Hi, Matthew. Brandon. Hey, Sarah. Hey, Matthew. I'm just wondering if my audio wasn't working. Yeah, it's all good. By the way, so the folks from SPIFFE/SPIRE had a last-minute emergency. Oh, no. I was so excited about today. I know. I reviewed the document ahead of time. I was like, I'm doing my homework. Yeah. So it looks like... Do we have a date that we're pushing that back to? I just sent them a message in the channel. Yeah, we might. Yeah, we might kind of take today, a little bit of time, if we want to just shift your working session. Yeah. I put the Cloud Custodian stuff in. Yeah. And I think Emily was going to talk a bit about the Day Zero event. In general, it might be good to talk about security assessment. We should make sure that's up to date. I don't know if Justin's going to be here, but we could certainly... I think we've got, you know, a few people who can probably tell where things are at. Yeah. And I think there are some things, kind of suggestions, that I had, and I think Emily also had some ideas around improving the security assessment process. And, well, we're almost through our first five. Yeah. Because our process, our guidance, is to write things down and collectively make changes afterwards, but we can tweak things in the middle too. It's not hard and fast. All right. I'll paste the link for the SIG Security meeting Google Doc in the chat. Let's just wait a little bit. Hey, Cameron. All right, it looks like we have quite a few people already in the call. So let's start off with check-ins. And thanks to you both, and Ash, for volunteering to scribe this meeting. So just a quick update before it gets started. I know initially this was supposed to be the SPIFFE/SPIRE assessment meeting. Unfortunately, there was a last-minute emergency and the folks didn't make it. So we're going to push that back, probably to next week, tentatively. But we'll figure out the date.
And then post it in the group. All right. So let's do check-ins. Kapil, do you have any updates? We can't hear you if you're talking. All right, let's get back to that later. All right, it's updated in the meeting notes. Justin Cappos. Yeah. So I have a couple of quick things. So first of all, thanks for putting together the landscape mockup draft thing. I'd love to talk with you a little bit more about that afterwards. We can find some time to do that, but my major update this week is there's stuff starting to happen quite a bit with the Notary v2 effort. And so I've started to really dive in. We just had the official PEP, which is like the standards process for the Python community, on TUF accepted. And so we've really shifted over and started to work with the Notary folks. And people who are in this group that, you know, have spent time thinking about security issues and operational issues with the cloud, you might also want to pay attention to some of those meetings and things because they're struggling with... There are some people there that are struggling, I think, or could benefit from, like, more effort paid to threat modeling. And so there's a few of us that are stepping in and starting to try to help them to add that into the process now. So, one other... Sorry, go ahead. No, there's just a question for you. Is the PEP aligned to the PyPI TUF integration? Yep. This is PEP 458, which is the integration of TUF into PyPI. I thought they had done that with some contractors. They put out a call for funding on it with some sponsored dollars. Is that part of the...? Yeah. So what has basically happened is that the contractors, before they were going to start work, they wanted the standards process to be officially approved. And it was
through a period where it seemed like people just kept coming out of the woodwork and asking weird questions at the 11th hour. But that period died down and then they said, okay, this is accepted. So that officially just happened and the work is probably going on right now. So, and we're, you know, we've been in communication. I personally haven't, but people from my group have been in communication with the Trail of Bits folks that are doing the effort. Yeah, one other thing I wanted to mention is, from a security assessment standpoint, we are looking for someone who might be willing to lead the assessment for Cloud Custodian. This was something that originally Justin Cormack was going to do, but due to the TOC efforts it's something that's not really viable. When he stepped down, I was thinking that I might step over and take it even though I've already done one of the assessments, just because we had a hard time getting someone. But now with the Notary v2 stuff kind of spinning up, I feel like I don't have the bandwidth, but would love to have someone else perhaps come in and help with that. And I'll post a link to the assessment here in a moment, in the end. Yeah, we have an agenda item for that, RJ. Oh, okay, sorry about that. Cool. So by the way, just while we're on the Notary v2 stuff, I remember for the original Notary v1 there was a pretty nice threat model document. I guess, Justin Cormack, how was that done? Was that from Docker or was that external? I think the one you might be talking about is the TUF threat modeling, but if Justin is on, he can chime in and correct me. He's on. Is that correct, or I don't know, Justin? I'm not sure which one you're referring to, but probably there was... Yeah, I don't know which one you're referring to, so I'm not sure. I think it's our patience, this, if my Zoom can actually work. Yeah, I think maybe if we have extra time, we can talk about that in one of the topics later on. Let's continue with the check-ins for now.
