From YouTube: OpenSSF Town Hall Meeting (March 16, 2023)
A: All right, while we're waiting to start, thank you and welcome, everybody, to the OpenSSF Town Hall. We'll get rolling in just a minute here, but while we're waiting for everyone to join, please take a moment to do one or more of the following. Feel free to use the Q&A section here in Zoom to ask questions. We will hold questions until the end.

A: Just so we can get through everybody's presentations quickly enough, we aim to leave 10, hopefully 15, minutes at the end for questions. Please consider following us on Twitter, of course, Mastodon, which is where everyone is moving to, it seems, as well as on LinkedIn at the OpenSSF.

A: We will distribute these slides as well; in fact, they might already be up on the public website, so feel free to pull these down. Follow these links as well as, of course, the main OpenSSF website, and finally, we've got a lot of great training material. So for any of you who are new to either the organization or to our technologies, new to thinking about security and open source software, please take a look at the training courses that we have put up and made available.
A: This meeting is being recorded, and why don't we just jump in. As with every meeting of the Linux Foundation, I just want to make you aware of the antitrust policy notice that we have here. This keeps us all on solid legal ground as we work together and collaborate on building the technologies that everyone depends upon. We also, of course, are guided by the OpenSSF and Linux Foundation codes of conduct.

A: We are dedicated to providing a harassment-free experience here for participants at all of our events, in person or virtual, and we expect everyone to be in accordance with professional standards, so I definitely appreciate all of you learning more about these at the links provided in the deck. As I mentioned, feel free to use the Q&A button to submit questions, and we will answer them as we can, if not in real time then towards the very end. Thank you very much for that. We have a chock-full agenda today.

A: This is our first town hall since August; apologies for being a little bit quiet over the last few months, but I will give, for any of you who are new to the OpenSSF, kind of a quick top-level tour of who we are and what we're working on.
A: What some of the interesting announcements have been since August, but I really want to make sure that we can pass the baton quickly to our other four speakers to go into depth on a number of interesting projects here at the OpenSSF, as well as guidance on how all of you can get involved in one way or another.

A: So let me dive in. This is really just an opening. I myself am your general manager at the OpenSSF. I've been on the project for nearly a year and a half now, and it's been a thrilling experience; it's kind of like a fire hose, there's so much going on across the community every day. It's really just an honor to be able to be here.

A: The OpenSSF's purpose is to enable the open source community to collaborate and drive technical innovations around improving the state of security across open source software and the software supply chain. We are a collection of initiatives organized by working groups, and within those, some of those initiatives are software development projects, but some of them are also other kinds of projects developing other kinds of content, be they specifications, be they educational materials.
A: It's a really thriving, vibrant, very circus-like community at times. At the top level, and this is how we are organized, there is a governing board comprised of our supporting funders, who kind of help make sure that the lights stay on, that the team, myself and the staff that work for me, are delivering and supporting the organization every way possible, and we've got a few committees off to the side. But the real heart of the OpenSSF is the working groups.

A: The projects and the Technical Advisory Council that tie them all together. I'll go into depth on some of those in a bit. I do want to note, of course, that the OpenSSF is supported by a very broad set of both Premier members, these are the organizations that have made the major commitment, both in the form of some cash that will fund our operations as well as full-time engineers working on different projects; we're very grateful to them all and really believe...

A: You know, we've pulled together the core set of organizations that can help push forward better security in open source software. We're also further supported by a very amazing set of General and Associate members. General members are a range of companies, small, medium and large, who also believe in our mission, and Associate members are other non-profits and educational organizations.

A: In fact, the sum total of these organizations recently crossed 100, which is a landmark for any type of organization like ours. It represents a scale across not just the cloud ecosystem and the security ecosystem, but into various sectors like finance and others, and we're really grateful again for all of them to be supporting our work here.
A: In fact, we just recently welcomed a bunch of new members, and I'm really most excited to see the new associate members, the Open Source Business Alliance and the Python Software Foundation, with some really deep engagements in trying to work together to improve the state of security in the Python ecosystem. But thank you to our new general members as well.

A: If your organization believes in what we do and would consider becoming a member, we would love to talk with them. Please reach out by emailing us at membership@openssf.org, and there's lots of ways to get involved with this. This is, in particular, the kind of organizational support that helps us wake up every day thinking about ways to better support the community, and I also want to emphasize that, you know, like any open source project, what really matters are the people who show up to help do the work.

