►
C
We
will
get
started
a
few
minutes
after
the
hour.
I
put
a
link
to
the
agenda
in
the
zoom
chat
window.
If
everybody
could
Mark
your
attendance
there
and
if
you
have
any
opens
you'd
like
to
discuss,
please
add
them
in
the
open
section.
B
C
E
C
Well,
as
people
have
time
and
inclination,
thank
you
Francis.
If
you
could
pitch
in
and
take
a
note
here
or
there,
that'd
be
super
helpful,
because
there
are
a
lot
of
people
that
watch
this
call,
either
on
YouTube
or
review
the
notes
after
the
call,
as
is
tradition
in
our
working
groups,
do
we
have
any
new
friends
that
there
are
first
timers
today
that
wanted
to
introduce
themselves
and
say
hello
to
the
group.
B
Hello
to
the
group,
hello,
I'm,
Ola
Johansson
from
Sweden
I've
been
working
a
bit
with
trying
to
figure
out
the
European
cyber
resilience
act
and
how
that
applies
to
development
and
have
looked
into
open,
ssf
and
looked
at
us
a
lot
of
the
videos
with
zero
being
the
Superstar
so
I'm
here
to
listen
in
and
see
what
can
be
done.
Excellent.
Well,
welcome
glad
to
have
you.
F
Yeah
I'll
go
next:
hey
everybody,
I'm
Tracy,
Miranda,
I
work
at
chain
guard,
it's
recently
elected
to
the
open
ssf
governing
board,
so
yeah
just
thrilled
to
get
stuck
in
at
that
level
and
also
start
understanding
what
all
the
working
groups
are
doing
and
what
they
need
and
yeah
just
looking
forward
to
learning
more
about
openvx
as
well.
Today,.
G
H
G
I
C
All
righty
well,
thank
you.
Welcome
everybody.
If
anyone
has
any
opens,
they
would
like
to
discuss.
Please
add
them
in
the
opens
section
in
the
call
a
couple
business
items
if
you
may
or
may
not
be
aware,
we're
currently
going
through
a
Tac
election
and
we
would
love
to
get
everybody
that
contributes
to
the
open
ssf
to
first
off
be
registered
to
vote
so
that
you
can
express
your
opinion
for
how
we
want
to
lead
the
foundation.
So
that's
that
first
link
anyone
that
shows
up
to
a
working
group.
C
You
do
any
commits
you
participate
in
any
of
the
conversations
you
update
a
doc.
That
kind
of
thing
is
very
broad
criteria,
so
please
click
that
voter
eligibility,
self-nomination
link
takes
about
30
seconds
and
you
need
to
have
a
GitHub
ID
and
then
you're
done
you're
registered
to
vote.
C
If
you
are
interested
in
helping
lead
the
foundation,
we
are
doing
the
election
for
the
tax.
So
it's
a
self-domination
form.
You
click
that
link.
It's
a
little
bit
more
than
30
seconds.
It's
about
two
to
four
minutes
of
work.
You
need
to
have
a
little
bit
of
a
biography
and
kind
of
a
platform
of
you
know
why
you
want
to
do
help
the
open
ssf,
but
those
nominations
are
currently
open
that
will
wrap
up
I,
believe
all
the
registrations
are
done
on
the
12th
and
then.
C
Finally,
if
you
work
within
the
security
Community,
we're
looking
to
have
nominations
for
the
security
Community
individual
representative,
this
is
typically
someone
that
isn't
affiliated
with
some
of
our
governing
board
entities,
but
somebody
that
is
willing
to
represent
the
voice
of
the
community
and
maintainers
and
the
security
community
at
large.
So
that's
another
self-nomination
item.
C
So
please,
if
you
feel
you're
eligible
for
that
nominate
yourself
and
what
procedurally
there
will
be
about
a
week
that
the
voting
we
have
a
voting
board
that
will
kind
of
be
managing
this
they'll
go
through
vet,
all
the
nominations
and
then
actually
send
out
links
to
an
electronic
voting
tool.
I
believe
that's
going
to
be
like
the
week
of
the
20th
and
we
should
have
the
elections
for
both
the
TAC
and
the
individual
representative
completed
by
the
end
of
March.
So
please
express
your
opinion
and
participate.
C
Roger
dodger
in
the
interest
of
helping
us
move
forward
and
be
more
efficient
and
focused
I
am
seeking
a
someone
to
volunteer
from
the
working
group
to
be
our
backlog.
Warden.
The
kind
of
responsibilities
would
be
helping
us
keep
an
eye
on
issues
and
pull
requests,
making
sure
that
they
get
the
attention
of
the
working
group.
Helping
us
put
the
agenda
together
and
if
there's
something
that
you
know
the
group
needs
to
focus
in
on,
they
would
help
draw
our
attention
there
pretty
light
work.
C
You
know
maybe
an
hour
or
so
a
month,
but
if
anyone
is
interested
in
helping
donate
their
time
and
have
a
you
know,
an
official
job
I
would
be
much
appreciated
in
helping
us
keep
ourselves
organized
and
on
track
any
questions
about
that.
C
All
right
and
our
final
final
business
item
is,
you
may
notice
in
the
agenda.
We
have
a
couple
Sig
or
sub
projects
going
on
like
the
autofix
Sig.
We
also
have
opened
up
our
meetings
to
the
APAC
time
zone,
so
we
had
a
call.
Our
second
call
was
last
week
we
met
with
representatives
from
the
osv
project.
C
Very
excited
they've
been
long
time
participants,
but
because
of
the
time
zone
most
of
those
developers
are
in
Australia.
It
was
challenging
for
them
to
get
a
better
connection
with
the
group,
so
we'll
be
meeting
with
them
on
a
regular
Cadence,
very
excited
about
that.
Anyone
that's
interested
in
participating.
In
that
conversation,
we
always
have
the
slack
Channel
and
mailing
lists,
but
we
will
physically
be
getting
together
at
a
zoom
call
at
a
time
once
a
month.
C
Let's
talk
about
continue
our
conversation
about
open,
Vex
Dan
other
Dan
was
here
about
a
month
ago
kind
of
gave
an
overview
highlights
of
the
project
and
what's
going
on
and
now
Dan
Lawrence
is
here
today
to
continue
the
conversation
with
us
and
kind
of
see.
If
there
are
areas
of
partnership
and
collaboration,
we
can
start
to
work
together
on
this
very
interesting
project.
