►
From YouTube: OSS SIRT – Problem Space 1 (November 14, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
Let
me
let
me
say
this
also,
because
there
was
a
part
of
this,
that
I
noticed
a
section
that
I
noticed
that
was
missing
in
all
of
this,
and
I
can
start
sharing
my
screen
sure,
because
I
have
been
educating
myself
a
lot
about
a
piece
search
nice
we
have
about
like
so
we
didn't
have
about
I
know
that
a
big
pain
point
is
basically
communicating
with
the
actual
projects.
I
think
that
we
should
communicate
with
some
projects
and
figure
out
how
this
all
could
be
useful
to
them.
C
A
B
A
Yeah,
but
it's
actually
really
good,
it's
actually
amazing,
but
it
was
discussed
in
that
video
that
getting
a
lot
of
reports
and
I
know
this
happens
in
Gen
2
a
lot,
but
getting
a
lot
of
duplicate
reports
is
a
major
pain
point
for
Upstream,
yep
and
I.
Know
that
irritates
some
people,
a
lot
yep
and
I
know
some
people.
Take
it
the
wrong
way
too.
So
I
think
that
that's
the
type
of
thing
that
perhaps
we
can
alleviate
because.
C
A
Know
that
also
is
so
one
thing
I
wanted
to
point
out
and
then
everything
that
I
I've,
seen
and
and
read
I
also
think
a
lot
of
it
is
that
a
lot
of
people
like
they
pre-assume
things
like
they
pre-assume
that
sending
a
report
Upstream
is
gonna,
cause
this
big
problem
and
obviously
I'm
talking
about
specific
people,
I'm
not
talking
about
bug,
Bounty
people
I'm
talking
about
a
lot
of
the
because
that's
the
other
thing
I
don't
know.
I
just
got
all
messed
up.
A
I
gotta
fix
that,
but
there
are
a
lot
of
people
that
have
like
security
teams
they're,
not
necessarily
pcert
teams,
if
you
will,
but.
A
Right
and
and
those
are
the
people
I'm
talking
about
yeah
I
tend
to
and
red
hat
is
one
of
them
and
they
don't
do
Upstream
because
they
don't
want
to
cause
a
friction
point
between
anyone
and
they
end
up
fixing
things
in
isolation
and
that
ends
up
creating
a
friction
point
in
it
of
itself
yeah
if
I
I,
wonder
if,
like
for
and
that
this
is
where
we
get
to
part
two,
which
is
to
survey
our
intended
audience,
because
first
has
a
video
that
I
saw
about
establishing
personas
and
establishing
your
audience.
A
So
I
move
the
table
out
and
I
kind
of
put
this
in
its
own
section,
and
then
this
is
where
the
section
two
part
comes
and
where
I'm
I'm
kind
of
battling
right
now,
yeah,
because
nowhere
here,
we
actually
recording
the
scope
of
what
actually
we
intend
like
and
the
problem
like.
After
doing
all
of
this.
A
B
A
B
A
B
A
We're
thinking
more
about
the
API
in
terms
of
like,
if
you
because
we're
trying
to
like
say
so,
we
really
have
two
products
in
SKF,
which
is
the
people
that
want
the
information
to
create
their
own
internal
information
like
their
own
security,
Champion
program,
yeah
yeah,
and
then
we
have
what
we're
calling
now
SKF
web,
which
is
basically
the
front
end
of
SKF,
which
is
the
labs
and
like
how
we
implement
it
and
how
we're
presenting
the
information.
A
C
A
Was
actually
gonna
ask
maybe
later
on
or
in
the
education
Sig
or
at
some
other
point
we
could
talk
about
including
the
security
happy
hour
and
SKF,
because
that
taxonomy
video
is
pretty.
A
A
B
I
agree
and
there's
there's
probably
throughout
both
of
these
plans:
Randall
there's,
probably
a
ton
of
stuff
where
we
said
here's
an
idea,
but
we
didn't
actually
write
down
steps
like
collect
data
review.
The
data
you
know
make
a
decision.
We
you
know
we
didn't
go
through
and
do
some
of
this
more
prescriptive
stuff
right.
