From YouTube: OpenSSF TAC Meeting (April 6, 2021)
A: Update on the governing board offsites, around figuring out where decisions are made. I could... it looks like Kay is going to give an update on budget planning and funding stuff. So that's great. That's an important one. Kay, will that also include what we're asking of the working groups, if they need funding?
A: I haven't seen that Kay has come through yet. Okay, maybe we'll just make a note then in the agenda. Something came up within the governing board around helping to fund working groups that need, like, immediate funding for cloud compute and things like that. So we should aim to also discuss that, and I'll just make a little note here in the agenda.
B: Okay, yeah. Thank you, Jennifer. Yeah, I know she mentioned yesterday in the GitHub issue that we have, kind of talking about this, about meeting the requirement from the working groups, and so I know I've definitely heard quite a few of them over the past few months. So I think we can have a pretty decent discussion about what people are after.
C: The future meeting agenda items, okay, is this... I have.
B: All right, well, with that, let's see, we're about five minutes in, so let's go ahead and get started. So the first thing on the agenda today is the final working group review for Security Tooling, and Ryan Ware is here to talk about that. So, Ryan, I know you kind of missed the other one, so I'm just going to give you a quick rundown of how we've been doing this. Essentially, give us an overview of the working group. If you want to highlight your README or anything else, you can share your screen.

B: I can stop sharing, and then we're going to have a fairly organic Q&A session about, you know, what you're doing, where you see things going, collaborations with other working groups, sort of things like that. So with that, I'll leave it to you.

D: Sure, let me share my screen.

D: Excellent. So this is the README for the group, and I really just wanted to go through this, because it really highlights all the various things we're trying to do. So one, at the very top, I want to make sure everybody knows that they're welcome to come and join, and we have all of the meeting information down lower in the document.
D: But, you know, the motivation for why we're trying to do this is: not every developer is a security expert. You know, there definitely are developers out there that are security experts, but even seasoned developers and security experts make mistakes in their code, and, you know, we want to make sure that all the developers out there, no matter, you know, what their level of expertise, know what tools they could be using to weed out the various security defects that get into their code.

D: Does that make sense to everybody? Yeah, yep, excellent. And so, go down a little bit more here. You know, our mission is to identify, evaluate, improve and ease deployment of universally accessible, developer-focused tooling to help the open source community secure their code. This space allows members to collaborate together on these goals. That, at a high level, is exactly what we're trying to do.

D: I go further in here to say what some of these words mean to what we're trying to do. So, to identify: there's a huge number of tools out there, I'm sure you all know, and we want to make sure developers know what tools are available out there to them. We also want to evaluate those tools. Some are better than others. We'd like to make sure, you know, people know what tools have what.

D: To meet the needs of what we're trying to do, we definitely want to weed out bad tools for folks. Where possible, we want to improve these tools. There are some tools out there that are almost really, really good, and we want to help figure out how we can improve those tools and work with those communities where needed. We want to develop new tools.

D: You know, where bandwidth and interest are the constraints, but while there are hundreds of security tools out there for developers to use, obviously we do not cover everything, since there are new vulnerabilities that are coming up in code all the time. And then finally, and I think this is the most critical thing that we're trying to do, is we want to make sure it is easy for developers to go and say, "Here, I'm developing this new Python application securely." Does this jibe with everybody's understanding of what this working group should be doing?
E: Yeah, I think that's a good breakdown, explaining out each of those things more specifically.
D: We do have the charter in here. The charter does call out, it's not just the template, we've put in the working group name and filled out the appropriate information in there. We do have our meeting, and the mailing list and a link to our Slack, as well as Google Meet and the OSSF calendar, where we're sharing, making sure people know. Instead of just telling people, "Here, this is when our meeting is," I actually point them at the calendar, so they can actually see it.
F: I did, if I... I don't know if it's a stupid question, sorry, but, like, OWASP has some tools as well, right? So is this kind of an initiative that overlaps that one? I'm just trying to get a better idea.
D: I think what we're trying to do is... OWASP basically has a list of every tool out there that's possible. There's no vetting of any of the tools, and we want to do some of the vetting to make sure people understand: "Okay, you want to use tool A or tool B. You don't want to use tool C."