I,
you
want
to
chat
a
little
more
Dan
and
I
can
open
up
the
questions
and
answers.
D
Sure
yeah
I've
got
a
little
presentation,
I'm
going
to
walk
through
kind
of
a
couple
motivating
examples
of
just
recently
on
why
Vex
is
important
and
why
we
think
openvex
is
going
to
help
out
so
I'm
going
to
start
out.
I
could
do
some
of
this
in
the
terminal,
but
I
screenshotted,
all
of
it
in
case
it
doesn't
work.
D
I'm
going
to
pull
up
screen
share
so
I'll
just
kind
of
walk
through
the
presentation
first,
and
if
we
can
probably
find
more
examples
on
the
fly
like
this
is
one
representative
example
that
I
found
like
last
weekend
in
a
couple
of
minutes,
and
oh
no,
my
zoom,
updated
and
I'm
going
to
have
to
restart
and
come
right
back
in
a
second
I
love
the
security
features
of
OS
X.
It.
D
At
the
last
at
the
worst
possible
moment,
so
I
will
be
right
back
in
the
call
in
a
minute
I'm
sorry
about
this
excellent.
C
While
we
wait
for
Dan
to
reboot,
do
we
have
any
opens
or
any
updates
from
any
of
our
current
active
little
sub
projects?
People
wanted
to
share
with
the
group.
J
E
Security
Foundation
that
is
under
review,
probably
have
any
time
at
the
end
of
the
day
or
at
the
end
of
this
meeting.
I'd
love
to
sit
down
and
like
go
through
the
open
comments
and
discuss
those.
If
we
have
time
and.
E
Other
guide
is
the
the
other
one
is
their
specification
for
a
automated
vulnerability
disclosure
process
that
is
posted
in
the
side
channel
in
the
email?
That's
come.
That's
a
an
item.
That's
coming
out
of
the.
J
C
D
All
right,
open,
Vex
I,
have
this
fancy
themed
presentation
here:
I'll
be
talking
about
openvx,
so
I'm
gonna
start
with
yvex,
because
that
comes
up
a
lot
and
I'm
going
to
be
walking
through
this
representative
example.
This
is
focusing
on
a
container
image
that
we've
built.
This
is
one
containing
node.js.
We
try
very
hard
at
changer
at
our
company
to
fix
or
triage
or
remediate,
or
do
something
with
all
the
vulnerabilities
that
the
scanners
find
in
all
of
the
images
that
we
ship.
D
So
this
example
uses
gripe
one
of
the
very
popular
open
source
scanning
tools
on
a
container
and
our
node.js
image.
So
here's
what
the
terminal
looks
like.
We
could
run
this
today
and
probably
get
something
slightly
different,
but
in
general
this
is
what
happens.
D
We
try
to
keep
our
images
at
zero,
which
means
we
triage
all
of
the
vulnerabilities
and
try
to
patch
all
of
them,
which
is
not
an
easy
feat,
but
we
do
a
pretty
good
job
of
it,
and
so,
when
something
new
comes
in,
we
look
at
it
and
this
one
started
appearing
just
a
week
or
two
ago.
D
If
you
look
at
the
output
here
and
that
finds
one
cve
in
our
node.js
image
in
an
npm
package
called
events,
the
interesting
part
is
that
if
you
scan
this
image
regularly,
you'll
know
it
wasn't
there
a
month
or
so
ago,
and
now
it
is
there,
but
it's
kind
of
weird
that
the
cve
is
from
2018..
So
how
did
a
cve
from
2018
appear?
D
Recently
lots
of
CVS
appear
all
the
time,
usually
they're
a
little
bit
more
up
to
date
or
they're,
just
invalid
and
they're
sitting
around
forever,
it's
kind
of
weird
for
one
to
go
from
not
there
to
there
when
nothing
has
changed
and
be
that
old.
It
does
happen,
though,
so
we
usually
click
around
and
go
through
the
nvd
and
figure
out
what's
going
on,
especially
for
something
critical
like
this
one,
so
it
says
it's
in
a
package
called
events.
D
This
is
probably
part
of
node.js
core,
because
that's
all
we
really
install
in
this
image
the
next
step
in
triaging.
Something
like
this
is
to
pull
up
the
CV
itself
in
the
database.
This
is
what
it
looks
like
if
you
search
for
this
exact
cve
in
the
nvd.
You
do
not
have
a
lot
of
information
here.
This
is
basically
all
you
have
to
work
with
about
the
CV
itself.
It's
one
paragraph,
a
vulnerability
classified
is
critical,
was
found
in
events.
Extension
then
there's
a
long
path,
but
it
kind
of
ends.
D
The
strange
part
here,
if
you
read
this
whole
thing
closely,
it
ends
in
a
events.php,
is
the
actual
file,
so
a
little
bit
skeptical
at
this
point.
When
reading
this
it
looks
like
this
is
some
PHP
code.
It's
not
unheard
of
that.
Multiple
languages
are
installed
somewhere
and
you
do
have
to
triage
a
lot
of
this,
but
it
says
it's
SQL
injection,
and
so
this
seems
a
little
strange,
there's
a
patch
there
with
that
commit
and
then
another
vulnerability
identifier,
but
9.8
critical,
that's
about
as
bad
as
it
gets.
D
D
So
it's
a
little
weird
that
it's
in
PHP
when
we're
looking
at
node,
the
node.js
team
does
a
very
good
job
at
security
response
too.
So
something
seems
a
little
bit
off
if
you
click
on
that
patch.
The
next
thing
you
find
is
this:
this
is
the
actual
GitHub
repository
that
cvu
is
reported
in
Tim
Buckingham,
big
tree
hyphen
events.
D
D
This
gets
a
little
bit
semantic
now,
if
you
spend
much
time
looking
at
the
nvd
there's
some
rules
about
when
the
identifiers
get
issued
and
the
identifier
gets
issued
when
a
vulnerability
was
actually
first
disclosed,
not
when
it
was
entered
into
the
nvd.
So
even
though
somebody
filed
this
one
recently
only
a
couple
weeks
ago,
which
you
can
see
in
the
timestamp,
the
identifier
still
goes
back
to
when
it
was
first
disclosed
in
2018.
In
this
repository
it
looks
like
somebody
patched
a
vulnerability
here
with
just
a
commit.
D
They
didn't
do
much
else
beyond
that.
They
didn't
file
for
a
CV
back
then
because
it
was
only
granted
a
couple
weeks
ago,
so
someone
else
filed
for
a
CV
on
behalf
of
this
project.
