Okay, great. Well, thank you to all of the cameras back there. Thank you all for participating in this virtually. Thank you to those of you who are able to be here in the room. We just wrapped up a terrific summit, the second Open Source Software Security Summit, taking place here in Washington, DC. This was a follow-up to a meeting that was held virtually on January 13th, where a number of us came together along with folks at the National Security Council, ONCD and other government agencies to talk about the state of security in the open source landscape and really identify some key problems. Since that time, many of us in the OpenSSF community and beyond have worked together on a plan, a plan that we debuted today here at the event, along with our stakeholders from OpenSSF but also with a broader set of industry partners, open source community partners, and of course with our friends in the White House and in government. This plan is now available on the website. The details of it are there in the plan. It represents a collective effort against 10 different targets that we've identified as areas where meaningful work could actually be applied to make a substantial improvement in the state of open source security. They should be viewed as a first draft. In fact, I think we've labeled it version 0.9.1, but with some specific goals and some specific approaches to addressing those key problems. We will continue to work with the stakeholders here. Now that it's public, we'll also be looking for new participants in further development of that plan. It really, I think, represents a great flag in the ground, as we said, for further evolution of the state of security in open source software. We had at the meeting today, I believe, 80 different individuals from over 50 different organizations of all sorts, representing all sorts of different viewpoints and priorities.
So much that we were able to come together around, and meaningfully, I believe, come together in a consensus around the plan that we put together. We're also pleased to announce that a subset of organizations decided to make the first set of financial pledges towards the plan. Let me be clear: the plan called for about $150 million in spending over two years across those 10 different lines of effort. That's a meaningful amount. We realize that is an amount that, from some degrees, is much more than any one open source developer has, or even most open source projects. But when you compare it to the cost of remediating a major vulnerability out there, like we've seen in the last few years, it is a drop in the bucket, a very small ounce of prevention to spend to get many, many pounds of cure. Okay, and we are happy to announce today that we've got the first set of pledges towards that plan. We can announce $30 million in funding from a set of partners, to be allocated as time goes on across those streams as we refine the plans, as we converge on specific milestones and possible achievements, but these are pledges that are incredibly meaningful. Those pledges come from Amazon, Intel, VMware, Ericsson, Google and Microsoft. Thank you. That amount also includes $10 million from Amazon. So, we're incredibly thankful. I'm so nervous that I'm forgetting my own name, let alone a member, so apologies for that. And we will work with those, as well as many others out there that are learning of this plan, that we aim to collaborate with to refine each of those different elements of the plan and move forward on, so incredibly thankful to those partners. Yeah, I'm giving you my take on the day. I'm a little biased as kind of the ringmaster of the circus, but I really wanted to also open the door to the chairwoman of our board at the OpenSSF, Jamie Thomas.
Jamie, would you like to introduce yourself better than I could and then tell the world?

Thank you, Brian. I'm Jamie Thomas and I represent IBM at the OpenSSF, and I'm really pleased to be here. First of all, I'd like to thank Brian Behlendorf and Jim and all of the OpenSSF members, and of course the government, for their participation today. I think it was really a strong example of collaboration and what we can accomplish going forward. I'd really like to thank as well Deputy National Security Advisor Anne Neuberger and her staff for being here all day with us and contributing in a meaningful way. I think this exhibits our intent as an industry to really create an execution plan to make a big difference here in terms of cybersecurity going forward. Clearly, there's a lot of execution details that we have to work out, but I think it was a great step forward, and I truly just really want to commend the collaboration across all the participants today.

Great. Thank you, Jamie. And Sarah Novotny. Sarah represents Microsoft, and Sarah, you and Microsoft have been a tremendous partner for the OpenSSF. You helped with the January 13th meeting, helped in putting this together as well. Did you want to share a take on today's event?

I'd be happy to. So I'm Sarah Novotny and I lead open source strategy for Microsoft, and I am very happy to see what we've done here today. It's bringing together the community excitement with the constraints of industry and the constraints of government and finding a path to development through all of those things, and then to do that together. And even just finding the common language in that 50-page document that we pulled together as a starting point has been a huge amount of effort and has been worth all of the time that we spent on it. And we will see rewards from this in our industry, in our government, and in our collaborations going forward. We have as many companies as we do, more than 30 now, right?
Working on this, and we would welcome any others of you. I'm also very much looking forward to taking this plan that we've started, we've outlined and drafted, and getting more feedback on it and more people engaged with it to drive it across the whole industry.