D: And no diss on what OWASP has done; they've done some great work.
G: Yeah, if you scroll down... Simon's... Simon is asleep.

G: So the DA scanning, is that included? What's up.

G: What about the Security Knowledge Framework tool? Is that included here, or is it somewhere else?
D: Hey, thank you, Grub. And actually, one of the things that I don't have in here, that is part of our vision, is, you know, there's really a feedback loop here, where we have tools we are trying to get into developers' hands and make part of their processes, and those tools can improve the quality of their code. And, you know, we can make sure that when we make recommendations, we want to work with the badging program to figure out, okay, how do we reflect that these folks are actually utilizing these tools and doing the right things, and get the badging program to show some of the relevance of what we're doing with these teams.
D: To be honest, I don't know at this point. I think those discussions happened before I jumped on board.
D: Absolutely, that's a part of, I think, what's critical, what this group needs to do, is we need to be able to show the documentation on here: "Here's how you go do this. You don't need to be an expert; we're the experts. Let's show you how to go do this securely."
A: I have a few questions, so thank you for the great presentation. I've been really excited to learn about what this group is doing, and it seems like you have a really ambitious set of things you're trying to achieve, which is very exciting. In terms of breaking it down, just because I know, you know, time is of the essence for so many people and it's hard to sometimes get people to commit a lot of time to working on these projects: you've spanned a huge range of things here, where you're trying to, perhaps, and correct me if I'm misstating any of this, but, like, you're trying to catalog all the existing tools, maybe benchmark and compare and contrast them, give advice as to using them properly so that people can gain their full benefit, developing new tools, contributing to existing tools.

A: Are there ongoing work efforts around, like, someone asked about the service catalog, but I guess that benchmarking piece, or the developer guides, or any of these meta, like, coordination or orientation across different tool sets, work? Or is it right now only focused on, and not to say that's a bad thing, I'm just curious, only focused on contributing to specific existing tools?
D: So you are right, there is a huge amount of work here. Yeah.
I: You know, I mean, Jennifer hit a nail on the head. I mean, I'm looking at how tool chains are put together, and there's no coordination between lots of disparate tools, since, like, inputs of one don't fit the outputs of another and all those things. So I'd like to, you know, how these... how you chain them together and how they cooperate.
D: Definitely, and, you know, we're trying to do something that's hopefully a little bit short of trying to boil the entire ocean. You know, at the end of the day, so fortunately there's, like was mentioned earlier, OWASP has a list of tools out there. You know, there are certain places where we can go steal a lot of this information from already, and, you know, at the end of the day, we have a huge amount of work that we have to get done.

D: The work that we need to do, I think, is critical to the OSSF charter. At the end of the day, if a developer who is not... doesn't know how to use a tool, or where to go find a tool to go help him develop secure code, then, you know, we, at the beginning of their development process, don't have the right hooks into what they need to do, and we need to fix that. And, you know, we're never going to do this all at once.
A: Yeah, that makes a lot of sense. I'll put a suggestion, an unsolicited suggestion, out there, and if it's not interesting, throw it away. But when I'm looking at something like this, it is, you know, a huge undertaking and it's very admirable, and I love that you're bringing together so many parties to finally talk about these topics. I'm wondering if maybe, like, a preliminary way of capturing, I guess, the ideas that are coming up and the problems might be somewhat analogous to when OpenSSF was launched and Michael Scovetta sent out a paper that was basically, like, threat modeling the open source ecosystem and was painting this broad view for, like, understanding and improving open source security. I wonder if, like, a similar project could be undertaken for tooling. Like, it might make sense to write a white paper amongst the folks in this group around, like, what are the big problems here in tooling.