A: We have a tremendous governing board who really help us align what we're doing with their companies' initiatives and with the broader state of the ecosystem out there. They're all major players within their own organizations as individuals, but it's really when they come together on our monthly calls or in supporting the different committees that we do, but also really driving the kind of personnel investment and the adoption of these technologies into their own organizations, where they really shine and help us, and I'm deeply appreciative of each one of them who are participating.
A: The OpenSSF Technical Advisory Council is really the technical community. The technical council is most focused on harmonizing our technical efforts at the OpenSSF, kind of loosely coordinating, loosely overseeing, but really, at the end of the day, helping make sure that everything we do from a technology point of view meets a high bar for quality and professionalism. We are actually about to kick off elections for the next Technical Advisory Council, and so we'll see some changes in this.

A: There is a core OpenSSF staff here that is supporting us, both obviously here worldwide, as well as specifically in the Asia Pacific region, and, you know, we are the air traffic controllers, we're the behind-the-scenes orchestrators; we are not the ones who fly the planes, that's all of you and all of our members, but so much of what makes this project work is due to their help, so I'm very grateful for my staff; they clearly make it fly.

A: So let me cover some of the major announcements that have hit since the last time we met here at a town hall. Back in October, we announced the general availability of Sigstore. Sigstore is, hopefully all of you know, a platform for signing digital artifacts in the software supply chain and verifying those signatures in a way that provides greater integrity to the distribution of software, in a world where we're working together on source code, but so often we're actually distributing and combining binary code.
A: You really want to know that it comes from the source that you think it comes from, and Sigstore is a key part of that, and it's been great to see the adoption of this by the cloud native community and by other open source organizations pushing it forward. We also have published updates to the Concise Guides for Developing More Secure Software and Evaluating Open Source Software.

A: I'd say if you're an open source developer and you want to start with one checklist of both how to evaluate code that you're considering adopting as a dependency, and then what you as an open source developer and your other co-maintainers should do to make your project more secure and make sure people understand that you're taking these extra steps to make them more secure.

A: These two concise guides are perhaps the best place to start, and both of them have links to lots of other details that really flesh things out. But it's a great checklist to get started with if you're developing or consuming open source code.
A: You know, with a little more depth into something specific: the Best Practices Working Group has developed something called the Guide for Coordinated Vulnerability Disclosure, as we found that sometimes bugs get found, security bugs get found and released to the wild in a way that creates a lot of disruption for users of that software and their downstream users, and coordinating a major disclosure is a challenge, and it's not something that they teach at...

A: You know, computer science courses in colleges, or that many of us pick up as we're starting our computer science educational journey. So this is something that we would love to see open source developers, particularly maintainers, particularly leaders in open source organizations, pick up, understand, perhaps even read ahead of time before the next major bug pops up, where, you know, they have to, in a very short amount of time, scramble and figure out the right way to coordinate that process.

A: Likewise, many of you are perhaps familiar with this course that we've developed called Developing Secure Software. We've now been engaging in translation efforts, the first of which is a translation into Japanese, which, just like the English language course, is available for free, as well as certifications around that. So we do see extending this into other major languages, just because, you know, English is not a language we can assume is universal, and I'm really happy to see this happen.
A: Also, since August, one of the major new projects to come into the OpenSSF is something called the Secure Supply Chain Consumption Framework, the S2C2F. It is a framework for organizations that do software development, and when they take a dependency on open source software: how do you manage that dependency? How do you manage updates to it? How do you have, basically, a process for making sure that you are able to fix and close up issues, and for your upstreams and your downstreams, communicate that appropriately?

A: That's what S2C2F is all about, and it nicely complements the SLSA specification, which is very close to a stable release, and we're really excited about that too. So it's a very complementary framework to that, and just like with SLSA, you'll see both specification work and supporting software being built inside of the OpenSSF. Both of these actually are efforts of the Supply Chain Integrity Working Group, which I highly recommend folks follow. We've also started to publish some content on the OpenSSF blog.

A: That's a little more high level, a little more intended to reach a broader audience. We felt, at the anniversary of the Log4Shell event, of its disclosure, that it was worth noting what had happened since then, how the industry had moved on from that.
A: What some of the lessons were, but also some of the changes that we've seen and that we ourselves have been pushing for ever since that event, and so that's a blog post we'd certainly encourage you to go check out and read. We also have started to play quite a role in public policy relating to securing of software. It turns out a whole lot of governments are starting to ask questions about: how are we managing security?

A: How are we trying to sew things up, now that open source software is being depended upon for critical infrastructure? We have an internal committee called the Public Policy Committee that talks about these changes that are happening externally and how we might want to address them publicly, but one of the things we did was put out a public statement about an act that was proposed in the last Congress, called the Securing Open Source Software Act, that has started to incorporate many of these...