A
Well,
I
plan
out
on
on
taking
a
little
bit
more
ownership,
because
I
know
that
we
have
membership
numbers
affected,
but
I
was
planning
on
actually
reviewing
now
that
I
have
a
better
grasp
of
everything,
because
Gen
2
security
team
is
not
a
piece.
B
A
B
And
you
know
the
the
P
comes
from
product,
which
generally
is
vendors,
so
you
know
they
have
to
have
these
types
of
things
to
protect
their
product
portfolio
and
just
yeah.
The
principles
are
the
same.
You
know
you
are
you
have
to
intake
information,
you
have
to
do
triage,
you
have
to
develop
a
fix,
you
have
to
release
a
fix,
so
it's
the
same
principles
can.
A
I,
ask
you
an
Intel
question
out
of
curiosity,
so
does
Intel
have
different
piece
search
for,
for
example,
different,
for
example,
Sky,
lake
or
coffee
lake
or
or
is
it
just
all.
B
One
big
thing:
there
is
a
one
Intel
piece
art
that
oversees
the
whole
portfolio
right,
but
they
were
in
more
of
a
distributed
like
red
hat
was
a
centralized
model
where
all
the
work
was
pretty
much
done
in
one
spot.
Right,
Intel
is
the
opposite
where
it's
distributed,
so
we
have
a
huge
security,
Champions
Network
and
when
the
issue
comes
in
when
we're
in
the
triage
stage
that
gets
delegated
out
to
a
product
team,
okay,.
A
B
And
when
you
bug
Bounty,
because
there's
payment
involved,
as
opposed
to
like
a
vendor
disclosure
program,
a
VDP
yep
generally
with
because
there's
contracts
involved,
the
bug
Bounty
stuff-
will
be
much
more
thoroughly
documented.
A
B
A
And
that's
another
thing
because
you
know
at
some
point:
it'll
happen
like
I'm
sure
AMD
is
part
of
the
there
has
to
be
because
we
do
AMD
has.
B
A
I
I
think
well
just
saying
like.
Wouldn't
it
be
something
that
we
should
involve
them
at
some
point
or
or
maybe
get
them
on
the
board,
because
amd's
not
on
here
at
all
and
well
and
in
the
spirit
of
like
being
multi-vendor,
because
I.
B
Know
Magento
AMD
is
part
of
first,
which
is
where
the
vendor
security
teams
chill
out.
Okay,
AMD
does
participate
in
open
source,
but
I'm
from
the
perspective.
We're
trying
to
address
I
I
am
currently
less
interested
in,
like
a
hardware
vendor's
perspective.
Okay,.
A
B
Because
because
there
are
there,
like
the
curl,
has
very
rigorous
processes
to
get
drivers,
and
you
know
new
feature
functionality
enabled
so
that
there's
that's
kind
of
a
managed
process
in
the
future
and
everybody
actually
had
a
dude
from
AMD
I.
Think
he's
in
the
vault
disclosure,
Sig
or
working
group.
I,
don't
know
if
he
hopped
on
the
Sig,
so
they
do
participate
with
the
open
ssf.
But.
A
B
That
they're
I
I
I'm
I
know
it's
the
fall.
Disclosures
group.
A
So
I
I
was
just
commenting
from
that
point
of
view
where,
like
because
I
know
that
also
being
part
of
Open
Source
I've
been
a
part
of
this.
Where,
like?
Why
do
you
impose
things
that
are
us-based
on
other
people
like,
and
then
it
becomes
a
oh
that's,
because
U.S
based
people
always
think
that
they're,
like
the
center
of
the
universe
and
I
I,
don't
want
to
be
a
part
of
that.
You
know
what
I'm
saying
yeah.
B
But
it
is
definitely
challenging
to
account
for
viewpoints
around
the
globe
and
we
try
to
be
as
neutral
as
we
can
but
yeah
now.
That
is
always
a
bottle
even
and
that's
like
I
was
on
a
call
with
wheeler,
where
somebody
jumped
on
him
for
saying
the
government-
and
he
was
not
specifically
talking
about
the
US
government
because
he
actually
does
do
work
with
Anissa
and
other
government
agencies,
but
they
in
because
he
worked
in
the
US
government
and
he's
a
U.S
citizen.
B
C
B
A
It's
happened
at
Homebrew
before,
because
GitHub
has
certain
issues
getting
into
China
so,
like
we've
been
blindsided
we're
like
Chinese
people
get
this
impression
like
we're
against
them
or
something,
and
it's
like
no.