A: What are we trying to solve? Because there's things around benchmarking that have come up. There's things around developer guides and deployment. There's things around, like, inconsistent input and output to chain tools together, and, like, a million other things that have come up. I'm wondering, like, as a preliminary effort toward doing these bigger projects, even just writing down people's views on this, because it's, I think, it's very powerful, those thoughts as well. I...
A: Yeah, yeah, I think that could be really cool because, like, one thing I'm noticing, and, like, this comes up a lot, I guess, in my life: when you are really interested in really big problems that are almost too massive to know where to start, I find that writing, like, a research plan or road map or a set of research questions can intrinsically be very interesting. So I think, from the perspective of this group, that could be really cool.
A: A second question that I had, if we can scroll up to the vision. So you'd mentioned that there could probably be ways of expanding upon the vision. So you talk about improving the perception of security in open source, which is definitely something that needs to happen, for sure. I'm wondering, on top of that, like, are there visions in terms of outputs, like, things that are realized, either by developers or by projects in general, around what this tooling achieves, or what this tooling group achieves, like, through those tools, I guess?
D: Yeah, I mean, and I think we touch on that elsewhere, but, you know, I do think having that as part of the vision is probably a very good input, because, you know, at the end of the day, one of the things that we want to make sure, when developers integrate these tools into their development processes, is that we want to make sure that it's, you know, almost transparent to them what the tools are doing. And I think documenting that as part of the vision is actually something we should do. You know, at the end of the day, we don't want developers to be fighting tools, having, you know, huge amounts of effort to get these tools in place and used.

D: We want to make sure that they just integrate the tools, and whenever they have a problem, and they make a mistake, you know, they look at the output from what the tools are giving them and say, "Oh crap, yeah, I didn't mean to put that in." And I'm sure as developers we've all had that moment where we're like, "Oh."
E: Had to fill out things like this, where you've got kind of overlapping ideas of "here's an objective, here's a scope, here's a vision." I feel like I'm being forced to restate things. I looked at the README template that we have for OpenSSF-wide, and you aren't actually obligated to put in a vision if you don't want to, but anything that clarifies what the scope is for people is probably helpful. Sure, I think that's pretty well captured in what you have for motivation and objective.
A: Yeah, that all sounds really good. I think it would be cool to see a bit of a near-term and longer-term timeline as well, like, thinking about within the next couple of quarters or next year, whatever, what would be the target states that you'd like to achieve compared to the longer term, mostly because of the whole boiling-the-ocean thing. But I really appreciate what you said in particular around making these things well integrated and transparent to the developers, and all of that. I'm really excited and really agree with that vision.
D: Yeah, I mean, at the end of the day, you know, my career has been as a developer, and I understand what developers want, at least for the most part. And, you know, being able to go focus on the things I'm trying to create as a developer is really what I want to be doing, and I want to be focused on security, although I am focused on security, but, and, you know, we want to figure out how to enable them to go do that.
G: You know, projects and things like this, or that's going to work with other working groups separately. Is there any plans to, you know, use this working group as a primary group for all the tools used inside OpenSSF itself?
D: So there is not any plan on doing that, as far as I know. I'm open to a discussion around that if we think it's needed, but I think the working groups themselves best understand the tools that they need to help them accomplish their goals, and, you know, I don't even know all the tools that the various working groups may be working on. That said, again, I'm open to discussion around that.
F: I wanted to ask, like, I know, like, this is still a work in progress, right, but if somebody, like, had a suggestion, or, you know, like, some tool we could add to the list that could be beneficial, because I've been, like, researching some open source security tools myself, the way to do that: to IM you, Ryan, or, like, submit a GitHub request? What's the best way?
D: I would submit a GitHub request, but, you know, I will take suggestions in absolutely and utterly any form that they can come in. So I would recommend just creating a GitHub issue, because that's the easiest way for it to be tracked and make sure that it gets dispositioned, but yeah, definitely, you know, I will take things in any way.

D: Because the last thing I would say is, you know, I don't know all of the tools out there. My wife regularly reminds me I'm not omnipotent, so please share and help as much as possible.
B: Well, thank you, Ryan. That was definitely very helpful. There's some quick sort of housekeeping things, questions we have to ask. So, you guys, I know the answers to these things, but just to make it official.

B: You guys do meet regularly, correct? Yes, every other week, yes. And then, and you guys have a working group that is of more than, say, four people?
D: Yes, we regularly have, like, ten to two dozen.
B: Awesome, yeah. So, going forward, you know, we hope to have more regular updates from working groups going on within the TAC, to keep everybody in sync. So thank you so much for coming and giving us this presentation, definitely informative, and it definitely sounds like there's a lot of interest and some potential for collaboration with other working groups, which is the whole point of, you know, getting everybody together here. So.
D: Suggestions or comments, please don't hesitate, because we have a lot to do, and I'm happy to help or get help on how we get to where we're trying to go.
B: Awesome, thank you so much. Excuse me. So the next thing on our agenda today was, I believe, to be... oh, no, okay, so the next one we have is a proposal from the OSTIF folks. So we have Derek here to present this. Actually, this came up in another working group, so some of you may already be aware of this, but they've been doing some work, and this has some potential sensitivity. So I will let him explain and describe the proposal and how we can move forward after that.