A: Both technologies and ideas that we've been talking about, others have been talking about, that could, we believe, lead to more secure software by default. So it's fascinating to see both the executive side and the legislative side in the United States, in Europe, in the Asia Pacific region, in many other places, start to wake up to the roles that they can play in both setting some new standards and demands, but also, hopefully, providing resources for that. So we're really hoping to encourage that.
A: In fact, that was the broader message of another blog post we made on engaging policymakers and the ecosystem on open source software globally. My LinkedIn title says Nerd Diplomat, and I'm...

A: Finding that is starting to be much more relevant even to the public policy side, where simply going out and talking about what we do, what we're doing, the technologies we're building, the processes we're working on specifying, but also the relevancy of that to everybody's interest in seeing more dependable, secure critical infrastructure, just continues to be super important even a year after Log4Shell, even as we go into 2023. Back to the OpenSSF: one of the major new working groups...

A: In fact, the most recent working group that was created, and this is new since August, is the OpenSSF End Users Working Group. This is actually convened by a number of participants at Citigroup, at a number of other financial organizations, and some of the folks who serve that industry, but it's not exclusive to finance by any means.
A: What it's intended to do is to say, from the perspective of people who are not cloud providers, who are not tools makers, but who are consuming this technology and who are having to put it to work in critical infrastructure: what are the technologies we should be building? What are the kinds of dashboards we could or should be building, the kinds of processes we should be promoting, that make them participants in this entire thing?

A: So that's what the End Users Working Group is focused on. They've already been working on some technologies relating to pulling these different pieces together into a unified secure software factory. In fact, a project called FRSCA is underneath that working group, and it's a really exciting way to frame a lot of the work that we're doing. Back to something more nitty-gritty, as many of you are familiar...

A: We have a project called Security Scorecards, which has gone from strength to strength. Based on the success of the API-driven kind of display of the OpenSSF Best Practices badges...
A: We felt it would be useful to also display badges derived from project Scorecard scores, from the million different repositories that we've analyzed, so those Scorecard badges are now able to be shown inside of GitHub and in other relevant places with a pretty easy link. And a lot of the work from the OpenSSF was put together and summarized at the end of last year into the 2022 annual report, and, if there's one thing that you want to read or pass off to your manager or to somebody else to help them understand the breadth of work that we do here at the OpenSSF...

A: The annual report is really a great way to get that all in one place. We've had a number of face-to-face events as well over the last year. OpenSSF Days have been the predominant kind of vehicle for this, and we've done that both here in the United States back in last May, but also, since August, in Japan, in Europe, as well as meetups just earlier this month in Tokyo and in Hong Kong late...
A: Last month, we also had a booth and participated quite a bit as a sponsor at CloudNativeSecurityCon in Seattle a few weeks ago. All of this is about getting out there, pulling together a community, showing our faces to each other, talking about the tech, but also building a sense of codependence in the community, so that we can move forward on some important projects. And in that vein, the one upcoming thing I want to put in front of you is that OpenSSF Day is coming up...

A: May 10th. We still have a CFP open for this for one more day; the deadline is tomorrow to submit a talk for that. We hope, whether you submit a talk or not, all of you consider joining us there. It is happening concurrent to the Open Source Summit North America, which is another great reason to attend, so come for both events, come for one or the other, but it'd be great to see you there in person. And with that, I'd like to pass the baton to Michael Scovetta. Michael.
B: I co-lead the Alpha-Omega project, as well as the Identifying Security Threats Working Group. I've been with the OpenSSF since the inception, and I've been at Microsoft for about 10 years, where I lead an open source security team. Next slide.

B: So Alpha-Omega is a project within the OpenSSF. Our goal, really, the slogan we've been using, is turning money into security, so we are funded with grants from Microsoft, Google and AWS, and we're extremely thankful for that, and we've been able to take that money and put it toward improving the security of the very most critical open source projects and ecosystems, as well as looking for vulnerabilities in a slightly longer tail of critical projects, just not in the top 100.

B: We've also published an annual report at the end of last year. Please go read it. It goes into lots of details about what we do and why we do it. I'm told I have the wrong mic selected. Thank you, I'm not sure, it looks like the right mic. Maybe I'll just move closer to the mic anyway.
B: So, super happy to have Jonathan Leitschuh and Yesenia Yser, who joined the team at the end of 2022 and the beginning of 2023. Also super thankful for my co-lead Bob Callaway from Google and Brian Russell, also from Google, helping move this initiative forward and making great things happen. Next slide. So for Alpha, as I said, we've awarded about two and a half million dollars in grants.

B: We have another million or so earmarked, and these are currently spread out over five organizations: Node, jQuery, Eclipse, Rust and the Python Foundation.