Pigtree
hyphen
events,
but
yes,
it
is
in
PHP.
This
has
nothing
to
do
with
node.js.
There
is
no
node.js
package
involved
here.
There's
nothing
in
npm,
there's
nothing
in
node.
In
fact,
looking
at
this,
this
looks
like
a
personal
GitHub
project.
It
has
one
star.
One
person
is
watching
it
there's
one
issue
open.
D
D
So
then,
why
do
scanners
find
this
shouldn't
scanners?
Do
a
better
job?
Isn't
this
about
on
behalf
of
the
scanners?
D
Well,
not
really,
if
you
zoom
down
to
the
bottom
of
that
nvd
entry
for
this
cve,
you
see
the
CPE,
which
is
the
schema
for
how
they
declare
which
software
packages
are
affected
by
this.
The
scheme
itself
is
on
Wikipedia.
You
can
read
this.
The
first
part
here,
CPE
colon,
2.3,
colon,
a
I.
Don't
ever
remember
what
that
part
means
everything
has
that,
but
events
project
that
part
is
supposed
to
be
the
vendor
for
a
random
personal
project
like
this
on
GitHub.
What
even
is
the
vendor?
D
There
could
be
a
bunch
of
different
things
there
for
an
npm
package,
the
one
that
we're
actually
talking
about
the
events
npm
package,
which
should
be
the
vendor
there
either.
A
lot
of
this
stuff
is
kind
of
up
to
interpretation,
and
so
what
the
scanners
do,
which
is
probably
the
correct
behavior,
is
that
they
fail
open
and
they
fail
safe,
which
means
that
if
they
don't
know
the
actual
correct,
canonical
vendor
ID
for
something,
then
they
put
a
wild
card
there.
D
Basically,
because
it
could
be
anything
they'd,
much
rather
show
you
extra
stuff
than
miss
a
really
important
CV.
The
same
kind
of
thing
comes
up
all
the
time
with
other
packages
like
openssl
or
node.js
itself,
where
there
isn't
a
commercial
vendor,
it's
kind
of
unclear
what
to
put
there,
whether
something's
part
of
a
foundation
or
just
a
personal
GitHub
repository,
then
there's
a
bunch
of
stars,
because
those
are
typically
supposed
to
be
the
versions
minor
versions.
D
All
of
that
it
looks
like
this
component
wasn't
ever
released
so
yeah
Stars
everywhere,
and
so
when
you're,
a
scanner
vendor,
you
find
you
parse
that
Docker
image
you
see
that
there's
a
package
called
events
and
then
you've
queried
in
the
nvd
with
a
bunch
of
wild
cards
around
everything,
and
so
they
have
no
real
way
to
tell
if
this
doesn't
affect
the
nnpm
package
based
on
the
data
we
have
available
here,
and
so
it
shows
up
as
a
false
positive.
D
D
Here's
the
actual
CPE
schema
yeah,
so
version
part
and
vendor
product
version,
update
Edition
language,
software,
Edition,
blah
blah
blah
yeah.
Some
some
CPUs
get
set
a
lot
more
fine-grained
and
have
real
data
in
it.
This
one
it's
about
as
good
as
you're
going
to
get
for
a
CV
and
a
random
personal
project
like
this
one.
D
So
this
is
on
the
main
use
case.
I
mean
there's
a
lot
of
use
cases
for
vex,
but
this
is
the
main
one
that
we
deal
with
personally
when
we
triage
all
of
these
results,
there's
a
lot
of
borderline
ones
right.
There
are
a
lot
of
vulnerabilities
that
might
not
actually
be
exploitable
in
a
certain
configuration
or
might
require
an
attacker
to
have
privileges
or
all
of
this
stuff.
D
So
here's
kind
of
that
first
use
case
for
vex
here
is
what
an
openvex
schema
looks
like
there's
some
boilerplate
at
the
top,
explaining
what
it
is.
The
person
that
crafted
the
document,
the
Vex
document-
so
in
this
case
we'd
be
crafting
one
of
these,
because
we
just
did
that
triage
ourselves.
We
even
did
it
here
as
the
group
checking
each
other's
work.
We
could
write
one
together
when
we
did
this.
D
You
can
change
these
Vex
documents
over
time
and
then
here's
the
important
part
in
the
statements
so
with
an
open
device
document.
You
couple
that
vulnerability,
ID,
that
we
just
looked
at
to
the
products
that
we
looked
at
it
in
and
that's
a
slightly
important
distinction,
so
that
big
tree
CMS
thing
could
be
a
real
vulnerability
in
someone
else's
product.
It's
just
not
a
real
vulnerability
in
these
specific
products
that
we
looked
at
and
then
there's
a
whole
bunch
of
different
status
codes.
D
You
could
say
it
was
fixed,
but
in
this
case
here's
what
it
would
look
like
for
the
cve
I
kind
of
popped,
one
out
in
the
editor,
but
after
that
cve
hyphen,
2018
hyphen,
two
five,
zero,
six,
seven
six
and
declared
that
it
is
not
in
the
specific
image
that
we
looked
at
it
in.
In
this
case,
it's
a
node.js
image
and
I
think
there's
a
typo
there.
D
I
should
have
a
colon
in
between
node
and
sha,
but
you
can
imagine
what
this
would
look
like,
that
specific
product
is
that
built
final
package
that
we've
compiled
from
all
of
these
different
sources
and
the
justification
here
is
component
not
present.
That's
one
of
the
five
or
six
status
fields
that
you're
allowed
to
use.
You
get
to
write
a
little
statement
explaining
why
yeah
that
vulnerable
code
is
definitely
not
present
and
so
false
positive
match.
Our
code
is
a
node
that
code
is
in
PHP
just
completely
not
even
related
to
this.
D
These
come
up
all
the
time
with
different
packages.
There's
a
bunch
of
other
examples
in
a
Ruby
image
and
Ruby
that
you
can
look
up.
There
are
a
lot
of
ruby
gems
there's
a
core
ruby.
Gem
named
lager,
that's
baked
into
the
Ruby
distribution,
so
you
can
imagine
how
the
wild
cards
on
something
named.
Logger
explode,
combinatorically,
because
there's
probably
a
package
for
that
in
every
single
programming,
language
and
tons
of
proprietary
ones
too
so
tons
of
CVS
around
lager.