B: So, Derek, you want to take it away? Do you have a presentation to share, or...
B: Unfortunately, the mail that you sent me went straight to my junk folder, which seems to be a common problem for OpenSSF mail that I get. I don't know if other people have this problem as well, but am I...
H: Okay, so what we are proposing? Actually, I should just start with the organization, because I'm not sure that everybody here knows exactly what we do. We are a non-profit organization that's been operating for about five and a half years now, with the pilot program to improve open source security. That's the general mission.

H: The way that has manifested over time is mostly through security auditing. We focus specifically on closing classes of bugs, rather than just doing a security audit saying, "Here's a list of problems, go fix them," and I think that is the key distinction for open source. Is that actually this?
H: The Tooling working group is a wonderful example of how we operate. I'm actually really interested in the work that you guys are doing over there, and I'm probably going to join those discussions myself.
H: We find some immediate areas that they could potentially improve, and then we look at when they're doing their next major release for their software, and we perform a security audit of that release. This is because a lot of features get deprecated or replaced with something else, or new features get implemented. You have a lot of green code, so that is the best time to perform an audit of a project, because you're not wasting resources auditing things that are going to be deprecated, or, you know.
H: We pull our information from as many sources as possible, and then we go to our advisory council, which is made up of security experts, to further whittle down our targeting, the goal being that we are proposing the most critical projects that we can back with data and say, "These are what we need to be working on." I can share a few of those today.
H: Over time we have built a network of 12 security firms and 25 audit teams, and we use an RFP system for each of these projects that we've already completed. So we will put out an RFP. We will say we want this particular project to be audited. We take proposals. We don't only look at cost; we actually look at the full proposal and who is doing the work, and whether they're qualified to be working on this particular project, if they have any published work in this area, so on and so forth.
H: And also importantly, all of our work is done in public, which means our research is published on our website. You can go to ostif.org and look at every project that we've completed. They are all on there. We publish the full research paper as well as a 10-minute-read synopsis, which just covers, you know, what we did, there were this many problems, they're all fixed now. You know, if there's any potential conflicts where a developer didn't want to fix something because they didn't feel it was a bug, that's disclosed there.
H: Again, for the project selection process, the Securing Critical Projects group has been fantastic for our targeting. The project that the Linux Foundation has conducted with LISH over at Harvard has given us a lot of good data on what companies are actually using. Google and OpenSSF have the Criticality Score project; we draw data from that.
H: ...council made up of experts. Those experts tell us whether, yeah, a particular project that we're looking at is important or not, based on, you know, the type of exposure, you know, the attack surface of that particular application.
H: So we have a link to the project list here. I can share it with everyone in the TAC; we're just not sharing it publicly. I don't want to, you know, put it on YouTube forever, and because this is recorded, I'm not going to shout it, but everyone in the TAC can see what our project list is and our reasoning for why things were selected or excluded.
H: We actually included all of the projects that we considered but took out for some reason, and why. The critical advantages that we have as an organization are that we are very well equipped to deal with open source specific problems.
H: So if you have a decentralized project that has no leadership, no corporate entity, no bank account, they can't handle money without causing problems, et cetera. We can handle all of those issues and do all of the security consulting work without making them take a bunch of extra steps in order to make this happen. So we've solved the major issue of how do you direct money to get security results? We've tried to get across that bridge, essentially. And then, what to expect from this project?
H: Obviously, security fixes are going to come. Every time we do an audit there's a few or a lot, depending on the project, but our focus is not just on finding bugs. It is longevity. So if we find bugs, our audit teams are tasked with explaining to the developer how those bugs were found, what mistake was made, how you can improve your tooling to prevent this from reoccurring in the future as your project matures. So.
H: It also gives an opportunity for our backers to get credit for supporting us, because we make sure that companies that back us get credit for the research that's being done. We put their logos on the front page of the research, I think everybody in every single blog post that we do, so on and so forth.
H: The PR and media plan is a work in progress. Google has specifically asked us to add this, because Google is on board for this project. Unfortunately, Kim's on vacation, so we can't talk too much about that right now, but she'll be back.
H: And then we can talk about the key benefits. We are an IRS 501(c)(3), so if you donate to us, it is tax deductible.
H: We give comprehensive assistance. This means that we are solving edge case problems, like I discussed earlier, you know, financial issues because they don't have a bank account, or if the project has one developer that doesn't understand how to apply security fixes. We can assist them directly with that by contracting someone to write security fixes for that project, and then obviously make a public statement saying, you know, maybe this project needs help from the community.
H: We've completed 16 projects with $780,000 in funding. Spread that out over five and a half years, and you can see how much money we've been working with during this time. We've learned a lot of lessons: we've built a large network of cyber security firms to do audit work, and we have also built a very large advisory council, which has helped us tremendously with policies and procedures and getting effective work done, and they're a fantastic resource for us.
H: So, as I mentioned before, we try to time our audits to the most effective window, for, you know, not reviewing deprecated features and making sure we get that green code that's going to be there for a while. So we specifically went and audited version 1.1.1, which was the version that implemented TLS 1.3, which is a new cryptography standard, and they had also completely rewritten the pseudo-random number generator.
H: We worked together to secure the funding. It took us about six months, but we found it. We conducted audits of the TLS 1.3 code, and we had JP Aumasson review the pseudo-random number generator. Because of this effort, 15 potential security problems were fixed. Now, this was alpha software, so we can't call them CVEs or anything like that, but these problems were corrected as a result. I see Dan has his hand raised.
E: Yeah, hey, I was just curious. OpenSSL is kind of like the poster child for most things that we do. Usually when I hear somebody explain why OpenSSF exists, it kind of goes back to that Heartbleed history.