We
just
had
no
idea
that
it
just
didn't
work
like
it
was
the
first
person
that
told
us,
like,
oh
yeah,
we
have
like
this
separate
CDN
we've
set
up
to
like
mirror
all
your
stuff
and
you're
like
really.
You
could
have
let
us
know,
and
we
could
have
figured
it
out,
but
I
guess
that
works.
B
C
B
Might
be
something
we
need
to
carve
off
work
to
be
geographically
specific
and
kind
of
take
be
more
culturally
sensitive
to
how
training
needs
to
be
done
there
well.
A
The
the
though,
as
far
as
the
peace
cert,
let
me
bring
it
back
to
the
P
sir
yeah.
So
the
reason
I
say
that
is
because
I've
been
a
part
of
conversations
where
other
cultures
also
have
like,
for
example,
like
there's
certain
people
that
have
this
expectation.
It
happens.
A
lot
in
communities
like
gnome,
where
I'm
going
to
open
an
issue
and
I
need
a
response,
and
when
you
don't
respond
to
me,
I'm
going
to
be
rude
and
I'm
going
to
be
arrogant
and
I'm
going
to
try
to
be
like
that
person.
That.
B
A
I
think
that's
something
that
we
could
maybe
handle
with
the
Pea
cert,
maybe
because
I
know
people
that
have
abandoned
projects
and
gnome.
Just
because
there's
just
been
too
many
like
I
want
to
say,
like
dumb
people
I
know,
that's
not
the
best
way
to
describe
them,
but
I,
don't
know
what
the
right
word
is
like
privileged
people
or
people.
That
think
that
there
is
a
commitment
that
now
I
must
get
a
response,
and
you
didn't
respond
to
me
in
48
hours,
you're,
a
bad
person
and
it's
like
well.
B
We
absolutely
can
help
try
to
correct
some
of
that
perspective
by
encouraging
projects
to
have
like
a
security
policy,
a
security
MD.
That's
like
you
know,
lists
out
what
the
expectations
are
for
bug,
reporting
and
security
work
so
that
we
hopefully
can
deflect
some
of
the
more
aggressive
closed-minded
folks,
I.
A
B
C
A
Even
large
projects
that
feel
like
it's
too
much
of
a
distraction
to
open
themselves
up
to
this,
because
I
know
that's
another
thing:
that
a
lot
of
projects
feel
like
it's
too
big
of
an
issue
or
it's
a
two.
It
can
become
a
distraction
but
yeah,
okay,.
B
It
was
interesting
a
couple
so
first
does
conferences
focused
on
different
areas
and
they
have
a
piece
or
conference
every
year
and
it
was
the
one
right
before
the
world
shut
down,
2019.
and
or
2020
whatever.
B
Whatever
the
year,
yeah
March,
March,
2020
and
Microsoft
actually
did
a
pretty
extensive
analysis
of
their
reporter
stable,
so
to
speak,
people
who
report
issues
to
them
and
there's
and
they
were
looking
at
ways
to
improve
their
program
for
accessibility,
because
they
they
recognize
that
a
lot
of
people
like
in
the
research
Arena
security
researchers
can
be
on
the
autism
scale,
so
they're
trying
to
find
ways
to
adapt
their
program
to
be
friendlier
towards.
B
You
know
different
perspectives
and
ways
of
reporting,
I,
don't
know
if
that's
public,
but
if
you're,
if
your
company
is
a
first
member
I,
think
that
was
like
recorded.
You
can
get
hold
of
that
presentation.
It
was
really
interesting.
Research,
I.
A
C
B
And
we
probably
again,
we
have
friends
over
there,
so
we
could
ask
the
Mr
msrc
if
they
could
we'd
be
willing
to
potentially
share
that
presentation.
Again.
It
was
a
fascinating
research.
You
know
because
again,
they're
looking
to
try
and
make
to
optimize
and
to
reduce
friction
in
their
reporting
process,
no.
A
I
actually
really
think
in
fact
crow
that
that
could
the
aggregator
idea
or
like
The
Meta
piece
or
if
you
will
I
think,
would
help
bring
open,
ssf
and
also
Linux
Foundation,
make
them
more
involved
with
the
greater
Linux
community
at
large
yeah.
