or come back to.

F: We can actually add that after number three, number of people that respond or manage a security incident, because we have different groups. You can ask a follow-on question of: how do you feel, like, that's the right size for the kinds of incidents that you work with? Yeah.

F: That goes down to prioritization and categorization on: how do you currently prioritize or categorize security incidents? Would you be open to adopting an approach? Very much so, that one should be broken out into two questions: how do you currently prioritize them, and then would you be willing to opt to adopt something.
C: I'm curious, is the original plan of this SIRT to be available for all open source projects, or targeted originally at, like, the top 10 or top 100 critical open source projects, and, like, reach out to them and say: hey, we are a SIRT. We are here for you because you are critical. Like, what is, who is the target initially?

B: Well, we are still defining that.

F: So I was gonna say, so originally the list of services that were going to be provided would be lightweight, introductory services, primarily focused around coordination and communication, and that's open to everyone, as well as some educational aspects of it, so trying to teach everyone to fish where we can, instead of just doing the fishing for them.

F: We've also talked about advocating for a framework where projects can establish their own local SIRT, and then foundations that have projects within them would have their foundation-level SIRT, and then this one would sit outside and above all of that, as, like, the sort of last resort, was one of the terms that we threw around a while ago.

B: And historically, this community is super distrustful and does not invite outsiders in, so it's going to take us time to earn trust. So I think initially we probably wouldn't turn many people away, but at some point we will need to, and we have it in the plan that we need to decide kind of what the bug bar, so to speak, is, affecting how we can, how and who we can help. Yeah. It's definitely something we need to solve at some point. Jeffrey.

C: Yeah, I think I see a SIRT, right, as an incident response pool to deal with only, like, coming in for incident response, so those are very sporadic and sort of incidental sort of events, with training and education. That seems like a longer-term relationship.

F: So if you go to our repo, let me find it, there's a few different areas that we talked about within the execution and the core services function. Actually, so it's under 2.0. Let me copy and paste this into chat, so you have access to it. So this was kind of an initial step at defining.

F: What that looks like. We didn't want to immediately exclude the ability to provide responses to teams that need help, but focus on it from the perspective of, people are not likely to come to us first without establishing that level of trust. So the primary focus, at least initially, is on doing that outreach and advocacy, and explaining to folks: hey, we're here; hey, we have these resources that would be beneficial to you.

F: If you're responding to an incident, let us know and we can come and help, and issuing it more in a guidance fashion, initially partnering with those projects. Some of them may already have a security incident response team, or they might have a security-focused individual on their maintainer team, that this could help augment some of that. But we didn't want to exclude that activity.

C: If I understand this, it's, sorry Randall, what I'm understanding you saying is, like, all for the services, say, here, or a SIRT, but then also demonstrate proof of, like, we're not, like, you know, some rando from nowhere, like we actually know what we're talking about, with resources being provided to back up the identity, sort of. Yep.
B: If you look at section 2.4 of the plan, we have a model for our community engagement of how work could come to the SIRT, whether it's a researcher or an upstream team, and then the different downstream groups we would also work with.

F: I want to make sure that I'm understanding it correctly: is the expectation that a project who has just undergone a major incident, do they contact us after the fact and say: hey, we just dealt with this. How could we make it better? And we review with them how they conducted their activity and provide indicators for improvement areas? Yep.

C: Something that would actually be, like, even more potentially useful is just, like, I mean, when I first ran, we ran into an incident at a former employer, and we hired an incident responder, and we were like, okay, how do we handle this in the future? And, like, the guy, as one of the things that he delivered to us, was a runbook for: if you run into this incident in the future, here are the things that you should do. Like, it was Docker-related.

C: So, like, he's like, here's how you preserve a Docker container's memory, so that if it needs to get run, you know, if we need to dump this information, or if we need to dump memory out of a Docker container, like, this is how you preserve it, so that, like, you can do so in the future. You know, stuff like that. Like, this is the kind of, like, runbook sort of information that was really helpful for future cases.

B: But we said exactly that. We would like to provide maintainers a playbook of what to do, how to handle an incident. Perfect, which this group could participate in or benefit from.

C: I'm going to answer that immediately because I have an opinion. I feel like a SIRT is supposed to be reactive as a primary goal, but then also be, you know, I feel like the OpenSSF in general is designed to be a proactive effect, whereas the SIRT is intended to be reactive. So, like, everything else at OpenSSF is the proactive part of it.

F: And that's not something we have written into the scope of the SIRT, but I would suspect that having a report of some kind from the SIRT to the Technical Advisory Council of, like, here's the common requests and things that we're finding, and then have the TAC take action on those, would be a good feedback loop that could be amplified.
B: And, depending on who's answering the survey, I think you're going to get different results. Yeah, I think the maintainers will talk about: I don't have resources, I need help. How can you help me? So I think that'll be reactive, but commercial enterprises are going to say: I need you to tell me all about all this. Tell me, tell me, tell me, tell me. So they're going to want the proactivity. Yep, so it's just, we'll have to walk that tightrope.

F: So I think my recommendation for right now is cleaning up that list of questions, seeing how we could refine it and provide multiple choice or checkbox options, hopefully eliminate any fill-in-the-blank where we can, and then, once you get finalized, figuring out where we need to have deviations for a non-open-source-focused version of the questionnaire, and then figure out who we're going to send stuff out to.

C: A question, potentially: are there any cases we may not have considered that are good examples of previous incidents that we should use as case studies? Like, you know, are there already things that are out there that have been published that we can learn from? And, like, some of the ones that I can think of is, like, back when Adam Baldwin worked for npm, and before npm was bought by GitHub, npm used to publish a lot of incident response things on their blog that were really, really, like.

C: I learned a lot from those, and so, you know, there may be other incidents that are, folk that have targeted open source that, you know, the community may know about, that we may not have considered, the department we've been posted about, that we could learn from.

F: So there's always stuff that we don't know. There are blogs and publications about incidents that we could potentially leverage. I think it's a matter of discovery of what those are and which blog posts are good exemplars. I also believe that there are organizations that do an excellent job writing postmortems about incidents that break down actually what happened; however, I haven't really seen a lot of discussion around the process and execution portion of performing a security response.

B: So we did account for this generally in section 1.1, milestone five, where we're going to re-review the existing coordinated vulnerability disclosure material. So we can definitely add into that, if we had specific examples, or have a note, Google open source IR, and spend a day reading. So we can definitely add a task to the plan specifically to that.

B: Take the action to look up how to eventually transfer the finalized questionnaire into SurveyMonkey. I used to have an account. Does.

B: Well, except 11, those different thing has multiple options. Awesome.

B: Next Thursday is the PSIRT call. I can announce it in the governance committee pending on the TAC vote in an hour.

C: I make a, just an action item for someone to do. I may, I do sometimes make these meetings, sometimes don't. At the end of when this thing is created, can you ping me the list and I will send this, or ping me the questionnaire and I will send it to the GitHub Stars, because I have, I am part of the Slack channel there, and so I can share it to those people as well. Yeah.