From YouTube: OpenSSF Vulnerability Disclosures WG (October 19, 2022)
Description
No description was provided for this meeting.
A: All right, who is there? Anyone interested in helping take notes today? Scribe is a very important role. Jonathan is not hanging out outside in front of a coffee shop.

A: All right, please add opens down below. We're gonna do a readout of the activities of the OSS-SIRT SIG, and hopefully we'll have a very special guest star to talk about a question they have about upstream CVE remediation timelines. I have some decisions I would like to talk about with the group before I make them issues and have everybody vote, and then we have some project ideas, so.
A: Not having any opens, let me talk about the activities of the OSS-SIRT SIG. So, as you recall, this group had adopted the OSS-SIRT, which is a security incident response team, as a SIG for us. So a small group of us have split off and are working on refining the mobilization plan, and we have three different sections here.

A: We have a group focused on identifying the core services of this group, and then we have a group focused on the execution, once we have services, kind of executing on that plan: hiring support individuals or helping implement infrastructure and tooling to help make the team successful. Overall, plan revision is going very well. We think that we will be able to re-propose the plan back to the governing board and TAC for funding approval, potentially as early as, like, the second week of November.

A: So that's about a month ahead of the original plan, but things are going well, and you can take a peek at the meeting notes there if anyone is curious for specifics. Any questions about the OSS-SIRT SIG activities?
A: I see a rune is not here yet, which is cool. So let us move on to two topics that I'm going to make as issues for the group, and I'll send a note out to the mailing list later today so we can start to get a vote on. So I'm curious, first off, number one: is this group happy with our twice-monthly meeting cadence? Do we want to move that to monthly? Do we want to keep it bi-weekly, or do we want to go weekly, daily?

A: Any other thoughts on the matter? You'll get the chance to express yourself once we get it up into an issue, but just some initial table setting for those folks that are here.

A: All right, and then number two, I wanted to provide the group the option. If you are unhappy or desire changes in how this call is run, we definitely can have a change in how the meeting is run, a change in the leader if you desire, so that is also an option if the group wants it. I just wanna provide people that opportunity if they would, if somebody has a strong desire and a vision for how this group should be run. You know, I don't want to, I want to allow... no, no, but I...

A: It's not CRob's group; I'm just here to facilitate, but if somebody else has a hankering to lead, I don't want to stand and impede that person.

D: I think it's less about, you know, somebody; it's more about race. They want the responsibility.
A: Potential projects to work on: PR 115, 113 and 116, so potentially future projects for this group to work on together. The first idea was PR 115, which is, you know, we've done a couple CVD guides already, and there was a potential interest around making one focused on open source consumers, explaining how open source coordinates vulnerabilities, places people could go or resources consumers could leverage to get advisories, or just kind of better understand the process.

B: I feel like I'm the only one complaining. I'm not a big fan of more guides, because I feel like these are just words that we write once and nobody reads, but if it's how we can have impact as a working group, go for it. I would like us to have something else, if possible.

D: Yeah, what other, video content or, or like tweets, or I don't know, what were you thinking about?

A: That is something we also... We don't have that currently documented here, but if we wanted to expand, like to get better usage of what we have, we definitely could do tweets through social media. We could arrange conference talks; we have a whole education SIG that will be looking to generate content, so we have the opportunity to potentially donate podcast, webinar, blog-type material.

E: Yeah, that's not a bad idea. I've had some people from the CVE program reach out to me about a podcast related to the guide that we just released, also because I might have voluntarily told them I would do that a couple months ago when I had more free time. So I've also been looking for, like, other avenues, even outside of OpenSSF stuff, to share the same sorts of things.

E: I've also been working with the Erlang foundation in their security working group; it doesn't currently have any vulnerability disclosure guidance or reporting in the slightest, so I actually referred them to our maintainer guide and they're considering making that their official statement for the whole ecosystem. So that's pretty neat for me. So we'll see where that goes; I'm still working with them, but I've just personally been looking for avenues even outside of OpenSSF to keep reiterating the same message.

