►
From YouTube: OpenSSF TAC (April 18, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
E
B
C
G
G
The
governing
board
is
currently
in
process
with
finalizing
their
votes
for
the
appointed
seats,
and
so
that
process
will
run
through
the
end
of
this
week,
and
so
at
the
beginning
of
next
week
we
should
have
the
results
to
share,
and
so
I
take
back
what
I
said
last
time
and
the
the
next
tech
meeting
coming
up
on
May
the
second.
If
my
math
serves
me
right,
yeah
May,
2nd,
we'll
have
the
fulltack
the
new
tax
seated.
G
G
H
No
worries:
hey
folks,
a
quick
update
from
securing
software
Reaper's
work
group
a
reminder
that
our
our
mission
is
to
bring
together
all
the
maintainers
of
some
repositories
Registries
and
discuss
our
our
various
shared
problems.
I
chair
this
group
with
support
significant
support
from
Jacques
Chester.
H
Newman
we
meet
every
two
weeks
in
alternating
time
zones
to
maximize
coverage
across
the
time
zones.
We
usually
have
about
10
to
20
attendees.
Depending
on
our
agenda.
We
last
updated
the
attack
in
December
2022,
so
I
wanted
to
provide
a
couple
highlights
since
then.
So
one
is
around
salsa
we've
had
a
lot
of
discussion
and
collaboration
around
some
aspects
of
the
upcoming
salsa
1.0
specifications,
specifically
around
distribution
and
discovery
of
salsa
provenance.
H
We
work
together
to
publish
a
guide
to
Distributing
provenance
for
the
salsa
1.9
spec
and
that'll,
be
in
the
it's
in
the
release.
Candidate
now
we'll
be
in
the
final
version,
and
we
had
significant
input
from
many
folks
in
the
working
group
on
that
recommendation.
So
that
was
a
really
great
collaboration
and
we've
also
been
providing
some
light
support
for
npm
as
they
ship
build
provenance
and
beta,
and
you
know
determine
their
attestation
format
for
salsa.
H
We
also
in
the
last
couple
of
months
have
sort
of
finalized
our
survey
that
we
performed
of
Open
Source
software
repositories,
sort
of
aggregate.
All
the
data
kind
of
two
takeaways
from
that
one
is
that
we
published
a
blog
post
about
this
on
open,
ssf
blog.
We
also
sort
of
summarize
our
key
takeaways
and
recommendations.
So
all
the
things
in
those
takeaways
are
considered
actionable
things
that
we
could.
H
Ipi
support
is
currently
in
beta
I
think
this
would
be
the
first
software
repository
to
support
it
and
we'll
be
launching
this
week,
and
we've
had
a
lot
of
discussion
about
that
feature,
as
well,
specifically
between
the
pipi
and
the
npm
ecosystem,
which
is
kind
of
support
this
soon,
as
well.
I
think
some
upcoming
things
so
there's
been
a
lot
of
discussion
around
a
shared
data,
setup
malware,
probably
wanting
to
hone
this
in
the
open
ssf
in
some
way.
H
I
I
Okay?
Yes,
the
version
we
won
for
the
security
policy
in
for
open
ssf
project
and
content
and
resource
and
infrastructure.
We
have
a
shared
document.
The
link
is
in
the
meeting
notes
and
we
are
also
an
issue
open
in
the
working
group
of
vulnerability
disclosure
because
I
well
weeks
ago,
we
agreed
that
it
was
the
probably
the
best
group
that
we
have
to
discuss
this
new
policy.
I
It's
important
to
consider
that
open
ssf
is
part
of
Linux
Foundation
or
is
strictly
related
to
Linux
foundation.
So
the
idea
is
to
not
have
document
that
are
in
Conflict
both
internally
for
open
ssf,
for
example
the
inbound
and
the
outbound
security
policy,
but
also
with
the
Linux
Foundation.