Last comment, I want to just pass the mic to my boss, the executive director of the Linux Foundation. This has been a passion of yours for a few years now. Can you comment on the moment here and kind of what happened in the meeting, but putting that in the context of the last 20 years?

I've been working in the open source community for almost two decades, and in that period of time we've had multiple cases where a vulnerability in an open source component has posed, you know, dramatic risk to a broad set of society. You know, Heartbleed in 2014. Most recently, Log4j, you know, really put us all at risk, and we've all spent a lot of time remediating these things. In this period, we have systematically tried to get help to the hundreds of thousands of open source developers who are out there, and to the leaders who are responsible for critical components of the open source supply chain, to help improve the baseline of security. And today is one of the first times I've seen an actionable plan with concrete goals, but most importantly, an industry will to offer that help in a meaningful way. And we're in the first five minutes of a long game. The urgency here could not be greater: adversaries are getting more sophisticated, supply chain attacks are happening more often, and cyber conflict is escalating around the globe. But I just couldn't be prouder of the work that Brian and the team have done, but also just, at every level in the organizations that have convened here, a serious commitment to bring help to all of the developers globally who write the code that makes up 80 to 90% of all the technology and services most of us rely upon every day. It is a serious milestone.
Having the Biden administration's Deputy National Security Advisor Neuberger helping with this, you know, working in coordination with the public sector and this great private coalition, is just incredibly gratifying for someone who's been in this world for quite some time.

So we are still working on the readout document from this that'll include quotes from many of the participants. We're actually scrambling to collect those in real time between the end of that meeting and the beginning of this. We will get that to you very soon. We're just closing up the loop on many of those. We'll get that out, but also as a press release over the next few hours. So, we know there's some gaps perhaps before we get that out, but again, really, we're excited to have hosted this meeting, excited to hold this community together. I'm very thrilled by the validation that has come from the series of pledges, but beyond that, we know that the industry and the public sector are really coming together to address this. In fact, it's really nice to see this complement the hearing that the House Committee on Science and Technology hosted, focusing exactly on this topic, on open source software security, and to see the enthusiasm amongst the policymakers for asking what can we do to help, what are the investments we can make to be that ounce of prevention. It was really gratifying. As I mentioned to the room, 2009 me, when I came here first to work at the White House in the Office of Science and Technology Policy, talking about open source software as a public good, that person's brain is blown by just how far the conversation has advanced here in DC. And I'll end with: we are eager to engage beyond the United States as well.
We're looking forward to conversations with other public sector actors around the world about how to align efforts, how to build upon each other's work, and how to really treat open source software as the global phenomenon it is. We're really eager to work with everybody who finds resonance with the plan. So I think with that, I'm looking at my staff to see: are there any other messages that I forgot, anything worth getting out? And I do not have a mouse to be able to see what the questions are. Is there a way? Okay, why don't we start with this. Let's start with the first one. Sean Kerner asked the question: what was the biggest surprise for you, Brian, in the hearings yesterday?

Well, as I mentioned, the fact that the opening statements from the committee members showed that they and their staffs have actually recognized both the role that open source plays in critical infrastructure, and the opportunity to turn some modest investments into outsized returns in the form of reduced risk. What was great is that allowed me to cut my oral testimony in half and actually fit it into the five-minute window, because they said what I usually feel like I have to say in making that case. I think there was also the funny moment when I mentioned I'd rather use open source software that had bugs that were found and fixed than one that hadn't. And one of the committee members asked, did I hear you right, would you really rather use software with more holes? And I said, found and fixed, because that represents not only software that's being used but also software that's being addressed. So that is actually valuable enough that people are fixing it, and a process that is mature enough to get those fixes out there to the world. But let me turn to the other members here. Was there anything, reflecting on the testimony yesterday, and maybe the themes of today? I don't know if you had a chance to see.

I haven't been able to watch the testimony yet. Not a problem.
But really, you know, many of the themes came up of where to invest: in education, in scanning of code, at the distribution points, and third-party audits. And what I would say about today is just the unfettered participation, if you will. I think everyone felt very comfortable in stating their concerns or their recommendations from their point of view. And I think those unique points of view will help us fine-tune the execution plan and be much more effective. So I think that was very good. Very good to see.