A: And consumer could be other open source projects potentially ingesting things as dependencies, could be enterprises and, you know, developers; there's a lot of different consumers.

D: It's like, you know, my brain is continuing to spiral on the idea of content, sort of like, you know, working with Eddie or some other YouTube content creator. Is there a budget for, like, collaborating with somebody who does content, to like sponsor their work, sponsor the video or something like that? If that's something that we would be able to leverage that forward.

A: Secondly, there's again the whole education SIG that will be focused in on providing more classes, webinars, boot camps, working with underserved communities, getting them access to security content, and I can tell you they already have a... They will be coming to this group. At some point the SIRT SIG will be coming to that group to help make content for CVD training, and then this group will probably be asked to help coordinate and help collaborate on that, and the whole education SIG has funding allocated for, generically, podcasts and webinars.

A: So that's another route we could go. That has a little bit longer of a tail because, again, there's no funding allocated yet, and that'll... That should happen, ideally November.
A: I am hungry. All right, the next idea we have, the proposal is PR 113, some type of guide for maintainers on handling incidents. So we have the generic guide that speaks to, generally, steps you should take before an incident occurs, having like a policy set up and having an email contact list, but we don't have any prescriptive instructions on when you're in the middle of the fire, how you can put yourself out, for example. So that's another suggested work effort we could work on. Yogesh.

C: So recently we made an incident response plan public. So in Red Hat we have an incident response plan which we have been operating with for years. It does have how to deal with critical incidents; it does have playbooks. So what I'll do is I'll put a link to that public source in this document, under, yeah, so that it's, you know, shared with everybody. Maybe that could be a good starting point for us.

C: It has lots of content, and that is how Red Hat operates whenever we get a vulnerability reported, till the release.

A: Any additional thoughts or comments on, you know, Yogesh's proposal to review the Red Hat guide, or just the idea of kind of more specific instructions to help projects and maintainers?

D: I'm just going to think... a little bit of a bigger description of what, you know, hair on fire looks like, because I can imagine hair on fire looks like a lot of different things, and so I just, you know, I just want a little bit of a deeper understanding of what that... like what scenarios are described for here, how to deal with excellent scenarios.

A: Pulling up the PR, there is not anything listed, so it's a blank slate, so we could describe any scenarios the group is interested in contributing towards.

C: To clarify, it doesn't have Red Hat, so it's an open source... We did not reference Red Hat's way of working; gray dots, redacts, you know, the organization. It's a sanitized version of Red Hat's incident response plan, so to be consumed by the open source community, obviously.

A: And potentially this is definitely something the open source SIRT SIG is going to need; we're going to need playbooks as we assemble that group of Avengers to help solve problems, so that might even be something that becomes a work output of that group, or something we... again, not everyone here participates in that SIG, but something maybe we jointly officially work on to help develop some of these playbooks, and that ultimately becomes a larger resource that we could share out.

F: I think that it would also be good for stream one in our SIRT, where we're gathering, like, information from stuff like...

A: Any further comments on PR 113?
A: And then the last item today we have documented as a formal potential project is creating plugins or tooling to enable those guides. So this is something that could be very useful to automate or kind of accelerate some of these guide practices. So that's PR 116.

C: So is it about just updating and maintaining the CVD guides, or helping automate the operation side of the maintenance?

A: It would be ideally for that, presenting tooling that can help execute on a specific task. Francis, yeah.

B: Yeah, just like CRob was saying, I think the idea here was to develop some tools of sorts that could help maintainers raise their security bar and also use and adopt some of the sections of the CVD guides that we've been promoting. So there could be like automated mailing list creations or whatever. That is like... We don't actually have concrete ideas of what these would be.

A: Just trying to gauge a level of interest. I will put out a note to our mailing list and request people to express interest in the PRs to see if we have any kind of level of synergy around the ideas, and then we will report back next time if we have some consensus on something we'd like to work on formally together.

A: Not officially now; FIRST members are, like Intel is and Red Hat is, but the FIRST organization, the PSIRT SIG, is not officially a member of this foundation. They're welcome to contribute, just asking.