There
is
a
David
that
is
following
this:
well,
the
discussion
with
the
Linux
Foundation,
Council
and
yeah
I
think
it's
ready.
I
The
working
group
will
not
be
the
disclosure
as
being
keep
posted
by
me
in
the
channel
and
in
the
Ripple,
and
the
idea
is
to
have
a
sort
of
approval
or
first
approval
or
and
feedback
by
the
TAC
group
to
be
sure
that
we
are.
We
are
aligned,
especially
from
all
the
sentences
and
the
I
mean
idea
concept
and
everything
that
can
be
really
bought
to
legal
and
not
just
to
the
security
or
the
procedure.
Here
is
the
issue.
I
C
To
put
things
in
context
as
part
of
our
guidance,
we
recommend
that
all
open
source
projects
have
a
security
policy
documented
that
describes
how
they
handle
defects
and
reports.
It's
important
for
us
to
kind
of
drink,
our
own
champagne,
so
to
speak.
So
I
I
strongly
agree
with
Luigi's
proposal.
We
still
probably
need
to
over
the
words
for
like
eight
months,
but
the
I
joke,
I
I
think
it's
actually
pretty
in
a
pretty
good
State,
but
we
we
should
talk
about
it.
I
Yeah,
in
addition,
it
is
also
it's
part
of
the
score
card.
I
mean
the
scorecard
check
if
we
have
a
security,
dot,
MD
and
I
think
it's
a
good
idea
if
we
show
that
it's
possible
to
have
a
security.md
or
a
security
process
as
a
foundation.
In
addition,
GitHub
now
have
a
very
good
way
to
report
to
handle
cve
and
in
general
security
issue,
because
every
repo
can
collect
their
own
security,
rep
wrapper
by
researcher
and
handled
by
the
maintainer.
I
So
we
don't
need
to
have
a
sort
of
a
unique
point
in
contact
or
multiple
email,
because
we
can
have
just
an
email
if
someone
want
to
contact
us
via
email
for
a
lot
of
reason.
But
if
the
pro,
if
the
vulnerability
or
the
security
issue
is
in
a
project
that
we
posted
in
GitHub,
the
reception
can
just
just
open
a
vulnerability
report
in
the
in
the
repo.
This
help
has
to
keep
my
order
and
everything.
I
guess.
C
I
I
Yeah
and
yeah
I?
Think
it's
important.
It's
the
first
version.
It
can
be
improved.
There
is
no
pgp
key,
for
example,
at
the
moment,
because
we
need
to
understand
how
we
want
to
share
secret
in
the
foundation.
That's
not
easy
and
other
thing,
and
there
is
also
the
save
Fable
that
is
temporary
removed
because
the
Linux
Foundation
Council
suggests
for
now
to
not
publish
that
kind
of
save
fiber
and
but
yeah.
I
J
K
No
worries
thanks
David,
just
echoing
Michael's
comments
from
the
written
chat
and
my
own
feedback.
This
is
fantastic
I
agree.
I
would
suggest
looking
at
how
something
like
spdx
short
codes
work
such
that
there
would
be
a
machine
readable
in
addition
to
the
human
readable
form
in
a
marketing
of
a
good
security.md.
I
I
It
was
that
was
too
complex,
but
maybe
I
have
just
misunderstood.
It
so
definitely
open
to
review
and
change
my
mind
honestly.
It's
very
easy
to
change
my
opinion.
If
you
have
a
good
arguments,
so
no
problem
and
MVP
also
to
happen
issue
in
the
repo,
because
I'm
trying
to
track
in
all
the
job
in
GitHub
for
a
lot
of
reasons,
especially
because
it's
like
we
lose
the
conversation
so
better
if
it
is
public
on
GitHub
and
yeah.
But
thank
you.
J
Yeah,
so
real,
quick
first
as
far
as
you
know,
identifying
who
to
report
to
the
security
insights
spec
is
is
really
what
not
not
spdx,
but
as
far
as
the
Safe
Harbor
goes,
we
got
some
interesting
feedback
regarding
the
safe
harbor.