D
So
if
we
can
do
that,
triage
which
we
are
doing
and
a
lot
of
other
organizations
are
doing
and
then
put
that
metadata
in
a
structured
format
that
other
people
can
use,
and
hopefully
we
can
get
scanners
to
actually
ingest
these
vexed
statements,
as
well
as
the
nvd,
to
help
provide
better
results
to
end
users.
D
Real
quick
aside
here,
why
did
a
CV
just
get?
This
is
a
lot
of
other
systemic
problems,
I
think
with
the
vulnerability
management
ecosystem.
Why
did
a
CV
just
get
reported
a
few
weeks
ago
for
a
personal
project
that
hasn't
been
updated
in
five
years
with
one
star?
It's
not
even
clear.
Anyone
is
using
this
to
get
to
that
part
a
little
bit
of
aside
from
Vex,
but
I
think
it's
worth
calling
out.
If
you
click
on
the
identifiers
in
that
nvd
entry,
you
take
it
to
another
website,
called
zoldb
vuldb.com.
D
They
are
what's
referred
to
in
the
parlance
as
a
CNA,
so
they
are
allowed
to
issue
cves
a
lot
of
organizations
get
that
status.
But
this
is
what
you
get
when
you
click
on
their
website.
It's
login
required
and
it
is
basically
a
website
for
sharing
and
paying
for
bounties
for
exploits
against
specific
cves.
D
D
My
best
guess
for
why
these
things
keep
clogging
up
scan
results
is
that
there's
some
people
or
group
of
people
out
there
that
are
just
grabbing
GitHub
for
commit
messages
that
say
things
like
fixed
SQL
injection
or
you
know,
switched
algorithm
in
jwts
or
something
like
that.
Some
string
match
that
is
a
common
source
of
vulnerabilities
and
then
filing
cve
entries
against
them.
D
If
their
vulnerabilities
not
directly
related
device,
but
it
does
kind
of
come
back
to
the
main
theme
of
the
noise-
isn't
going
to
go
away,
the
incentives
in
the
system
are
going
to
keep
leading
to
more
and
more
of
these
bad
vulnerabilities
getting
filed
unless
something
huge
changes,
foreign.
D
So
what's
next
here
for
for
vex
in
general,
how
does
open
Vex
fit
in
to
really
solve
that
core
use
case
of
stopping
that
crappy
data
from
flowing
Downstream
to
end
users?
We
need
a
whole
bunch
of
different
parties
to
start
implementing
and
trusting
and
interchanging
and
working
with
these
Vex
documents.
There's
also
all
sorts
of
weird
trust
things
to
worry
about.
When
you
start
talking
about
that,
we
did
that
triage
here.
As
a
group,
let's
say
somebody
trusted
the
open
ssf
to
be
doing
that
analysis
as
one
example.
D
They
might
not
trust
some
other
random
person
on
the
internet.
Trusting
random
people
on
the
internet
to
add
vulnerability,
vulnerability
data
is
how
we
got
into
this
mess
in
the
first
place,
so
that
trust
model
requires
some
kind
of
signature.
Digital
signature
at
a
station
framework,
so
you're
not
just
trusting
any
Vex
document
you
find
sitting
around
on
the
ground.
You
might
want
to
configure
that
to
only
trust,
facts
documents
that
come
from
someone
else.
D
D
I
might
trust
a
third
party
vendor
I
might
hire
someone
to
do
that
triage
on
behalf
of
me
and
tell
me
which
CVS
I
really
need
to
worry
about
that's
kind
of
a
personal
choice,
so
the
Vex
documents,
the
Vex
scheme
of
the
Vex
working
group,
so
kind
of
handle
that
interchange
format,
but
they
don't
really
solve
the
whole
end-to-end
use
case
around.
D
How
do
standards
know
which
effects
documents
to
trust
on
behalf
of
you,
so
that's
kind
of
where
some
of
the
extra
stuff
in
openvx
comes
in
it's
designed
to
fit
into
a
lot
of
the
other
signing
and
attestation
formats
that
are
used
throughout
the
open
source
ecosystem
like
in
Toto
and
Sig
store.
So
we
can
start
to
work
with
scanners
and
figure
out
how
they
can
be
configured
on
behalf
of
companies
and
issue.
These
on
behalf
of
companies
and
signing
them
Vex
as
a
whole
is
very
new.
D
The
people
that
we
deal
with
tend
to
use
sneak
gripe
trivia,
twist,
lock
a
bunch
of
these
common
ones,
but
there's
hundreds
and
hundreds
of
other
scanners
out
there
in
the
audit
we've
done,
and
we
could
be
missing
things
because
there's
so
many
none
of
them
really
seem
to
support
any
vac
streamers
today,
even
though
there
are
a
few
other
formats
for
this,
the
main
ones,
the
main
elephants
in
the
room
that
have
been
doing
decks
before
this
are
csaf.
D
It's
a
very
large
schema
that
does
accent
a
whole
bunch
of
other
things
as
well
for
security
reporting
and
data
interchange,
and
all
of
that
there
aren't
great
libraries
for
it.
It's
just
a
massive
specification
in
general.
So
if
we're
trying
to
get
scanners
to
add
something
new,
something
simple
and
focus
to
the
Vex
case
seems
to
be
a
little
bit
easier.
D
Also,
just
personally,
we
like
standards
that
do
one
thing
do
one
thing
well,
rather
than
kind
of
large
overall
envelope
formats,
Cyclone
DX
also
has
a
Vex
profile,
but
Cyclone
DX
is
a
full
s-bomb
format.
You
can
issue
Vex
documents
in
it
without
the
whole
s-bomb
stuff,
but
it's
kind
of
off-putting
a
whole
different
tool
set
to
people
that
are
using
some
of
the
other
S9
formats
like
things
like
spdx
I.
D
Did
this
whole
Vex
demo
without
even
mentioning
s-bomb
and
talking
about
it,
because
you
don't
need
to
it's
related
to
s-bomb
and
s-bomb
is
going
to
kind
of
blow
up
that
noise
problem,
but
you
don't
need
as
bombs
for
vex
to
be
useful,
so
something
decoupled
from
any
of
the
major
s-bomb
formats
seems
to
have
a
better
chance
of
getting
a
widespread
adoption
in
our
opinion
and
then.
Finally,
this
as
a
whole
is
incredibly
new
I.
Think
if
we
start
fresh
start
with
the
very
minimum
fields
that
we
need.