H: Absolutely.

E: That's easier with this particular situation that you were just talking about. It sounds like that was happening without support of OpenSSF, but also, maybe going forward, what is in conjunction between the two organizations?
H: Sure. What I would ideally like to do, if we were fully backed, would be to circle back and do a security audit of critical libraries like OpenSSL every time they do a major release that implements a lot of new features or makes sweeping changes to their code.

H: So I think that will give us the surety that we would want from projects that are at that level, where they are just so widely deployed that we need to be looking at them all the time. That can get expensive.
E: So the CII stuff, I guess, you know, you'd sort of done a callback there to when the CII initiative had funded stuff, and I wasn't...

L: A huge number of really important improvements were made that I think most observers would say were long overdue, like 10-plus years overdue, but, yes, be that as it may, the CII did fund OpenSSL. A lot of really important improvements were made, and of course, once those improvements were made, they have continued within the mass reformat, the mass restructuring, to eliminate a lot of systemic problems.
E: I did it... I'll save that for Halloween, when I want a ghost story. Oh, touché. So then, not to belabor this, but just across our different working groups, is there anything that's active with OpenSSL?
E: Okay, great, thanks for allowing the digression there, Derek.
H: Tangent: we were actually talking to Josh over at Let's Encrypt about their security. We were just having a conversation, and he said that there was a dependency that he was concerned with, and that was Unbound DNS.
H: We did an audit of Unbound. There were 48 changes made, including a critical RCE, as a result of our work.
H: Can I zoom more quickly through this? Yes, okay. OSTIF is trying to raise $2.3 million to operate for an entire fiscal year. That is to complete what we estimate to be 25 projects, and that is the projects that appear on this list. So I'm hoping this is going to... let me change tabs. Let's see, if it freaks out, I'm gonna have to stop sharing and reshare. One moment.
B: So I think this is definitely great. I think the big question that I have is, what would you like from the TAC? What's next steps? What would you like to have from...
H: So if this is, you know, an idea that you guys support, I would love for things to just be kicked upstairs, so that we can have the appropriate conversations with trying to get this funded and getting the work started. We are ready to deploy immediately. So, I mean, we have 25-ish security teams at our disposal.