B: We chose these, number one, because these are extremely critical, ubiquitous, structural ecosystems and tools and platforms, and it's really important that these things are safe, because these are things that people build things on top of. The next couple of slides I'm not going to read, but please read them when you look at the slides later or tonight. But what I think impresses me most about how Alpha works...
B: Is, you know, we work very closely with these organizations to come up with a directional strategy on the types of things that we all want to see happen from a security perspective, and then we get out of the way and we let the organizations choose how best to implement and how best to go chase those things. We've been really happy with that. If you go to the next slide, there have been a number of individuals that have been hired into these organizations, a lot of cleanup.

B: Eclipse is doing security audits of Jetty, JKube and Mosquitto; they've hired three people to take on security work within the Eclipse Foundation. Next slide.

B: Rust is doing some excellent work, including hiring a security engineer and a GitHub security scanning partnership, so their registry is a secret scanning integrator. Next slide. And the Python Software Foundation is hiring a Security Developer in Residence as well, so next slide. So the point of all that is that, you know, we've found that, while money doesn't solve all problems, some problems can be solved with appropriate funding, and I...
B: Think the open source ecosystem is one of those that has been for a long time neglected from a serious funding perspective. I'm super thankful and appreciative to everybody involved that we're able to move the needle here. So that's all on the Alpha side. The Omega side, oops, sorry, that one, the Omega side is about tools and automated analysis at scale, scanning.

B: So we've built some tools. All these tools are open sourced and available now, including, you know, tools that orchestrate lots of different static analysis tools; a portal, which is still in development, but a portal for triaging and managing lots and lots of security findings.

B: Assurance assertions, to essentially measure and then apply policy to the security quality of open source, which is different than metadata like "is it maintained" or "does it have publicly known CVEs". Assurance assertions are more like: when we scanned it with a static analysis tool.
B: So coming soon, we are planning to do more Alpha engagements, more tools; we're advancing all of these every day. We have been speaking at conferences; we're going to continue to do that.

B: We have a mentorship program that will be announced pretty soon. We are looking at, or partnering with, some universities on how to, you know, essentially help students build the next generation of security researchers, with a focus on open source security, and an automated vulnerability fix campaign, so that, ideally, with the push of a button we can get fixes out to thousands or tens of thousands of projects for these ubiquitous vulnerabilities that we find. We've also been helping out in the vulnerability management space, helping to advance disclosure policy and process, so that when we find vulnerabilities, how can we report them? Like, we have to write down what we're going to do so that we can repeat it and do it reliably, and how does that work with automated vulnerability reporting? Next slide.

B: Oh, we're also going to have some swag at some point, so stay tuned. If you want to get involved, there's a public meeting on the first Wednesday of every month, so the next one is April 5th. Come help us improve our tools; all of our tools are on GitHub, public. Get involved. Come chat with us on Slack; we're super friendly.
C: All right, awesome. Hello, everyone, my name is Josh Bressers. I'm the vice president of security at a company called Anchore. We are the people behind the Syft and Grype scanners you may have heard of, but I've kind of been around security forever. So, if you want to know more, just search Google or something. So, let's jump right into it.

C: These are the, I guess, works in progress at the moment. Some of this is farther along than others, but obviously, any time you start a group like this there's a certain amount of "Why are you here?", and that always sounds silly every time I start a new group or work with a new group, but it's really important, because you have to define your scope and make sure you're not off in left field doing who knows what.
C: So kind of the things we list here are what we're really trying to focus on. We want to work with projects. It's very easy to "not invent it here" any time you create a new project or a group or anything like that, and there's a lot going on in SBOM. I tell people that every time we have an SBOM Everywhere meeting I learn about some new group or effort or project or something going on in the SBOM world.

C: That I didn't know about. I thought I knew a lot of this stuff, and it is very clear I do not. So the first big focus is that we want to work with groups. We don't want to replace groups; we don't have any intention of doing it ourselves if someone else is working on it. We want to be the connections between two other groups that maybe aren't talking today. And I'm going to skip the next one and go to there.

C: They call it the landscape; just search for it on Google and take a look at it, and it's a really nice way to visualize an enormous number of projects and how they interact in the CNCF universe, and we would like to do something similar with SBOM, and the purpose of that is to help groups and projects and people find one another and understand exactly what's going on, and so we're putting together a proposal for that. Again, this is kind of like, back to Michael's concept of, you know, how can we turn money into security?
C: Well, we want to turn money into SBOMs in this case, so we're looking to get that funded at some point in the near future. I'm going to jump back up; then there's the SPDX Python library. One of the things we did early on was, because Kate Stewart's involved, she said, you know, we have this SPDX Python library. It needs some love and attention.

C: It would be lovely if we could have the OpenSSF fund that, and I'm super proud of this project, because this is an instance where the OpenSSF took some of their funds and they sent them into another project. Like, excuse me, the SPDX work is not happening inside the OpenSSF, so I think this is very forward-thinking, and it really impressed me that the OpenSSF, like, there wasn't even a second thought about it, like, "Yep."