A: So, those of you that aren't aware, FIRST is the Forum of Incident Response and Security Teams. That's essentially all of the vendor security teams around the globe. This is not necessarily focused on open source, but potentially almost all these vendors have components of open source within the products they're selling, and I know historically they are very interested in how the open source works.

G: Thanks, I'm just wondering if this is more zeroed into the education working group, but indeed, what about developing some kind of hands-on lab slash content, right, that people can exercise the CVD guide that we put together?

A: That's interesting. We do have a facility within the Best Practices working group called SKF, the Security Knowledge Framework, and that is essentially hands-on labs focused on secure development activities, but training around aspects of the CVD guide is something we probably could set up in that environment. But what are your thoughts about something like that, Randall? Is that something you think SKF could do?

F: In fact, if you go into SKF and you just type in "hack OS", you will get a container with like a bunch of hacking tools that is running on the SKF platform. You could do anything; you could even watch videos without audio, but yeah, and you could run a bunch of stuff there too. So it should be possible.
H: Thanks, so I'm not sure if it's directly related to this, to the group, but I'll suggest it anyway. So I was thinking maybe something with promoting some kind of standards with regards to vulnerabilities in cloud environments, because historically, and from personal experience, just now we found a couple of vulnerabilities and reported them, and the disclosure process with one of the cloud vendors, it's not pleasurable, and sometimes they don't even issue, like, CVEs.

H: They just fix it under the hood and there's no documentation of what was wrong, for how long, what services were affected. At times users have to take, like, active action in order to actually not be susceptible to the vulnerability, and all they do is basically send out an email, so some people disregard it and remain vulnerable.

A: What are the group's thoughts on that? Is that something that falls within our mission and vision, something we would be interested in kind of collaborating on, trying to help influence that behavior?

G: So my thoughts around that were that when I heard Francis's thoughts about the tooling, I was thinking to myself, how can we avoid making those, like, platform-specific or tool-specific? Maybe first, indeed, what we should think about is how to standardize those and how to create like an interface for that before we actually make a tool for a specific platform, so I think maybe that's kind of related in a way.

A: Well, I can state with authority that several of the hyperscalers are members of the foundation and that there's potential ability to engage with them if we had...
A: Any additional alternate suggestions of things you might like to think about working on? And again, I will get this set up in an email where we can point people to the PRs to review them, put in comments and their thoughts, and then I'll also be sending out a note about the vote on meeting cadence and potential changes to how the call is run.

A: All right, folks, I thank you for your time and attention and your suggestions today. Look forward to some emails from me, and please comment in our git repo in the issues and PRs, so we can kind of gauge the direction we want to head. Thanks everybody, I hope the carbonara was delicious. It was very.

A: All right, and I would also suggest, it's coming up on, we're in the middle of conference proposal season. So if this group was interested in going out and evangelizing our work, this is a good time to start to put together some CFPs we might want to co-present, or individuals go out and present.

A: So if, for example, Jeff wanted to go present about the CVD guide but he was unsure and, you know, insecure about his ability, he might want some people to help him with his speech potentially, or help him with his proposal, so think about opportunities like that as well, for people that are able to write those types of things and present them, or just are generally willing to help provide feedback.

D: CCC, Chaos Computer Club, they're open currently.

A: I would like to try to get some non-standard conferences. Like, the foundation is going to RSA and Black Hat, that type of nonsense, but I would like to try to get to conferences where maintainers and developers and actual users of our materials will be. So please, please, please think up those kind of non-standard places; that would be great.

E: Yeah, I can keep an eye out for that, because at the Security Lab at GitHub, there's a whole arm of us that specifically goes out to conferences and does this sort of evangelizing, specifically at developer-focused conferences, so we have a long list of ones to keep an eye out for, so thankfully I have a lot of that information that I don't have to maintain myself.

A: All right, well, thank you everyone. I appreciate your time today. Look forward to some emails from me, and please express your thoughts in our repository, the PRs and issues that are created. So thanks all, we'll talk to you soon.