D
D
There's
a
lot
of
talk
about
fragmentation
again
that
doesn't
really.
That
argument
doesn't
really
resonate
with
me
personally,
there's
not
much
of
anything
to
fragment.
We
haven't
been
able
to
find
any
Vex
documents
out
there.
Yet
just
the
working
group
there's
of
course,
going
to
be
multiple
formats,
as
PDX
also
has
a
Vex
profile
going
on
inside
of
that
format.
This
is
a
working
group
kind
of
published
this
common
lowest
common
denominator,
definition
of
what
Vex
actually
is
and
what
it
means
to
be
vex,
semantically.
D
So
any
format
that
does
that
in
my
co-worker
Adolfo
just
did
some
demos
last
week.
Anybody
that
actually
has
that
metadata
in
different
formats
should
be
able
to
Interchange
just
fine.
They
semantically
explain
here's
what
a
product
is,
here's,
what
a
vulnerability
identifier
is
and
the
formats
can
choose
to
represent
in
different
ways
whether
it's
XML,
please
no,
but
something
like
that
or
even
custom
schemas,
there's
gonna
be
a
bunch
of
different
ways
of
representing
those
same
four
or
five
key
Fields,
whether
you
embed
it
somewhere
else
or
not.
D
A
E
D
Switching
computers,
can
you
hear
me?
Yes,
you
got
out
of
the
car
nice
last
I
saw
you.
E
Were
driving
now
back
on
my
desk
yeah
dental
appointment
overlap
anywho,
so
one
of
the
things
that
I
have
seen
that
a
lot
of
these
dependency
scanners
try
to
handle
well
right,
is
the
like
flagging
the
this
is
vulnerable.
One.
E
Seen
a
lot
of
products
try
to
solve
is
the
this
project
is
or
this
dependency
is
vendored
in
some
other
project
and
add
the
cpes
for
the
or
whatever,
like
the
the
the
pearls,
the
cpes.
You
know
for
the
vendor
down
the
project
Downstream
that
vendors,
that
project
and
is
thus
still
vulnerable
to
that
upstream
cve,
and
try
to
capture
that
information
as.
I
E
Know
cve
listings
like
from
like
links
to
Red
Hats
disclosure
pages
and
the
Ada
in
the
you
know,
Apache
soccer
foundations
disclosures,
but
but
those
don't
end
up
getting
attached.
Usually
in
these
larger
scanner
tools.
D
I
know
Brandon
introduced
himself
at
the
start
of
this
call
Brandon
just
published
an
awesome
blog
post
on
yesterday,
like
literally
yesterday
on
ways
to
do
like
partial
recombination
of
X
documents,
as
software
gets
rendered.
I
don't
want
to
call
anyone
on
the
spot
Brandon,
but
I
think
what
Jonathan
just
described
is
what
your
blog
post
yesterday
was
about.
Is
that
correct.
A
L
I
think
I
think
he
disconnected
a
few
minutes
ago.
You
have
to
catch.
D
Another
meeting
I
can
I
think
it
was
on
the
osv
blog.
If
somebody
wants
to
look
it
up
and
grab
the
link.
I
know
Park
was
here,
he
read
it.
If
somebody
wants
to
drop
the
link
in
here,
but
I
think
that's
correct
was
that
Tracy.
D
Awesome,
thank
you.
Yeah.
Take
a
look
at
that
Jonathan.
Let
me
know
if
that
answers
your
question,
but
in
general
that
is
a
very
broad
topic
and
you're
completely
correct
one
common
example:
there
is
node.js
vendors,
its
own
version
of
openssl
inside
of
it.
D
They
have
a
bunch
of
good
reasons
for
doing
that,
but
it
means
that
scanners
don't
know
about
that
version
of
openssl
and
unless
they're
very,
very
smart,
and
some
of
them
might
know
that,
but
most
of
the
common
scanners
last
I
checked
when
that
last
round
of
open,
SSL
vulnerabilities
came
out
a
few
months
back
did
not
know
that
node.js
had
its
own
version
of
openssl
inside
of
that,
and
so,
if
you
had
a
safe
version
of
openssl
installed
on
the
system,
and
then
you
had
a
version
of
node.js
installed
on
that
system
with
the
dangerous
version,
dangerous
version
of
openssl.
L
Also
also
in
that
case,
when
they
are
not
like
they
did
Issue
an
advisory
saying.
No
JS
17
and
18
contain
openssl
in
their
vulnerable
version,
but
they
didn't
say
no
16
also
contain
the
same
openness
sub
because
it
was
end
of
life.
So
and
they
said
we
don't
support
end
of
life,
so
they
didn't
mention
it
so
I
reached
out
to
them
and
then
they
edited
but
yeah.
Unless
you
you
know,
then
you
don't
know.
D
D
Ideally,
an
end
user
would
have
enough
data
to
just
know
that
node
has
this
version
of
openssl
and
therefore
also
query
for
all
open
SSL
vulnerabilities,
instead
of
just
the
node
ones,
but
again
that'll
lead
to
a
whole
bunch
of
noise
that
you
need
a
way
to
quiet.
I,
think
art
looks
like
he's
here.
I
still
remember
this
talk,
art
gave
at
the
first
supply
chain,
security,
con
called
the
supply
chain
of
vulnerabilities
itself
and
I
think
it
might
be
completely
misrepresenting.
It
I
think
he
said.
D
K
Yeah
and
just
to
be
clear,
I
I,
think
I
think
I
was
citing
Chris
twiceople
of
varicode
and
but
just
important
nuance.
You
know
that
that
figure
was
for
the
software
that
they
were
looking
at.
So
I
don't
deny
that
that
number,
but
I
think
it
might
vary
depending
on
the
you
know.
The
ecosystem
you're
working
in
but
I
think
the
takeaway
is.
You
should
not
assume
Downstream
inheritance
of
vulnerability
or
non-vulnerability.
D
Yeah,
so
if
you
only
solve
that
first
half
of
the
problem
of
clearly
stating
which
software
is
bundled,
then
you're
just
going
to
blow
up
the
noise
problem
unless
you
also
solve
a
way
to
carry
on
a
trans
transmit
that
exploitability
information
to
alongside
of
that,
so
I
think
Brandon's
blog
post
from
yesterday
addresses
it
pretty.
Well
any
other
questions
on
that.
One.
D
All
right,
one
final
Point,
everyone's
favorite
topic.