C: This is a project that needs some funding to get some work done; we're absolutely on board with this, which is awesome. And then the last thing on the list is what we're calling connecting resources to open source, and what we mean by this is: it is very common, when you're part of a working group, to have someone show up and say, "I want to help," and then sometimes you have things they can do.
C: But rather, this is an instance where we want to send people in to do the work, because there's no way we can show up to an open source project and say, "Oh hey, you should do SBOMs." They're going to be like, "Oh hey, no, we shouldn't, go away." And so this one we're working on, it's early days, but I'm extremely hopeful, because I think there's a lot of people in SBOM Everywhere that are saying, like, "I have folks who want to help. What can they do?"

C: And we also don't want to just, like, send people out into the world with no direction or purpose, because that isn't going to be good for anybody. And jump to the next one, Brian. And then this is just kind of the group, right? This is where we are. We meet every other Tuesday. 11:05 is not a typo; we start five minutes early and end five minutes early on the hour, because we all have bio breaks and too many meetings as it is. Next meeting March 28th; join us, everyone's welcome.

C: We'd love to talk to you. We've got a great group of people. We've got a bunch of cool ideas. We've been working hard. It's not a lot of hands-on at the moment, but we're definitely doing a lot of planning, so by all means, jump in Slack if you want. So, yeah. Thank you, everyone. If anyone has questions or anything, find me on Slack or ask them here. Thank you.
A: Thank you, Josh, and turning now to Christine and Jay White, who will be leading the conversation on diversity and inclusivity in the OpenSSF.

E: All right, so thanks, Brian. And so, quickly, my name is Christine and I lead the open source program office at F5. I've been sitting in on OpenSSF meetings for a little over a year, primarily in the Best Practices Working Group. Next slide.

F: Hi, I'm Jay. I am a member of the open source strategy and ecosystem team at Microsoft. I co-lead the DEI Education SIG with Christine, I co-lead the Risk Dashboard SIG under the Identifying Security Threats Working Group, I'm coming in as a co-vice chair of the Supply Chain Integrity Working Group, and I co-lead the S2C2F SIG under the Supply Chain Integrity Working Group. Yeah, I have to be.
E: All right, yes, next slide. So just to kind of give you a quick, just like Josh said, the "Why are we here?" That's a good question. And just the history behind this is that one of the Mobilization Plan's streams, stream one, was around security education, and this was then adopted by the Developer Best Practices Working Group, and the goal for this thing, I wanted to adopt...

E: It is because, traditionally, cyber security is not something that, good cyber security hygiene or even just good security practices is not something that has been paid attention to. In addition to that, there is a shortage of cyber security professionals, so we wanted to adopt this stream to basically put that into motion, and so the first part of that is, there were like three streams created out of that to tackle this problem in different areas. One included just curating and seeing what was out there.

E: The second was related to expanding the content, based on the findings from the curation process, and there was a third around how do you reward and incentivize developers who either go through the training, or what kind of certifications should be there, and part of that was also, like, how can you get meaningful employment? So this education plan was put together, refined and reviewed and formalized, and as we were going through that process, we noticed that there were some gaps related to diversity, equity and inclusion.
E: Some parts of the plan needed a little bit more fleshing out. So that's where Jay and I kind of put our hands up and said we would like to form something that would specifically be tackling these, and some of the initial goals that we've thought about are like: how can we look at the education materials and make them more accessible, specifically to underrepresented groups? So, as we're looking at creating the content, or even looking at expanding the training, what do we need to pay attention to?

E: Additionally, we were looking at seeing how we can ensure that the pathways to success are made available to the same underrepresented groups, and what are some of the barriers that seem to be there, whether traditionally in software or even, specifically, in cyber security. And we find that this actually aligns really well with, if you look at the U.S. cybersecurity strategy that was released, I think about a couple of weeks ago, there's a section 4.6 that you can read out here, and it's looking at...

E: We need to take a comprehensive and coordinated approach, and how we want to expand the cyber workforce needs to look at improving diversity and making sure that the educational and training pathways and the path to success are in place, and so that really aligns with why we are doing what we are doing, and there's the small group that's been meeting regularly.
E
The
groups
started
meeting
regularly
December
last
year
and
we've
been
talking
about
like
what
are
the
different
things
that
we
need
to
do,
and
the
folks
from
different
backgrounds
spanning
or
this
educational
folks,
who
are
specifically
looking
at
targeting
some
of
the
communities
that
we
want
to
reach.
So
that's
basically
who
we
are
and
why
we're
doing
this
so
I'll
hand
it
over
to
Jay
next
slide.
F
So, in order to do this effectively, right, we wanted to identify really a few focus areas that we wanted to hone in on, and you'll see those focus areas off to the left-hand part of the slide. We really want to target advocacy and communication as a first one. So what kind of stewards are we going to be in this space?