Don't
want
to
go
into
all
the
details,
but
what
was
the
original
text
was
very
U.S
Centric.
Obviously,
vulnerability
reporting
can
go
around
the
world.
J
A
second
problem
is
that
it
is
an
unfortunate
reality
that
some
security
researchers
go
Rogue,
so
they'll
report
but
they're
going
to
report
and
simultaneously
either
attack
or
help
attackers.
So
saying
we
won't.
You
know,
hey
it's
as
long
as
you
report,
it's
okay,
that
you
simultaneously
attack.
People
is
not
really
what
we're
going
for.
E
J
E
K
It's
it's
cmaa,
yep
I'm,
a
strongly
agreeing
with
Jonathan
here.
This
is
well
understood
in
all
the
hacker
communities
that
I
know.
Okay,
that
that
is
the
policy
and
I
can
certainly
offline
cite
plenty
of
Precedence.
Where
hackers
have
reports,
sorry,
where
researchers
have
reported
vulnerabilities
in
production
systems
and
then
been
sued
for
having
done
so.
E
There's
an
entire
document,
that's
held
by
disclosed
IO
that
has
a
long
long,
history
of
all,
of
the
different
cases
where
security
researchers
have
been
legally
prosecuted
by
organizations
for
engaging
in
in
ethical
research.
So
this
is
something
that
we
need
to
carve
out
in
this
policy
that
this
is
allowed
in
behavior
and
that
we
will
not
be
chasing
them
legally
and
that
they
are.
This
is
allowed
like
this
is
allowed
and
we
waive
cfaa.
E
J
I
I
I,
obviously
I'm
I'm,
absolutely
in
favor
of
making
sure
that
they
are
legally
safe.
The
feedback
I'm
getting
from
legal
counsel,
though,
is
that
the
original
text
that
was
proposed
basically
says
in
many
ways:
it's
open
season
on
our
systems
and
feel
free
to
take
everything
and
take
them
down,
and
that's
not
the
goal
either.
J
K
E
K
Check
on
that
is
within
the
open,
ssf
no
I'd
want
to
have
the
TAC
chat
with
all
of
the
maintainers
before
committing
them
to
that,
but
I
would
suspect.
The
answer
here
is
no
I
know
a
lot
of
other
open
source
projects.
Do
that
and
support
that
I.
Think
the
the
challenging
question
for
a
safe
harbor
is
stepping
outside
of
Open
Source
projects
and
into
commercial
spaces.
That's
where
it's
trickier.
Yes,.
E
G
G
A
Sorry,
I
I
think
we
actually
did
enable
GitHub
private
reporting
on
every
project
under
ossf
and
look
I'm
trying
to
find
a
repo
that
it
is
not
enabled
on
which
tells
me
that
it's
enabled
on
everyone.
Okay,
I
I,
haven't
found
one
yet
so
this
may
be
moved.
We
could
obviously
revisit
it
and
turn
it
off,
because
I
think
it
was
done
at
the
org
level.
G
I
C
E
E
We
need
to
cat
meow.
We
need
to
go
through
this
document
with
the
working
group
and
and
review
the
legal
wording
changes,
but
I
did
want
to
remind
the
TAC
that
if
you
would
like
to
review
this
document
before
voting,
I'm
hoping
that
we
can
do
a
vote
next
attack
meeting
on
this
document
as
to
whether
or
not
we
should
adopt
it
or
not
or
the
tax
should
adopted
or
not.
E
B
E
No,
this
is
not
this.
This
is
the
vulnerability
disclosure
working
group.
This
is
the
open
source
security,
Foundation
vulnerability,
disclosure
policy.
This
is
our
outgoing
reporting,
mostly
associated
with
how
alpha
omega
will
be
reporting
security,
vulnerabilities,
there's
a
tie-in
which
is
the
link.