We
do
hope
eventually
to
propose
open
Vex
as
an
international
standard,
and
it
turns
out
that
doing
that
is
tricky
legally
and
it's
important
to
get
a
lot
of
this
stuff
right
from
the
beginning.
D
You
probably
saw
this
in
the
salsa
specification
working
group
in
the
open
ssf.
A
lot
of
other
standards
go
through
this
I'm,
not
a
lawyer,
but
my
understanding
is
that
standards
and
specifications
are
treated
much
much
differently
from
a
licensing
and
patent
perspective
than
just
code
and
the
great
Folks
at
the
open,
ssf
and
the
Linux
Foundation
put
together.
This
process
called
the
community
specification
process.
Or
if
you
follow
that,
then
you
get
a
lot
more
protections
than
just
throwing.
D
Like
A,
Creative,
Commons
or
Apache
MIT
license
in
a
repository
and
calling
something
a
specification,
and
if
you
don't
do
that
from
the
start,
it
becomes
very
hard
to
propose
these
things
as
International
standards.
Jewelry
and
the
specification
group
of
the
learnings
foundation.
Explain
this
so
many
times
and
I,
don't
quite
understand
it
because
I'm
not
older,
but
I
trust
them,
and
so
we
set
up
open
fashion.
I'm
going
to
start
with
this
process
to
make
sure
we
are
protected
in
that
event
of
proposing
it
to
an
international
standards
group.
D
So
if
we
do
all
this
correctly,
then
I
do
hope.
We
can
get
some
ISO
specification,
I.E
tfrfc,
something
like
that.
I,
don't
know
that
we
have
any
plans
of
exactly
which
direction
to
go,
but
for
vex
itself
to
reach
that
goal
of
scanner
or
distributor
consumer
widespread
adoption.
That's
important
to
get
this
into
an
international
standards
group.
D
D
Now
we're
kind
of
at
that
stage
of
working
with
projects
to
produce
X
documents
as
software
producers
ourselves
and
we're
able
to
do
that
for
our
software
just
to
try
it
out
see,
what's
missing
see
what
extra
features
we
need
and
as
open
source
maintainers,
we
can
work
with
those
projects
too,
because
open
source
projects
get
plugged
constantly
about
these
noisy
cves
and
giving
them
a
tool
to
quiet
that
or
stop
people
from
bothering
them
resonates
a
lot
with
a
lot
of
different
maintainers
get
it
working
end
to
end.
D
So
we've
got
to
work
with
a
few
scanners,
we're
hoping
to
work
with
the
gripe
folks
to
start
out
with
template,
that's
back
and
then
flesh
out
the
other
parts
beyond
the
spec.
The
stuff
I
talked
about
before.
How
do
I
trust
this
Vex
document?
How
do
I
configure,
which
sources
I
trust
for
which
pieces
of
software
there's
a
lot
of
different
status
codes
in
there
that
one
around
that
code
just
is
not
even
present,
is
the
simplest
there's
a
lot
of
other
more
nuanced
ones
around.
D
It's
not
exploitable
in
the
default
configuration
but
might
be
in
other
configurations,
so
use
an
end
user
based
on
your
risk.
Tolerance
might
want
to
trust
only
stuff
for
the
reasons
of
the
code
not
being
there,
but
you
might
still
want
to
take
another
look
yourself
for
other
statuses,
so
there's
a
lot
of
ux
here
to
figure
out
to
really
quiet
the
noise
problem,
while
still
keeping
transparency
throughout
the
entire
supply
chain.
D
If
that
goes
well
just
rinse
and
repeat
and
see
if
we
get
more
widespread
adoption
and
then,
of
course,
Tracy
threw
this
one
in
here,
one
of
my
favorite
memes
about
Vex
I
did
this
during
the
the
World
Cup,
but
yeah
as
s-bombs
ADD
transparency.
We
need
tools
to
combat
the
noise
that
comes
with
transparency.
D
Getting
rid
of
s-bombs
to
solve
the
noise
problem
is
one
approach,
but
it
also
loses
out
on
a
bunch
of
the
benefits
of
s-spons,
so
as
bombs
and
vexed
together,
we
can
improve
transparency,
security
and
the
noise
problem
at
the
same
time
is
our
hope
here.
B
D
C
B
D
D
Yeah
might
take
vdr
is
vulnerability.
Disclosure
report,
I
think,
is
that
what
it's
called
Parker
am
I,
getting
this
right
now
I'm
blanking
on
what
it's
actually
called
I.
As
long
as
it's
correct
and
I
know
my
take
yeah
vulnerability
disclosure
report
that
is
kind
of
I,
look
at
it
as
almost
the
opposite
of
Vex
in
some
ways
a
vdr
document.
My
understanding
anyway,
is
supposed
to
contain
a
list
of
the
vulnerabilities
that
are
exploitable
in
a
piece
of
software.
D
D
The
big
Nuance,
in
my
opinion,
is
that
it's
it's
there's
not
always
an
answer
of.
Is
it
exploitable
or
is
it
not
especially
for
late
breaking
new
vulnerabilities?
There's
a
third
intermediate
State
there,
which
is
we
don't
know
yet
or
we
haven't,
looked
yet
or
something
like
that,
and
so,
if
you're,
using
that
vdr
style
model
of
I
assume.
My
vendors
will
tell
me
if
something
is
exploitable
and
I
have
this
API
to
hit
and
I'll
check
the
morning.
D
Log
for
Shell
happens
or
the
next
log
for
Shell
happens
and
you
hit
all
these
apis
and
it
doesn't
show
up
in
that
report.
You're
left
wondering.
Did
they
do
that
triage
and
affirmatively
state
that
it's
not
there,
because
it's
not
in
this
document
or
have
they
just
not
done
that
triage
yet
or
with
Vex?
D
You
know
that
if
it's
not
there
say
it's
not
exploitable,
then
you
get
to
assume
that
it
is
exploitable
until
you're
told
otherwise,
so
that
slight
default
switches,
different
kind
of
like
a
fail
open
to
fail,
closed
model,
I.
Guess
in
my
opinion,
which
lets
you
decide
what
to
do
in
those
situations.
B
D
D
Yeah
that
that's
my
high
level
I
think
there's
a
couple
memes
or
two
somewhere,
but
yeah
I.
Think,
coupled
with
s
moms
I
mean
it
to
some
extent,
I
think
the
vdr
concept
is
great
like
if
you
can
trust
your
vendors
to
tell
you
that
information.