B
Yeah
and
that's
definitely
something
we
talked
about
and
that's
an
option
and
we're
just
going
to
need
to
make
sure
that,
like
when
all
this
is
done,
we've
really
got
to
talk
with
Mike
Dolan
who's,
the
foundation
lawyer,
because
we
want
to
make
sure
that
both
you
know
the
projects
and
the
individuals
and
the
foundation
and
all
the
companies
involved
are
appropriately
protected.
So
you
know
no
one
is
you
know,
kind
of
inversely
put
at
risk
right
or
any
kind
of
liability
right.
C
B
A
B
Be
wrong:
oh
I
can't
believe
Francis
and
I
forgot
that
we
do.
We
definitely
that
we
must
have
kind
of
the
ethics
legal
conversation
and
have
things
very
clearly
documented,
so
that
everybody
understands
kind
of
what
the
expectations
are
all
around.
So
no
one
gets.
C
C
B
A
B
We
just
don't
want
to
lose
anything
like
if
so,
if
there's
an
idea
that
somebody
had
they
wanted
to
put
in
there
don't
make
sure
it
doesn't
get
lost,
it
is
still
tracked
somewhere,
but
it
can
be
a
different
number.
Yes,.
A
To
where,
in.
B
Section
two:
two
Milestone
14
and
15.
B
A
A
But
yes,
but
you
told
me
that
I
could
start
modifying
these
as
well
like
I
can
make
PRS
against
these.
A
B
Will
start
yeah
absolutely
again,
that's
why
I
want
I
need
to
start
casting
that
wide
net
because
it
you
know,
we
I've
been
so
wrapped
up
in
this,
since
you
know,
July
that
we
are
kind
of
blind
to
some
of
the
some
of
the
gaps
potentially
so
I
want
to
start
to
get
some
external
eyes
before
we
have
to
go
up
before
you
know
the
governing
board
and
whatnot.
A
B
I'm
actually
I'm
waiting
for
Brian
bellendorf
he's
the
foundation
managing
director.
I
asked
his
opinion
on
would
does
he
think
the
board
would
like
to
see?
You
know
one
like
a
PDF
one
PDF
or
would
the
way
we
have
it
broken
up
into
three
sections
with?
Is
that
acceptable
to
like
a
GB
member
or
not
so
I'm
waiting
on
feedback
there?
So
we
might
not
have
to
but
I
definitely
need
to
go
through
and
make
sure
it
flows
and
makes
sense.
A
B
Yeah
yeah,
but
I'll
probably
actually
print
it
out,
because
I
do
a
better
job
with
redlining
off
physically
and
then
I'll
as
I
find
problems.
I'll
go
back
and
start
filing
PR's.
C
A
Bear
all
right
cool,
so
yeah,
that's
all
I
have
for
that
and
I.
If
you
want,
we
can
go
back
to
mine.
If
anyone
has
any
comments.
I
did
a
draft
PR
of
what
I
had
so
far
moments
ago.
So
you
could
actually
see
it,
but
I
was
planning
on
flushing
this
out
more
and
trying
to
get
this
done.
B
B
A
Bear
I
was
also
gonna,
say:
I
saw
this.
C
A
A
B
A
I
enjoy
being
in
Linux,
I'll,
be
honest,
but
but
yeah.
So
that's
where
I'm
at
and
yeah
I
should
be
done
by
the
end
of
the
day.
I
think.
B
The
only
person
that
is
part
of
group
two
that
isn't
here
is
Art
and
you
know
Vicky
who's
kind
of
dropped
out
for
now.
B
A
Fair
well
I
know
she's
she's
been
providing
feedback,
but
I
know
that.
B
B
Have
any
other
thoughts,
anything
in
section
one
or
two
that
is
confusing,
or
you
think
we
need
to
work
on.
D
Yeah
I
think
I
think
Randall.
This
goes
to
something
that
you
brought
up
at
the
top
of
the
call
around
the
project
maintainers
and
speak
with
them,
as
I
was
going
over.
Some
of
this
work
internally
catching
up
internally
at
my
company,
the
coming
came
up
about
you
know,
talking
to
GitHub
and
yeah
I.