There
is
a
link
to
a
proposed
policy,
which
is
the
automated
vulnerability
fix
campaign,
but
that
will
not
be
finished
and
complete
and
going
out
and
shipping
with
this
policy,
it
is
currently
a
raft
that
is
being
bounced
around
that
a
snake
for.
B
B
E
D
C
C
We
also
are
trying
to
solicit
participation
in
a
cvd
guide
for
open
source
consumers,
and
we
have
a
presentation
scheduled
at
openssa,
North
America,
simplifying
vulnerability,
coordinating
vulnerabilities
and
disclosures
at
open
source
projects.
Madison
Oliver
and
I
will
be
doing
that
as
part
of
the
ossna
and
we
are
will
have
a
Blog
coming
out
very
soon
imminently.
That's
actually
on
your
desks
for
comment
getting
to
know
the
open
source,
vulnerability
format.
C
As
a
reminder,
the
vulnerable
disclosures
working
group
has
about
16
active
members
and
15
to
20
kind
of
people
that
float
in
and
out
from
time
to
time,
we
are
focused
on
trying
to
improve
secure
overall
security
of
Open
Source
software,
the
ecosystem
by
helping
mature
and
Advocate
well-managed
vulnerability,
reporting
and
communication
things
like
security
MDS.
This
is
all
of
our
member
projects
and
sigs
and
we'll
talk
briefly
about
each
one.
In
the
coming
slides,
CBD
guides,
we
produce
guidance.
C
We
currently
have
a
document
focused
on
open
source
projects
and
maintainers
on
how
they
can
conduct
themselves
via
widely
accepted
industry,
coordinated
vulnerability,
disclosure
practices.
We
have
a
reverse
of
that
guide,
focused
at
security,
researchers
or
finders,
helping
them
understand
how
best
to
interact
with
open
source
and
how
they
might
find
ways
to
best
collaborate
with
developers.
And
again
we
have
that
CBD
guide
for
consumers
coming
and
ideally,
we
can
find
some
wonderful
developers
someday
that
will
help
us
provide
some
tooling
and
scripts
that
will
automate
some
of
those
practices
to
help
maintainers.
C
The
osv
we've
just
reinvigorated
our
relationship
with
those
folks
live
in
Sydney
Australia.
So
are
not
up
right
now
to
talk
at
the
attack,
so
we
had
to
move
a
meeting
to
accommodate
them,
but
osv
is
a
standard
with
which
producing
and
consuming
vulnerability
information.
The
open
source
way
provides
both
human
and
machine,
readable
data.
C
They
if
you
get
a
security
advisory
from
GitHub.
It's
also
in
the
osv
format.
Fun
fact:
we're
looking
to
engage
with
the
cve
board
to
talk
about
some
challenges
with
the
data
quality
of
some
open
source
projects
there
and
continue
our
partnership
and
collaboration
with
them
as
they
roll
out
their
new
Json
format.
C
The
open
source
security
incident
Response
Team
Sig.
This
is
a
spin-off
of
the
mobilization
plan,
and
this
is
the
tldr
on
this
is
to
proposals
to
create
a
team
of
Upstream,
open
source
security
incident
handlers
and
to
work
with
maintainers
and
researchers
and
consumers
of
Open
Source
to
help
get
things
fixed
more
quickly.
We
currently
have
a
funding
proposal
that
is
under
review
by
the
governance
committee.
The
plan
is
always
open
for
comment
and
feedback.
We
would
love
to
hear
additional
thoughts
on
how
this
idea
could
be
implemented.
So
patch
is
welcome.
C
Take
a
look
at
the
issue
and
provide
us
any
feedback.
You
have
and
again
we're
looking
specifically
for
feedback
from
the
governing
board
on.
If
this
is
something
that's
viable,
that
they're
interested
in
funding
and
supporting
or
not
and
there's
a
couple
if
the
plan
is
approved,
we
have
two
software
projects
in
there.