Thank you. Sorry to interrupt, Brian. Let's just give a little announcement because we have some virtual viewers here today. Great. So first of all, thank you everyone for joining us here today. We've got some journalists and members of the press attending virtually and some people here in person, and we'd love to field all your questions. So first of all, to the people attending virtually over Zoom, please submit your questions through the live Q&A function. We're going to go through them, we're going to promote you to a panelist and give you an opportunity to ask them. We're going to give you some time to submit those questions. And we'd like to start by fielding questions from people in the room. Would anybody here like to ask a question to the panelists?

You feel like you've come away, you know, with just a broad document, lots in it. Is there one thing that is the most important strategy for changing or making, you know, open source more secure? I mean, what is the news, I guess; what do you consider the newsiest aspect?

Well, it was interesting to me how often in our conversation today, as we were talking about one stream, it came up that this actually would benefit from, or even depend upon, success with the other stream. This is really a portfolio approach. Yeah, in some ways you're asking me to pick which of my children are my favorites.
So, I apologize for that, but it really requires a cohesive effort, because there's not one root cause or one root. I'm trying to address them all, and industry recognizes that, and I think the public sector partners recognize that as well. It was nice, on the one-year anniversary of White House Executive Order 14028, to have a fair bit of our conversation be about software bill of materials and making that meaningfully adopted. What does it take to actually not just come up with a good spec, but get it used by the open source community? I think that's been a large part of our work together. And it was great to see even just the interest in that and reflection of that.

Yeah, I mean, I think the big news is, similarly, a year after the executive order on cybersecurity, we're here now with an actionable plan, and what I find most compelling is just the industry will. You know, folks from Google saying we have people that we're going to put on this to go and fix vulnerabilities; you know, folks like Amazon committing financial resources against this plan. Many of the folks in this room also committing, you know, both the expertise, which in many cases around cybersecurity matters only really resides in industry, but also financial commitments as well. We've never seen that amount of unified will to significantly raise the security baseline for us collectively, and I think that's just an incredible accomplishment. You know, only six months after, you know, we all suffered from a major open source vulnerability, the White House and, you know, Anne Neuberger brought us here. And now we really have a plan that is already being taken into action, but now has significant additional resources to carry it forward in a meaningful way. That's a big milestone.

That's something, if you'll give me a chance, Jamie.
I think that the big news for us is that we are looking at this from multiple different perspectives, and while we have 10 streams, we don't have to pick a favorite child, because industry needs some things done, government needs others, and we're going to work on funding all of it in some balance.

Yeah, the only thing I would add is I think this really ensures that we all understand the importance of open source, how productive it's allowed us to be, and our obligation to consider the implications of using it, right? So I think that was a fundamental understanding out of the first two meetings: that open source has allowed us all to be productive, but we have an important understanding in making sure it is secure, and that all of our downstream clients get the benefits of that security. So, I can't agree more with the comments from Brian and others that these things kind of all come together to ensure this open source community can be effective going forward and that it can be secure at the same time.

Great, thank you. Any other questions from people in the room? Great, well, we'll move on to our virtual participants. There's a question from Eric Geller on the screen on the right. So, Eric Geller, we're going to promote you to panelist so that you can ask your question, if that's possible, or I could just read this question.

Hey everyone. Thanks. Appreciate you taking my question. What is the timeline for allocating this initial $30 million? Has any of it been earmarked for any specific purpose, or is it all up for grabs? And did any of the other companies say that they might be able to make additional pledges in the near term?

Um, the best way to think of it, I think, is as a venture capital fund, right, where here's a set of 10 investment-worthy targets, streams. Each one of them has a business plan.
Each one of them will have to justify the investment. That $30 million in pledges represents a fund that will spool out, we expect, over the course of a couple of years, but it's the beginnings, really, of what hopefully will be a larger fund to cover the $150 million that we identified. Now, you know, as the plans evolve, as we find ways to save money, as we adjust the targets to the available funding, we'll right-size it to the opportunity. But this is by no means the final funding; this is the first down payment, think of it that way, or the first tranche of investments into the fund. So it's really going to, though, be up to the funders, as we work through the plans, to say this stream is good, this one is now ready, let's lean into this and push it forward, and some of these activities have already begun.