And how are we going to communicate that out to the community at large? We really want to understand those things. And then research and thought leadership: what's already out there? What are some of the great things that a lot of organizations have already done, and what are a lot of the thoughts out there around DEI, including how to be better allies and respectful of cultures and spaces? Partnership development: who can we partner with? What organizations are doing some of this great work out there that we can lean on? How do we reach up into the LF and reach across to other communities and organizations underneath and see what kind of efforts they have going on, whether or not we can collaborate? And, of course, training and engagement: what kind of training is currently out there, and how can we better orchestrate ourselves to meet some of that demand? And, of course, as we march over into the education element, down into the schools and into the different educational institutions where we have those underrepresented communities, or those underrepresented voices, that we can target and provide those kinds of resources to.

Well, that leads us into the right side, where we talk about some of the things that we've done thus far. So we've aligned ourselves around the groups that we want to target. Now, this is important, and this is important because we didn't just look domestically with this, and I think that's something that's extremely important. We took a global look at this and really challenged ourselves to think dynamically about what true DEI is, including what it means to be allies. As I said before, we wanted to make sure that, being aware, with constructiveness of mind here, we wanted to make sure that we're allies in other places where there might not be as many resources, and what kind of resources can we provide. So we went about this in a way where we said, how can we expand our thoughts, and how can we use this tool that we have to do that?

A large part of that is including, and Mike talked about this earlier, within the Alpha-Omega project, the colleges and universities pilot that is currently being designed: the mentorship opportunities there, interview skills opportunities, the outreach opportunities. You know, looking at whether or not we can get institutions; I believe we want to start with at least one to two institutions to get this off the ground, but really targeting: do we look at, you know, other institutions, and other Latin or predominantly Latin institutions, and other, you know, where do we go and actually partner with organizations to get some of this stuff off the ground? So that stuff is extremely important as well, and what this allowed us to do, when you see that final bullet comment there, we constructed, and I can't wait to show this to any new people who actually join (and we'll talk about how you can join here in the next couple of slides), but we constructed this amazing spreadsheet, probably the first of its kind, when we put together this list, a global list of organizations, partnership opportunities; we even are boiling it down to sponsorship, etc. So that gives you an idea of how we went about our thought process, the things we've done thus far, and on this next slide, let's talk about what we've got coming up next. Christine and I are both collaborating on this one. So next slide, please.

Next, as I said to you before, our four focal points. Those four focal points lend themselves to have a higher calling, so to speak. So one of the things that we have coming up next is perhaps lobbying for a centralized DEI SIG, of which the education SIG falls underneath, and then we can expand that out now to outreach. We can take those other pillars, advocacy, communication; they could be their own individual SIGs. So that gives the OpenSSF as a whole fuel to then reach, to, you know, make the reach a little shorter into the LF, and how we build that bond and how we expand across to the other organizations. So you'll see that there we do have, in the Open Source Summit coming up, Christine and I'll be hitting the stage once again to talk about our DEI efforts. We'll be focusing also on outreach across the different security conferences as well.
E
Yeah, so as we kind of look, as Jay mentioned, go back to the slide: when we're looking at some of the opportunities, we want to actually be on, like, Alpha-Omega as an example. We want to also reach out to the other OpenSSF working groups to see if there are any opportunities to collaborate with them. So that's one of the things that we want to look at, and there are existing Linux Foundation DEI initiatives or programs, such as LFX Mentorship.

Where can we go in and actually partner with them as well? And I started that, the way we began; the subcommittee was under the education SIG, so I want to go back with our learnings and refine that plan so that we can include any of the work we're doing, especially things around partnerships, and as we think about what we want to do in the future.

One of the things is measuring the effectiveness of what we're trying to do in the education and overall. That requires us to actually be very thoughtful about how we are sourcing the statistics, because a large number of folks that we need to reach may not be in places where it's really actually easy to measure some of that work. So when I look at our strategic partnerships, who may already have that information, how can they actually provide ethical and accurate sources? So that's the risk.
F
So you have here where you can come find us, where you can come join, where you can come be a part, see some of the great work that we're doing, and be part of that great work as well. We meet every other Tuesday at 11 a.m. Eastern. Our next meeting is March 28th. You can find us on Slack; that Slack channel right there. Yeah, we've got some big things coming, and thank you guys for listening.
A
Thank you so much, Christine and Jay. This is incredibly important work. The work of the OpenSSF will only be successful if we can really broadly reach everybody involved in the software community and ecosystems, so your work is incredibly important. Thank you so much for this. And to bring us home, I wanted to get David Wheeler on the mic to talk with you all about how to get involved in the OpenSSF, in our various working groups and projects. David, do you want to take it from here?
D
Next. So thanks very much for letting me talk. Next. So we've got a number of different working groups, and I'd like you to very much think about, gee, what could I be involved in? What's interesting? What do you find you could add value in? This shows our various working groups and projects. I'm going to look on real quick; note the real quick: Best Practices, Identification, Awareness, Education, Vulnerability Disclosures: how do we improve vulnerability disclosures? And the End Users working group, the voice of public and private sectors.