C
One
is
the
siren
service,
which
is
a
vulnerability
communication,
advertising
service
being
able
to
try
to
find
ways
to
get
all
of
the
different
methods
of
advertising,
fixes
more
penetrated
throughout
the
industry
and
then
there's
a
tool
that
cert
CC
created,
called
Vince
and
unfortunately,
its
current
implementation
is
not
super
open
source
friendly.
The
code
is
open
sourced,
but
the
implementation
is
super
tied
to
AWS.
So
we're
looking
at
potentially
trying
to
find
ways
to
make
that
more
portable
being
able
to
anyone
could
use
that
software
in
any
environment
they
wanted.
C
So
we're
looking
to
retool
some
of
that
and
provide
that
back
Upstream
to
the
Vince
crew
I
mentioned
openvex
openvex
is
a
simple
implementation
of
the
Vex
vulnerability
exploitability
exchange
standard.
This
is
a
project
that
is
donated
and
I'm
waiting
on
my
dear
friend
Dan
Lawrence.
To
give
me
an
update
from
legal
on
how
that
IP,
review
and
transfer
is
coming,
but
this
sig
is
focused
on
supporting
the
openvex
spec.
There
is
some
tooling
associated
with
it,
and
then
one
of
our
biggest
goals
is
to
further
the
industry
collaboration.
C
There
are
many
members
that
participate
with
sisa's,
s-bomb
and
Vex
efforts,
we're
looking
to
expand
that
potentially
working
with
Oasis
with
the
csaf
standard
working
on
security,
working
with
security
scanners,
things
like
spdx
and
Cyclone
DX,
and
anyone
that's
interested
in
sharing
information
about
Vex,
which
is
just
a
way
to
State
your
Effectiveness
to
a
vulnerability.
We
think
there's
a
lot
of
value
in
that
and
right
now,
we're
not
looking
for
any
feedback
from
the
tech,
but
patches
and
comments
are
always
welcome.
C
You're
welcome
we
missed
you.
Yesterday
we
had
a
great
call.
Everyone
should
check
out
the
video
autofix
Sig,
which
is
heading
up
headed
up
by
Jonathan,
is
a
way
for
security.
Researchers
to
more
quickly
share
vulnerability
reports
at
scale,
and
the
goal
is
not
to
honk
off
all
the
open
source,
maintainers
we're
trying
to
find
best
ways
and
tools
and
methods
that
they
can.
C
Leverage
he's
currently
got
his
specification
for
the
vulnerability,
Fix
Auto
fix
campaigns,
and
also
that
disclosure
vulnerability
disclosure
policy
which
isn't
directly
related,
it's
related,
but
it's
not
directly
for
the
autofix.
So
again,
as
Jonathan
mentioned
and
Luigi
mentioned,
please
review
both
Luigi's
policy
and
also
Jonathan's
Auto
fix
proposal.
That
would
be
super
groovy.
C
D
C
C
I
heard
you
mentioned
discussing
OSB
with
the
cve
board.
I
briefly
got
disconnected
what
outcome
I'm,
not
looking
for
the
TAC
to
do
anything.
I
know:
half
of
the
cve
board
members,
so
I'm
just
waiting
to
try
to
find
a
love
connection
between
Sydney
and
Washington
DC
so
that
we
can
talk.
They
have
some
questions
about
data
quality
and
looking
to
find
ways
to
improve
that
interoperability
and
kind
of
ease
the
ability
for
Upstream
maintainers
to
be
able
to
report
vulnerabilities
and
get
the
cve
identifier.
So
right
now,
there's
nothing.
K
G
G
C
G
Add
questions
add
comments
in
there
and
we
will
continue
to
refine
that
once
the
incoming
attack
is
finally
seated
I
think
we
will
have
a
further
discussion
around
how
to
turn
this
document
into
more
of
an
action
plan.
So
I
guess
more
to
come
on
that
front,
but
just
wanted
to
call
everyone's
attention
to
that.