H: We can get a lot of work done in parallel very quickly. It's literally a matter of funding. If we get funded, work begins tomorrow.
A: On the funding piece, I see Kay isn't here, so I'll give, like, an unofficial update, but I defer to Kay if she corrects anything that I have, because I didn't prepare it, but...
A: We still have, I think, one more iteration to get through to figure out how all that workflow is going to look. But ultimately, we've been talking within the governing board around short-term funding, internal working groups, and medium term, like, within the next couple of quarters, launching a program for external applications where we can route funding through that mechanism.

A: So I would anticipate, like, nothing is set in stone currently, but I imagine it will be pretty soon, but I would anticipate that sometime in the summer we would be able to open up to funding external projects, and we'll create some kind of proposal mechanism for that. So, just to kind of have that on your horizon, it's probably within the next, like, handful of months, and that will become, like, a publicly open, I'm imagining it's an RFP process, and we could probably work with you guys in that regard as well.
M: If I could also bring up a point as well, one quick thing I just wanted to mention too about our research teams and kind of how we work in general is we're very much an international organization as well.

M: A lot of our teams are not based in the U.S. and are either based in Europe or in Asia Pacific, and because of that, I feel like we get a very diverse pool of talent that we're working with, and because of that, we kind of have that cross-border trust and rapport set up with these organizations. And then, regarding the funding piece, yeah, absolutely, it is going to take a good amount of funding to get this going, but I'm really excited that...

M: Given that, you know, OpenSSF is the organization that is showing or demonstrating that kind of cross-industry collaboration and really getting things done for the good of everybody involved, and we're offering a solution, I think that would very much accomplish that. And, you know, figuring out how to get it funded is, I would say, a top priority, and again, I definitely understand that there needs to be a very formal and, you know, fact-based process for doing this.

M: But at the same time, I just want to bring up the point that time is of the essence as well, and, you know, we very much... we have the boots on the ground, so to speak, on the front lines, ready to do this work, and it's just a question of getting the resources in place.
H: Yeah, that's pretty much where we're at. We're not chasing glory or notoriety here, so anybody who backs us is going to get credit for it. You know, we're participating in the OpenSSF because this helps us perform our function, which is making things better. So giving the OpenSSF credit and giving all of our backers credit is a large priority for us, because that facilitates us doing more work.
H: The $2.3 million is for us to run full tilt, maximum capacity. I'm probably working overtime in that proposal, so we can work with a smaller amount. We would have to shorten the list and prioritize things, but yeah, we could work with a smaller amount.
M: That's not an issue, yeah, and we can very much make it incremental as well. So if we get enough funding to start and start showing results, it's certainly not, like, a Kickstarter all-or-nothing kind of a thing, where we can certainly get started with what resources can be provided and then iterate from there, build from there.
H: Yeah, exactly. We have a track record now with the projects that we've completed, but if companies are more comfortable contributing to us on a regular basis, you know, for ongoing support, that would work. We're open to anything, but yeah, I feel like even with just Google's support, we'll be able to get started at least and show, you know, some...
H: Yeah, I should also mention that we tend to work very quickly. So, I mean, if we do 25 projects at once, it's probably going to slow down a bit, but our turnaround from getting funded to having a final report is approximately six weeks. So we can work very, very quickly once we have backing.
B: Cool, so it sounds like there's definitely interest here. You know, in the other meeting I heard a lot of interest for this, and in this meeting as well. It sounds like kind of our next steps here are to try to prioritize and figure out our budgeting requirements, hopefully sooner rather than later. I know this is not the only one that is asking for funds. You know, there's other working groups that can have some immediate need as well. So we definitely need to prioritize that, so I'll bring it up with Kay.
B: We do have a planning meeting every Monday, typically, when we talk about some things like this. Hopefully we can start accelerating that, and then, since we ran out of time today, some of these discussions, and Kay wasn't here, we'll put back on the TAC meeting for next time as well. So we'll work to try to get this accelerated a little bit, maybe get some answers, but thank you so much for taking the time to present today on another short notice, and...
B: Thank you so much, and apologies for not getting into everything on the agenda item today. Folks, we'll move those to the next meeting and we'll continue on. So, hope everyone has a great week and we'll see you guys later. Yeah, thank you, everybody. Thank you so much.