Think
that's
under
M3
right
there
talking
to
all
these
people,
IBM
Red
Hats,
canonical
Gen
2,
but
there's
nothing
in
there
about
GitHub
and
the
reason
that
came
up.
D
Actually,
my
my
manager
brought
it
up
as
a
possibility
because
they
just
introduced
their
privately
identified.
D
D
So
the
Curious
item
that
came
up
the
question
that
came
up
when
I
was
sharing.
The
progress
of
the
project
here
was:
are
we
going
to
be
including
GitHub
folks
or
are
they
intentionally
not
included
here?.
B
D
Welcome
yeah
I
think
as
I
was
speaking
to
it
with
my
managers.
We
were
kind
of
looking
at
what's
going
on
and
where,
where
this
is
evolving
was
my
understanding
was
these
were
listed
because
those
were
areas
or
organizations
where
there
were
connections
had
and
I
do
know
that
there
there
are
one
or
two
in
the
greater
group
that
are
part
of
what
we
have
so
I
figured.
It
might
have
just
been
just
random,
just
throw
something
on
there
and
it'll
grow
as
it
as
it
as
it
grows,
I,
either,
naturally
or
otherwise.
D
B
And
the
group
there
is
well
established
within
the
the
Linux
CBD
community.
You
know
they're
kind
of
equivalent
to
almost
the
distros
list
which
I
don't
GitHub
is
not
part
of,
but
yeah.
They
have
valuable
experience
and
I
don't
mind
like
talking
to
Madison
and
Xavier
and
all
those
folks
they're.
C
D
B
But
if
you
want
to,
we
could
add
them,
and
we
again
the
volume
group
is
when
Wednesday,
I,
think
and
generally
Madison
shows
up
with
how
we
could
ask
her
there,
because
she's
a
little
like
Xavier
helps
run
the
security
Labs
group
within
GitHub
and
Madison
is
more
part
of
like
their
what's.
The
pacered
I
think
essentially.
C
A
I
was
gonna
say
out
for
for
M4
my
ideology,
I,
don't
know
if
this
is
possible.
Crow
but
I
know
you
know
something.
It's.
A
B
Folks,
they're,
mostly
over
in
England,
so
it'd,
be
a
very
early
call.
A
Well,
I
think
it'd
be
good
to
maybe
get
considering
that
they
kind
of
have
like
the
bug
of
the
century
or
had
like
the
the
vulnerability
of
the
century.
I
feel
like
it
would
be
really
interesting
to
get
their
side
of
it
and
what
they
think
like
something
of
a
meta
piece
or
how?
What
would
it
be
useful
to
them
or
would
alleviate?
Would
it
alleviate
any
problems
for
them,
or
how
can
we
alleviate
any
problems
for
them,
because
I'm
sure
that
ending
up
on
the
front
page
of
every
news,
article
site
is
not
useful.
B
Right
yeah,
we
can
talk
to
Mark
Cox.
He
has
a
lot
of
experience
with
open
source
coordination
and
was
internally
involved
in
the
log
for
Jay
and.
C
C
B
B
And
they
actually
just
do
something
which
I
thought
was
interesting.
Openssl
does
pre-disclosures
where
they
said
a
week
from
now
something's
going
to
happen
and
I
thought
that
was
super
useful.
Unfortunately,
Downstream
consumers
didn't
necessarily
but
I
thought
that
was
super
useful
to
get
the
actual
people
that
need
to
do.
The
moving
of
the
bits
on
notice.
B
A
log
for
Shell
level
issue,
you
know,
possibly
you
know
I.
My
job
is
Crisis
Communications.
That's
what
I
do
I
talk
to
the
media
all
the
time,
there's
others
of
us
that
do
this
type
of
stuff.
We
definitely
can
provide
pointers
and
coaching,
but
I
don't
want
to
like
become
the
mouthpiece
for
a
project
when
they
don't.
They
might
not
want
that,
but
it's
definitely
an
option.
We
can,
you
know,
offer
if
they're,
if
they
are
shy
and
don't
want
to
or
want
help
making
a
press
release
well.
B
Yeah
and
it's
hard,
a
a
unscary
press
statement
is,
is
harder
than
you
think
put
together.
Yeah.
B
B
Yeah
again,
that's
something
we
could
help
if
the
the
team,
the
developer,
doesn't
understand
how
to
do
it.