It
saves
you
a
lot
of
time,
but
it
requires
you
to
be
able
to
trust
your
vendors
and,
in
my
opinion,
one
of
the
main
goals
of
s-bombs
is
to
give
you
transparency
in
that
code.
So
you
don't
have
to
just
blindly
trust
your
vendors.
D
You
can
see
what's
in
there
and
do
a
lot
of
that
querying
yourself.
So
Vex,
plus
s
bombs,
is
kind
of
solves
that
same
use
case
as
vdr
in
the
end
which,
if
you
want
that
transparency,
if
you
want
to
be
able
to
that
feel
safer
having
the
s-bomb
data,
doing
the
queries
yourself
and
then
checking
for
vex
entries,
it
is
more
work
to
be
clear
than
just
asking
a
vendor
whether
or
not
there's
anything
you
need
to
worry
about.
B
K
Art
yeah,
sorry,
just
one
day
a
couple
months
ago
that
the
acronym
video
are
surprised.
The
heck
out
of
me
and
I
went
to
dig
it
up.
It's
not
crystal
clear
to
me
that
vdr
is
well
specified
anywhere,
I,
think
nist
brought
it
put
it
up
in
an
SP
and
the
Cyclone
DX
folks,
you
know
have
perfectly
fine.
You
know
chosen
that
they're
going
to
implement
it
or
just
talk
about
it
more,
but
one
you
know
analog
to
Vex
right,
even
there's
no
such
thing
as
open
vdr.
K
Currently,
that
has
an
actual
right,
schema
or
format
or
anything
so
I
would.
My
opinion
is
that
vdr
is
pretty
weakly
specified
not
to
get
too
fired
up
about
it
at
this
point,
no
one
is
actually
requiring
them
or
has
a
special
format.
You
have
to
do
them
in
just
yet
that
I
know
that
I
know
of
at
least
thanks.
D
H
C
So
as
we
open
this
up
to
the
floor
for
questions,
I
want
to
thank
Dan
for
putting
this
little
presentation
together
very
helpful,
very
interesting
problem.
M
Just
I
know
that
you've
done
some
Outreach
to
some
of
the
standards
groups
that
have
been
working
on
this.
What
does
the
philosophy
in
terms
of
you
know,
trying
to
collaborate
with
other
standards,
groups
that
have
been
participating
versus
trying
to
sort
of
Advance
this?
Is
it
a
little
early
in
the
game
yet
or
any
other
thoughts?
You
have
on
that,
because,
obviously,
in
the
past,
standards
have
driven
a
lot
of
this.
M
Currently,
you
know
the
pengulum
swung
to
the
point
where
code
drives
a
lot
of
this,
but
does
this
risk
getting
the
industry
even
a
bit
more
confused
by
pushing
this
aggressively
at
this
stage
right,
because
one
of
the
things
that
we
put
out
as
a
position
on
this
is
that
clients,
customers
developers,
the
industry
at
large,
is
just
getting
overwhelmed
with
every
you
know:
a
new
shiny
object
showing
up
in
the
toy
box
every
you
know
four
weeks
and
I
I,
don't
I'm,
saying
that
and
I'm
not
trying
to
throw
any
shade
on
the
open,
Vex
project
per
se,
but
I'm
just
wondering
if
this
is
something
that
adds
yet
another
thing
on
the
open,
ssf
Agenda
that
when
we
aren't
quite
fully
executing
on
other
things
and
or
maybe
it's
early
enough,
we
should
still
be
trying
to
work
in
some
of
these
other
standards
organizations
to
influence
them
and
get
everyone
more
on
the
same
page
before
we
sort
of
try
and
dramatically
plant
a
flag.
M
M
Of
thing
that
you
just
kind
of
you
know
clicked
off,
but
certainly
the
the
folks
that
have
been
working
around
esperan.
They
even
presented
on
Vex
a
bit
at
the
conference
in
Europe
towards
the
end
of
last
year.
So.
D
M
D
Yeah
I
think
that's
Justin,
Murphy,
yeah
or
Alan
Friedman
are.
D
You
yeah,
Alan,
Alan
and
Justin
are
great.
They
were
part
of
the
Cisco
working
group
that
formalizes
the
definition
of
vex
I
I,
don't
see
either
of
them
here
in
the
call
and
I
don't
want
to
put
words
in
their
mouth
and
I
know.
Art
was
in
that
as
well,
but
my
understanding
is
that
the
goal
of
that
working
group
was
to
Define
what
Vex
is
not
to
define
a
particular
format.
D
D
We
can
get
that
process
started
whenever
there's
Comfort
I,
guess
that
this
works.
The
ietfs,
Motto,
I,
guess
philosophically,
is
what
aligns
with
me
of
working
code
and
rough
consensus,
so
showing
some
amount
of
working
code
end
to
end
I.
Think
we'd
like
to
do
first,
showing
is
Flowing
all
the
way
from
a
software
distributor
through
a
scanner
down
to
a
customer
when
we've
proven
that
works
all
the
way,
then
I
think
I'd
be
happy
to
push
this
through.
A
standardization
process
did
I
didn't,
say
any
of
that
correctly.
Art
and.
K
I
was
going
to
just
quickly
back
that
up.
This
is
a
dock
which
should
be
published
any
any
any
any
day.
Now,
waiting
for
a
legal
review,
I
think
is
sort
of
a
requirements,
level
minimum
requirements.
It
is
supposed
to
supposedly
carefully
abstract
it
away
from
an
actual
implementation.
There
can
be
many
implementations.
You
can
call
the
fields
what
you
want.
You
can
get
into
details
about
how
you
want
to
do
things
as
long
as
in
theory
you
meet,
you
know,
you've
got
these
informational
elements
and
they
relate
in
a
reasonable
way.
K
We
tried
very
hard
to
sort
of
meet
this
weird
Middle.
Ground
of
you
know,
there's
a
couple
implementations
already
out
there.
Openvx
came
along
at
a
great
time
in
that
process.
This
will
show
another
implementation:
a
much
cleaner,
simpler,
smaller
one
and
yeah.
The
system
work
is
intended
to
be
a
requirements,
level,
high
level
requirements,
level,
minimum
requirements,
level
a
layer
away,
at
least
on
the
implementation.
So
right
on
down
here,
thanks.
D
Did
that
answer
your
question
Jeffrey
anything
else.
There.
M
Yeah
I
understand
you
know
it's
logical,
but
it
it
still
doesn't
sort
of
help.
