2025 Q3 Securing Critical Projects WG TAC update #505
Conversation
Signed-off-by: Jeff Mendoza <[email protected]>
marcelamelara
added
the
TI Update
There was a problem hiding this comment.
Thanks @jeffmendoza ! I've got a couple clarifying questions.
|
|
||
| ### Up Next | ||
|
|
||
| - Critical Open Source Software Managed Audit Program |
There was a problem hiding this comment.
What do you imagine the role of the SCP WG in this program?
There was a problem hiding this comment.
I think this is the same question, but is this a partnership with OSTIF? Or is this a potential future OpenSSF TI Managed Audit SIG inside of SCP WG?
There was a problem hiding this comment.
@jeffmendoza @Amir-Montazery Can you please update this point with a quick summary of our discussion at the 7/22 TAC meeting.
|
|
||
| ### Up Next | ||
|
|
||
| - Now that we have a good idea of critical projects, OSTIF is proposing a Managed Audit Program to go out and do the following to projects identified as critical: |
There was a problem hiding this comment.
Interesting! Where would the funding come from for this work? I know the OpenSSF TI funding has been used for security audits of OpenSSF TIs (which makes sense), but I don't think we'd use TI funding for auditing external projects (or if we did, due to the budget it wouldn't be more than a few per year)? Maybe this would be more in Alpha Omega's wheelhouse?
There was a problem hiding this comment.
In my opinion this has been an issue for a long time: where does this WG stop and where does A.O. start?
|
|
||
| ### Up Next | ||
|
|
||
| - Critical Open Source Software Managed Audit Program |
There was a problem hiding this comment.
I think this is the same question, but is this a partnership with OSTIF? Or is this a potential future OpenSSF TI Managed Audit SIG inside of SCP WG?
There was a problem hiding this comment.
@jeffmendoza — Looks great. I have the same questions as Marcela and Zach!
Quota elaboration. Signed-off-by: Jeff Mendoza <[email protected]>
No description provided.