We have a top-level project, Sigstore. Identifying Security Threats is all about metrics, reviews. Security Tooling: we want to improve the state of the art of security tools; as mentioned earlier, that absolutely includes SBOMs. Securing Software Repositories. Supply Chain Integrity includes both SLSA and S2C2F. Securing Critical Projects: trying to identify what are critical, how do we analyze them, and some associated projects, including, say, Alpha-Omega. Next.

So this is an attempt to show how our various projects and SIGs work together, and the real point here is there is no one silver bullet. Indeed, our projects span all the way from in developers' heads, through source code management, building, packaging, handling dependencies, all the way out to end users, and so we basically have projects that go throughout all of those processes. Next.

And so really what I want to emphasize in a very, very short time is we really want more participation. You know, if you're not already involved in the OpenSSF, please get involved. There's a lot of ways to get involved; listed a few here. We're going to talk about just a few in the next couple of slides. But my point really is: if you're interested, come and talk, come and find out what's going on, and see if there's, you know, something that speaks to you. Next.

So an obvious one is joining a technical working group. We have online meetings; pretty much all the working groups meet every other week.

You can join them by actually showing up at a meeting, or even just various other mechanisms that we'll talk about in a moment, but that's certainly a way to find out what's going on, see how you can help. Next. Then public meetings, like, say, this one. You know, we'd love to have you here, love to have participation. Next.

We use Slack for our real-time communications. This is not recorded forever, so this is not for, you know, major things that need to be recorded for posterity, but things like, hey, I've got a question: where is this? Where is that? You know, please; we have a way to quickly answer those kinds of questions. Next. You know, following us: following that, we've got a lot of different presences in various kinds of social media. We've got a couple of links right here. Next.

We have a number of mail lists; sign up if you, in particular, though, all the working groups have mail lists. A number of these SIGs and projects have their own. It enables you to communicate and work in an async way. Next. And of course, you know, hey, you can provide feedback on this very meeting right now we're having today; fill in the survey. How are we doing? How can we improve?

Fundamentally, OpenSSF is all about collaboration, and so we really need to have everyone collaborating together to make the world a better place. Next.
A
Okay, thank you, David, and poor David, I told him to make sure that we left time for questions and answers at the end. But I just do want to continue to emphasize how important it is to get involved and what the opportunities are. So I'm gonna stop sharing. I'm gonna ask everybody to turn on their cameras if they can, and hopefully you can; let's see, turn mine on. There we go. And I'd like to go through some of the questions.

I've been asked, but actually I want to start with some that were kind of answered and taken off the Q&A thing, because there was one that seemed to be pretty important, from Tad Taylor.

Are there particular projects or areas that are more in need of volunteer help than others? Now, I feel like every project under OpenSSF could use more. I don't think there's any who are like, whoa, too many volunteers, no more needed. If you ever get a sense that it's maybe hard to figure out where that locus of activity is, definitely tell us, tell me personally, because what we're really trying to be is as transparent about where the community activities are and that kind of thing. We know that sometimes a Zoom-centered culture can make it hard for people to participate.

But we really try to emphasize, you know, getting things done over async tools, that kind of thing. But well, the one I would love to draw some attention to is the Security Scorecard effort. We would love to see more folks participate in that: writing code, helping us move that along. They've got a really ambitious roadmap for this year, and we've got some resources to help do some work on that, but that's a place where some volunteer time would be incredibly high leverage.

I think every one of them can use some help. I think the most important thing is find something that really interests you. Become a user of that code, you know, a consumer of it; get to understand it well, and that'll just naturally happen. You'll find bugs, you'll find things to add. You know, get to know folks. But I really appreciate the broad-based kind of query of where somebody with some time could be able to help us further in the mission, and if you're not quite sure, find a working group that is in a domain you're interested in, because that might be one way of understanding the different things going on under that working group, and then get more specific as you learn more. Does anybody else want to add anything? But thank you. Okay, and I'll make another plug for the DEI effort as well.