The
problem
yeah
customers
are
all
struggling
with.
You
know
what
do
I
do
about
my
basic
s-bomb,
much
less
Vex
and
oh,
my
God
I'm
just
going
to
run
in
the
opposite
direction,
because
I
can't
keep
up
with
the
volume
of
churn
that
seems
to
be
happening
out
in
these
communities.
D
If
we
do,
it
correctly,
I
think
it's
a
it's
a
concern
for
software
Distributors
to
deal
with
and
a
concern
for
scanner
vendors
to
deal
with,
but
those
same
soccer,
Distributors
we've
heard
in
all
of
yes
Mom
working
groups
that
they're
one
of
their
main
fears
of
s-bomb
is
that
added
transparency
will
lead
to
their
customers
blowing
up
their
phone
lines
of
all
the
noise
from
the
scanners,
and
so
Vex
is
solving
a
real
pain
point
for
them.
So
I
think
that
there
is
going
to
be
motivation
to
do
something
there.
D
You
have
to
do
s-bombs
and
those
support,
calls
and
emails,
and
all
that
really
are
gonna
I
completely
buy
into
that
argument,
and
they
really
are
going
to
lead
to
a
lot
of
cost
and
noise
and
confusion
for
those
end
users.
So
something
has
to
be
done
here.
D
D
B
In
regards
to
the
itaf
there's
a
skit
to
working
group-
I,
don't
know
if
you've
been
there
done,
but.
D
Yeah,
my
understanding
of
that
group
they're
working
on
ledgers
and
Technologies
for
kind
of
Distributing
information
like
this
I
follow
the
list
like
repositories
for
storing
and
interchanging
s-bombs
and
Vex
documents,
and
all
of
that
that
kind
of
sits
in
that
section,
I
guess
below
the
now.
We
have
the
documents.
How
do
we
get
them
around
to
people?
How
do
they
find
them?
How
do
they
know
which
ones
they
can
trust
I,
think
that
it
would
align
that
way,
pretty
well.
D
I
know
that
I
I
don't
know
much
about
those
sanders
groups
at
all.
I
know.
Spdx
is
an
ISO
standard
that
seems
to
have
worked
well,
I,
don't
know
why
anyone
like
to
be
honest,
I
just
don't
know
why
you'd
pick
one
over
the
other,
so
I
don't
have
an
opinion
there.
K
I
Not
a
question
just
more
like
a
comment,
you
know,
I
think,
first
of
all,
a
great
presentation:
I
had
a
chance
to
see
Adolf
will
do
it
at
the
sisa
effects
working
group
meeting
on
Monday
and
he
had
a
different
Spin
and
it
was
actually
a
live
demo
and
all
that
kind
of
stuff
which
was
really
cool
too.
So
third
time
going
through
something
like
this
a
lot
of
great
stuff
going
on.
I
If
the
desire
is
towards
ISO
specification,
I
guess,
there's
no
better
place
to
begin
than
than
right
here,
because
openness
and
stuff
and
what
you're
describing
is
the
past
submitter
process,
and
you
know
working
on
it
here
in
the
openness
and
stuff,
and
it's
of
course,
going
to
a
jury
over
there
in
the
jdf,
there's
actually
a
step-by-step
process
that
they're
actually.
Currently,
it's
not
written.
It's
not
written
down
on
paper
yet,
but
it
is
currently
being
written
down
on
paper.
I
But
part
of
that
process
is
collab,
is
a
collaboration
and
and
contribution
here
and
then
working
on
it
here.
Doing
that
and
then
adoption
and
everything
else
as
a
whole
explanatory
report
process,
I'm
not
going
to
do
all
that
here
but
saying
this
is
a
great
place
to
start.
I
D
It
awesome
yeah,
that's
exactly
what
we'd
like
to
do
and
Jory
jumped
in
the
first
day
and
told
us
exactly
what
we
had
to
do
for
Community
specifications,
so
we
should
be
set
up
there.
The
jdf
stuff,
I
think
Tracy
just
dropped
some
notes
in
so
yeah.
That's
what
we'd
like
to
do.
C
And
that's
that
would
be.
My
next
question
is:
what
would
you
like
for
us
to
assist
with
what
feedback
can
we
give
you?
How
can
we,
what
were
you
seeking
and
kind
of
talking
with
us
about
this?
How
can
this
working
group
sure.
D
Yeah
I
think
we're
only
five
minutes
left,
so
we
probably
won't
get
through
the
whole
thing,
but
yeah
we'd
like
to
move
the
open
Vex
project
to
part
of
this
working
group
and
I
know
we're
just
an
attack.
Call
yesterday
going
through
details
of
exactly
how
that
happens
in
general,
in
the
open,
ssf
Chrome,
but
yeah
we'd
like
to
follow
that
process
and
be
adopted
by
this
working
group
and
then
eventually
go
through
the
full
jdf
stuff
and
become
a
real
International
standard.
D
So
whatever
other
stuff
people
would
like
to
see
whatever
yeah
I
guess
to
get
that
process
started
all.
C
Right
and
what
we'll
do
is
we
will
start
that
process
off
with
a
issue
in
our
repository
in
a
node
after
our
working
group
soliciting
our
collaborators
and
contributors
to
vote
on,
you
know:
do
they
think
this
is
something
that
aligns
with
our
working
group
goals
and
Mission,
and
as
we
get
that
feedback,
we
will
take
the
steps
following
the
exciting
new
process
that
has
some
better
documentation,
I
heard
late
yesterday,
but
we
can
follow
that
through.
If
the
group
feels
that
there
is
Merit
in
this
collaboration,
hey.
D
C
And
we'll
also
I'll
collect
some
links
to
your
GitHub
repo,
your
project,
if
anyone's
interested
in
you
know
directly
engaging
right
now,
I'm
sure
patches
are
always
welcome.
Yes,.
C
Right
so
any
additional
questions,
feedback
comments.
C
All
right,
but
I
want
to
thank
the
Dans
for
coming
and
sharing
this
with
us.
I
think
it's
a
very
interesting
idea,
I
think
it's
something
that
can
be
very
useful
to
the
ecosystem
and
I'll
get
that
issue
set
up
and
sent
out
to
everybody
to
express
your
opinion
on
to
see
if
this
is
something
we
want
to
formally
adopt
and
start
official
collaboration
on-
and
you
know
thank
you
again
for
your
time
and
your
dedication
to
this.
Helping
make
the
world
a
little
bit
better.