We
definitely
can
you
know,
share,
there's
a
lot
of
good
resources
around
how
to
do
that.
I
helped
write
the
3-1
standard,
so
I,
unfortunately
know
more
about
it
than
I.
Should.
B
We
didn't
talk
about
severity
scoring,
but
that
normally
it's
the
development
team
or
the
well
that
take
a
step
back.
That's
normally
a
point
of
contention
because
the
person
that
should
do
the
scoring
is
the
developer
and
their
security
trusted
advisors
because
they
understand
how
the
software
works
best,
but
the
researcher
also
almost
always
does
their
own,
and
it's
almost
always
yeah.
B
That's
something
we
definitely
you
know.
If
somebody
wanted
us
to
help
out,
we
could
help.
We
could
provide
training
and
resources,
but
normally
that's
something
like
the
developer
or
their
security
liaison
handles,
but
who
knows,
bear
bear
and
there's
other
ways.
There's
like
there's
a
couple
other
scoring
things
that
you
know
maybe
more
appropriate
and
the
the
Boggle
with
the
CVSs
is
everybody
takes
that
score?
Not
everybody.
Downstream
consumers
take
that
score
and
don't
do
any
of
their
own
risk
calculation
on
it.
B
They
just
take
the
because
CVSs
describes
how
the
pro
the
vulnerability
works
right.
It's
not
meant
to
be
a
severity.
It's
not
meant
to
be
an
indication
of
risk,
and
you
know
it's
up
to
that
team,
because
you
know
it's
whoever
implemented
that
software
in
an
Enterprise,
you
know
a
developer
or
security
team.
That's
outside
of
their
org
can't
tell
them
where
their
critical
data
is
what
their
business
risks
are.
What
the
risk
appetite
is
that's
really
up
to
the
the
user
of
the
software
to
determine
kind
of
what
the
risk
is
right.
C
B
Because
you
know
that
it's
a
semi,
it's
mostly
mathematics,
based
and
you
know
it's
if
x,
then
y,
you
know,
plus
a
plus
b,
there's
a
formula
behind
the
score,
and
it's
just
based
off
of
how
the
attack
how
the
exploit
works
is
the
it
triggers
a
number
and
again
that
might
not
a
bank
might
have
compensating
controls
or
made
of
already
disabled
things
so
that
vulnerability
isn't
even
exploitable.
So
again,
so
I
can't
attend
doesn't
really
mean
a
whole
lot
right.
A
A
Yep
yeah,
it's
true
I
will
continue
doing
this
I'll
finish
it
up
and
I
will
I
will
put
my
PRS
ready
to
review
when
it's
ready
to
review
and
yeah
I.
Think
we're
I
think
we're
making
progress
with
this
I'm,
also
making
a
lot
of
progress
on
education,
but
that's
another
call
good
so,
but
yeah
everything
is
that's
what
I
have
so
far.
B
A
C
B
Right
anything
else,
Jennifer
or
Emily.
You
want
to
see
a
dress
today.
B
B
Yeah,
our
art
has
not
had
as
much
time
to
focus
on
this
is
his
job.
He
took
a
new
job
in
his
it.
It's
ramping
up
now.
Finally,
and
so
any
any
help
we
can
give
Art
would
be
appreciated.
C
B
B
If
we
don't
have
the
exact
model
in
stone,
when
we
turn
the
report
in
that's
okay,
but
we
need
to
say
these
are
the
things
we're
going
to
look
at
and
consider
and
we
I
would
suggest.
We
have
some
skeleton
of
a
proposal
proposed
set
of
services.
It
doesn't
need
to
be
everything
and
we
know
we're
going
to
adjust
based
off
of
learnings,
and
you
know
the
whole
section.
One
is
talking
to
a
lot
of
Upstream
folks
we're
going
to
learn
a
lot
there.
B
That
may
want
us
to
adjust,
but
we
should
have
like
three
or
four
things
we
are
going
to
commit
to
the
first
year.
So.
A
B
C
A
But
would
that
be?
Would
that
be
a
fair
way
to
go?
Is
that
more
we're
going
to
be
kind
of
like
this
engagement,
facilitator
or
because
that
would
facilitate
a
lot
of
this?
Because
a
lot
of
this
we
have
well
some
of
it's
the
same.