Yeah, I think it's also important to understand where money helps and where also time and expertise help from the organizations that are represented in the room today. You know, for example, just doing an audit, a third-party audit of critical open source code bases, is something where you need financial resources to pay an audit firm to do that. Once you find problems, you also need assistance from expertise and developers who are very sophisticated to go actually fix those problems. In some cases that will come from organizations who have that expertise in house, that are allowing their employees to spend time remediating these vulnerabilities that are found in the audits. So what you'll see is a blend of both financial resources but then hands-on assistance from subject matter experts, and it's the combination of those two things that makes for the highest impact in the shortest period of time.
Yeah, I can't agree more, Jim. I mean, I like this VC analogy, I think it's a great ongoing VC fund, but it is an obligation of all of us who have these skills to make sure that we're contributing individuals and their expertise to the open source community, open source projects, and Sarah had a great comment in the meeting that I'll just give her credit for, which is that we all have to recognize those individuals in our enterprises for their contributions to open source. And so I do think that's an obligation that we have to take on, because that's how we encourage them to do this and not just, quote, volunteer their evenings for this, but make it a part of their day job.

And I'll add, before we move on to the next question, we internally polled our membership at OpenSSF, the leaders in the community, and asked how much money are you spending today on securing open source software. I don't mean by giving away your product for free; I mean actually sitting down and doing some of the kinds of hard work we talked about here, being a part of existing OpenSSF efforts or efforts across other parts of the open source landscape. And even just with a few responses to that, we quickly came up above $100 million in direct spend and almost 100 full-time engineers. And so this is an industry that's taking this quite seriously already; this funding and the resources that might come from it are additive to that effort. And then also we're very eager to open the door beyond OpenSSF participants and look for other sources of funding to help complement this initial tranche. I think we're ready for the next question.

Thank you. Sean has asked us to read his question out. Okay. How are the targets in the new plan different from some of the problems the Linux Foundation's Core Infrastructure Initiative (CII) tried to solve years ago after Heartbleed?

I mean, I can.
So I started the Core Infrastructure Initiative after Heartbleed, essentially to get direct financial support to the maintainers of OpenSSL who at the time, really, you know, were doing this as a very, very small group of developers in a very highly specialized area of cryptography. And that was a case where just supporting a small set of individuals to do some work on critical projects that they really had a unique understanding of was helpful in the short run. It became very clear to us, and what this work builds upon, is that that alone is just not sufficient: that you have to provide a set of resources that include training of developers about how to write secure code in the first place, tools that allow them to do better testing, you know, a better DevSecOps, you know, set of tools so that they can release code securely. And then the complexity of the overall software supply chain was not as difficult as it is to manage today. The explosion between 2014 and 2022 of small reusable components that have become the building block of modern software, and that are distributed through different package management systems, has created a level of complexity that's extremely difficult. This plan is very comprehensive: direct support for developers, seconding engineers to solve problems, providing audit of code bases so that we can find vulnerabilities from a third set of eyes, going to the, you know, sort of friction points in the supply chain where packages could use additional security, both tools, time and resources to improve just the ability to do package signing on distribution of software components, etc., etc. That is what is very different here; this is far more comprehensive. And the final thing I would say, which I said originally, is it's bought into at a far more senior level from government and from industry than at any time in the history of open source. This threat is immediate. It is complex. And people here are taking it very, very seriously. Thank you.
The next question is from James Rundle at the Wall Street Journal. James, you want to unmute yourself?

Yeah, hey, good afternoon everyone. Thank you for doing this, really appreciate it. So just noting that there's been a pretty significant commitment from the private sector, and also taking on board what Jamie said earlier about Anne Neuberger spending a lot of time with you guys today, and her team: what support will the US government provide for implementing this plan moving forward? Have you any commitments from them in terms of skills and expertise, in terms of maybe leveraging their procurement power? I know there's been talk about that in the past.