That's one that also could use lots of voices, lots of help from people to get involved. There was another question that got answered very quickly; moved on. I want to just bring it up, which is, I feel obligated to mention it this week, which is from Christoph: will AI be used for the industrialization of vulnerability hunting in FOSS? Ask ChatGPT for all, I think it's, SQL injections in projects. Michael Scovetta, I think I'll pass that one to you.

Where do you see ChatGPT potentially making it possible to, you know, find security holes more quickly, and is there a role for that at the OpenSSF?
B
So I think that AI and ML especially are emerging. GPT-3, GPT-4 will make both defenders and attackers better. So if defenders don't get on board and use AI to make better decisions and find better, you know, find things that are cheaper, faster, attackers are going to. So it's inevitable that we're gonna go there.

I don't know if it's just incremental, like we're going to have a decade or two of antivirus cat and mouse. Maybe; we'll see. But we all need to be very cognizant of it. I know that AI is being used in some places to, you know, essentially shake out false positives and do better prioritization, things like that. I think that there's, you know, a thousand times more that we could do with AI. The next couple of years are gonna be interesting.
A
Thanks, Michael. David, do you have a comment on this? What's your thought on this? Yeah.
D
So, you know, defenders need to take advantage of the technologies where it makes sense. We're still trying to figure out, you know, where it makes sense, where it's useful, where it's not. I mean, GPT-4 is just recently coming out, come out officially at least. That said, you know, we are always interested in improvements and so on. The good news is, I think there is room for hope longer term here, and we're still trying to figure out exactly where these technologies come into play.
A
Yeah, and inside the OpenSSF, I think this is the kind of thing that might merit its own working group at some point, or at least a dedicated kind of group to focus on, because I don't know where it would live right now under our current kind of hierarchy. Let's move on. I want to ask one from the current open queue, from Gil Yehuda. Gil says: long ago, the stack was represented by four letters, LAMP. Today, dependency trees are in the thousands.

CVEs are published at an increasing rate, but researchers note that most are not even exploitable. That suggests we're heading towards a scalability failure. What can the OpenSSF do to address the volume of work so we can address security in more efficient ways, such as through bulk categories? I'm not sure what he means by bulk categories, but I'm thinking this might be something that Christine, Jay or Josh might have some insight on. Do one of the three of you want to jump in for this?
A
Yeah, well, I think really that part of answering this question is part of the story of the OpenSSF. You know, I think it's through a combination of tools like SLSA and S2C2F that we get to a sort of process implementation and conformance. It's through Sigstore that we sign artifacts and can systematically check their veracity without having to recompile the world from scratch. It's through things like SBOMs, and increasingly technologies like VEX, that will help us drive automation around handling of those CVEs at scale, to hopefully get to the point where enterprises can have a dashboard each morning that gives them only the things that they have to worry about, and not try to boil the ocean by updating every component every day. That's kind of my take. And Jay, I don't know if you wanted to throw in anything about S2C2F and SLSA; in there is perhaps ways to help address that.
F
So, you know, the beauty of partnership and collaboration. So, you know, bringing in S2C2F and thinking about dependency management. Also, you know, the evolution of SLSA from its inception, its initiation, incubation, into what it has become now, what is actually thought around the build portions and the source portions, and then where all of that can come.

It just creates a situation where we can now think about end-to-end supply chain security, and this is a caveat to what Brian just said: when we consider the tools that are available out there, and the tools that are available in the open out there, and those tools that we can then conceptually think about in their application and implementation into these frameworks and the work efforts, there is no place that we can't go considering how we address supply chain security problems. And we're doing that as a community, which is always amazing to see, amazing to witness.

We've got bumps and bruises, right, as every community does, but, you know, as we march forward hand in hand, the innovation that gets created as a result can only be looked at in awe. So, you know, that's the thing about S2C2F, and also think about that: that's not the finish line. That's still the beginning.
A
Very much so. Okay, I'm trying to look through the other questions here.

And I want to add one from, there's a couple of clarifications just for where folks can go to contribute, where some of the conversations are happening, and again, the list of links that are in this deck will be kind of your guide to where to get started on this. I think this is actually, since we're in the last minute, a good time to wrap up. I want to thank my panelists for the presentations and for the participation in the conversation. I want to thank all of you who've given us an hour of your day to learn more about the OpenSSF and where we're headed, and I hope we've given you a taste of what's going on. Certainly it's not everything; that would take about six or eight hours of a webinar to go through. There's a lot more here, beyond even those things that we've barely been able to touch on.

So really, if you're interested in this topic at all, come and visit us on Slack, get to know us in the different working groups, and we will find a way to put you to work if you've got the time and the talent. I again just want to thank everybody involved in putting this together, and we will see you at the next town hall, if not sooner. Thanks, everyone.