Good, yeah. So, yeah, so there is no part of that fundraising dollar amount that comes from the US government or any others, and I just want to be clear we were not here to fundraise from the government. We are aware of interesting winds on Capitol Hill around investment in this space; we're hoping that they and the administration can understand what we're doing, the types of targets that we've chosen and what we think is required to hit those, and that may serve to inspire certain actions or the like. We do hope to make sure that what we do is additive to existing efforts. There's been an entire interagency effort inside the White House, across ONCD, OMB and NIST and others, around complementary efforts focused on SBOMs and other parts of the supply chain. Part of that was a conversation today about ways that we can be supportive of each other's work. We did not, in this plan, anticipate needing to go directly to government to get funding for any of it to be successful, nor is it a part of the $30 million number. But we're all very hopeful this is a plan that benefits everybody, you know, and government is a major user of open source software, and it's starting to create open source software and distribute that as well.
Yeah, so we think we have a lot of alignment in terms of interest, and we're going to see the public sector get involved in elements of the plan.

Yeah, I would agree with that. I think one of the highest value things that, you know, Anne Neuberger brought to the table is the convening function and leadership that's required. So I think, in the meeting we talked about, you know, you can't go fire hundreds of thousands of developers if they don't write secure code. It requires leadership, it requires someone to convene and to help us create a culture of security in the open source software supply chain, and the White House is definitely, you know, demonstrating that kind of leadership. The other thing that's important is there are already things going on in the government around cybersecurity that we want to make sure we align with in order to, one, get faster time to benefit and, two, reduce duplicative effort. And then finally, I'll just repeat again: a lot of the expertise around cybersecurity, for this particular aspect of it, resides in the private sector, and the private sector is stepping up in partnership with government to provide that expertise in a meaningful way. So just that public-private partnership and coordination is critical to getting the quickest time to impact from this particular effort.

Okay, thanks. Thanks, James. The next question is from Kyle Alspach from Protocol.

Yes, hello, thank you. Just wondering if you could say a little more on SBOMs. You know, how does this advance SBOMs? What new things does this do for that effort? Thank you.

All right, well, you know, it is, as I mentioned, the one-year anniversary of Executive Order 14028, which really identified software bill of materials as a key enabling technology to provide greater traceability to software, open source or not, in supply chains and in hosted software and that sort of thing. So coming up with a specification, coming up with a file format, isn't enough.
You need to get this technology adopted, and you can create demand for it through things like procurement, which is what the executive order called for. But if it's at the tail end of the supply chain, then certain folks are going to hold it and make that a competitive advantage. What I believe needs to happen in the open source space is to have all that SBOM activity, the traceability, the generation of these bills of material as they flow through, move as far upstream as they can, right, to get open source developers who operate at the library level, component level, you know, way at the beginning of that chain, to understand the value of it, to be interested enough to lift a finger to integrate it into their build systems. They'll only do that if it's easy. They'll only do that if it's a part of the tooling that they use, right, if it helps them get their code to more people, right. So the plan that we put forward calls for investment into libraries and the technology that make adoption easier, that go to key open source projects and embed it into their build systems, that builds a reusable library focused on a certain approach but one that we believe is compatible with the major different structures out there, and builds bridges between many of the different distribution systems that are out there today and artifact inventory kinds of systems. So that's the key part of this stream. It's very nerdy. It made some hard technical choices. All these streams are very nerdy, I apologize for that, but it made some hard choices that are about making sure, for the money we can spend, and really in the best of open source, it's about building these components that then we hope get reused and enable a lot of other change across the entirety of the software supply chain.

Can I add one thing? So one of the other things that is critical in this SBOM work.
I'm going to make the case that this is a request from industry and enterprises for this to meet a government specification. A lot of our open source developers are accidentally famous. So we really need to make this SBOM generation super simple so that it is not putting toil upon the open source developers that we already depend on so much, and get much leverage for the amount that we spend contributing to open source as enterprises. So we very much need to make sure that this is not putting additional toil on those open source developers, and that we are bringing our industry weight to help and make it simple by using those choke points, wrong word, but those aggregation points, key points of leverage.

So one thing as well: not creating more toil for open source developers is a key part of the plan across the different streams. Yeah, the easiest way to think about it is to understand how software flows. It comes from a developer's mind to a version control system to a package manager to a build system to a consumer. That's the simplified view of the world; there's certainly a much more complex way to think about it. Another thing is to build software at every one of those points that automates the liquidity of software bill of materials metadata, so that it seamlessly flows. The outcome here, if we can build this software, will be a high degree of software bill of materials liquidity in data across the entire supply chain. That is the end goal we're looking for.

I'd just add, and I think, Jim, you make a really important point: number one action on the list today was education, but in fact we'll probably never educate everyone fully on the topic of security because it evolves every day. So automation, and the instantiation of automation through things like this, is actually critical in codifying the education for the open source communities and those that consume open source.

We have a question from John Greig at The Record.
Are there any Log4j issues on the horizon? What projects are key to software that are of concern?

Well, we published a report with Harvard called Census II, which took a look basically systematically across all open source software and tried to identify pieces that are most critical, pieces that the most other pieces of software depend upon and play perhaps a hidden role, that maybe don't get the light of day that they should in terms of attention to their software quality or to the other kinds of processes that could lend themselves to greater security. So I'd draw his attention to that as a way to kind of try to understand where the potential risks are, and we certainly believe that's been useful to certain organizations to help bolster their defenses by trying to identify these packages. The second thing to say is, you know, none of us have omniscience and can tell you where the next Log4j will come from, except that, you know, there are vulnerabilities found every day. And even just in the Linux kernel, I think every week there's a release that addresses a couple of things, and an important point here is software will never be perfect. You know, the only software that doesn't have any bugs in it is the software with no users. And so what's important is: how do you find them before the bad actors, how do you get them fixed as quickly as possible, and then how do you get that fix permeated out there into the rest of the world? And I think if you do that systematically, you can build resiliency and a response capacity for whenever the next major vulnerability hits.

And I think that's an interesting point, in that earlier in the day you said you were surprised by so many different pieces of software that said they weren't vulnerable to the Log4j issue, because they had not even upgraded to the version that was at risk, for clarity.
Yeah, Log4j 2.x was the one that had the vulnerability. Log4j 1.x, which had been out of support for five years and had lots of unknown vulnerabilities, and many organizations said we're not vulnerable. We're an open source project, by the way, not to get anybody off the hook here. And what it brought out was, we simply are not good, even within the open source community, about updating our dependencies and clearing out technical debt. And this is something that we believe many of these streams will help address. This is exactly it: the proliferation of the fix is another whole problem. Yeah, exactly. Thank you. We have a question from David Jones at Cybersecurity Dive. David, would you like to ask your question? Okay, we'll read your question, David. What is being done to make sure the open source community is properly compensated over the long term, beyond these initial investments? I guess that, you know, for a lot of large scale open source projects such as the Linux kernel, projects like Kubernetes and others, you have a pretty robust economy of, in many cases, professional developers who work on those projects because so many organizations use them for their fundamental products and services, so those companies invest in the upstream open source project and you have sort of a virtuous cycle of investment in those larger scale, well supported open source projects. Where things break down is the intersection of critical to society, and often ignored and underfunded. In those cases, unlike the consistent pattern of a sort of virtuous cycle of goodness in the big projects, those individual projects tend to be very Tolstoy-esque; they are each sort of uniquely unhappy in their own ways. It could be that there are people looking at it, but they just are missing certain security variables.
It could be that there's a key maintainer that just suddenly becomes famous because that code is so popular and everyone's asking them for feature improvements and bug fixes. And, you know, this isn't even their day job and they need to be compensated. There are ways to fix this by better aligning incentives with open source developers. One: some research that we've done shows that individuals would love to get more time from their employers to work on those critical open source projects. Understanding what those projects are in terms of criticality and then working with employers to give them more time to do that work as a maintainer certainly is something that we can do. Then there is just direct funding to developers who need that help in order to continue to maintain these critical projects. Those are things that we should look at. The point is, there's no single solution. Much of the research that we've done also shows that many of the developers that are working on these projects do it for recognition, for being a part of something bigger than themselves. And again, that's where an employer who is working with those individuals should recognize them, to Sarah's point, and provide them time in their regular day job to go work on those things. So it's a complex set of financial decisions to make sure that we align incentives correctly. Money is one of them, but it's certainly by no means the only thing. Yeah, I think we also learned from Log4j, which has been out there for about 21 years, that often our developers gravitate towards the newer, most glamorous open source projects, but we still have an obligation to serve those most used projects, which will be more like Log4j. So one of the things I know that we're all assessing is our most used projects; we've certainly done that in the case of IBM and committed more resources to those most used projects, which means we have to recognize those developers, as Jim has stated.
Thank you everybody for asking your questions so far; we've exhausted all the questions from our virtual reporters. Are there any last questions in the room before we close off? No. All right, well, I'll leave it to the panel. Thank you everybody. Thank you. Thank you. Thanks everybody.