Sarah? So I wanted to give a TOC update. Our own Justin Cormack is now our TOC liaison, yay. Yay, hello. Maybe you can turn your camera on if it's available for a second so that people can see you. Hi, Justin. Justin's walking around. Yeah. So for those of you who don't know, Joe Beda and Liz Rice have been our TOC liaisons for the past half year or so that we've been an official SIG, and Joe's time on the TOC has passed and we have a new round of TOC people, and Liz remains on the TOC. They have like kind of an every-other-year thing, so Liz will be continuing and Justin rounds out our TOC liaison team of two. And then I linked in the notes the... we have nominated tech leads. We had a little freeze while the TOC was having its elections, but I'm excited that Emily Fox and Brandon Lum and Justin Cappos have all agreed to be nominated and continue their leadership roles in this SIG in a very official manner, pending the actual vote. So far, the people who voted have approved, you know, we're optimistic. We'll see. Feel free to plus-one non-binding on the thread or chime in if there's dissent. We're kind of making up the process as we go. So we kind of pulled from people who were actively involved, and those of you who are new, or even those of you who've been around for a bit: definitely our spirit, as we have attempted to encode in the governance, is that people step up and start doing things that need doing, that either overlap their skills or are in an area where they would like to develop skills and knowledge. So we welcome anybody; we have a lot of roles to fill that are very, very important. And I look forward to seeing, in our new adventure, exactly what a tech lead of SIG Security is. All right, thank you, Sarah. You're welcome. All right, Mark. Mark, I'll do it. Hey guys, nothing for me. I was trying to look up the reference.
NIST had an invited presentation from a project that's starting up to do image sharing for electron microscopy, building some big data APIs, and it introduces some interesting security problems around containerized objects like that. So, but I don't have the slide deck yet, but I'll share it with this group because it's a great family of use cases and it's intended to be public, mainly for NIH and folks like that. But we often don't get that close to reality with some of the examples we wrestle with. So it's a good one. I'll try to get that and share it with the group. Is this from part of the NIST Big Data Working Group? Yes, it was an invited presentation from the NIST leader there, but I think the project probably will unfold separately because the lead folks are mainly in biomedicine. It's sort of interesting to note that I think a lot of the stuff that goes on is deep in the disciplines, right? It's not in the horizontal working area that this group has to wrestle in. So I've got... Sounds good. Yeah, I guess if you think that the presentation would be good to present here, maybe we could have that as well. Yeah, there's a bit of hand-waving by the lead there who says, oh yeah, we're gonna do security on the containers. That's about as far as it goes. All right, all right, thank you, Mark. Sure. Okay, Amy has updates in the meeting notes. Justin Cormack, do you want to... I think everyone's already given my updates, actually. So yeah, so yeah, I've been working on the Notary v2 stuff and the TOC stuff. Just as I've been, if anyone, I'm around here in SF this week and next week, if anyone happens to want to meet up. You're at what? I'm in SF for a bit, if you want to have coffee. We actually were talking about having an SF meetup because there are other people in SF that... Yeah, there's RSA. I only see it at KubeCon. Yeah. Maybe we can rabble-rouse on Slack. All right, I think that's it for check-ins. And we can talk about... Let's see, let's go ahead. Okay, TOC updates done.
Security assessment queue. Sarah, do you want to take this? Unless Justin Cappos is here, I'll project. Justin Cappos says he's here, but feel free. Go ahead. Maybe you can talk about what's in the queue while I figure out how to share my video. Yeah, so what we have in terms of the queue is we have SPIFFE/SPIRE in progress. We have Falco, Dragonfly, and Cloud Custodian that are all basically fairly early on in the process. In some cases, we're waiting on things kind of internally, like things to settle out and get it together. It looks like we're waiting for chairs to sign off on Falco, which is something that's easy to do. Like, frankly, I could just click the button now, or Sarah or Dan or somebody else could do that. And then we're waiting also in part for self-assessment documents. Well, I think Cloud Custodian actually has its self-assessment. Is that correct? I didn't see that checked when I looked before. I might have missed it. I'm sorry, what was the question? There's a document there. We can go check the thing. I mean, we're still revising it, but part of this would be good to get feedback from the reviewers, but yes. So, yeah, so maybe we could get into the, I've been calling it the naive question phase, for lack of a better word, because we have to fix our template to be not so inappropriate. I thought I owned that phase. Just kidding. Anyone is eligible to take that. So I'm gonna uncheck the "needs self-assessment". Yeah, we do want them to feel like they have a complete document they're ready for us to look at for that, because there are templates and things. It's intended that whoever the lead security reviewer is, who we don't have at this stage, is gonna look at this in detail with them, and we don't sort of want this to be like an initial unthought rough draft that's partially finished. We want this to be like a document they think is good and complete. So is that, maybe I misunderstood.
I was thinking that that is what happens during the naive question phase, or are you saying that you think the document is... I haven't looked at the document yet. So I haven't seen the document either, but my sense from what was just said is that the document isn't complete and rounded out and something that the team there feels is ready. And the point is that, I mean, it's okay to ask questions. If it's like, I'm not sure exactly what to do here, can you give me some more guidance? Like I said, we did these other things, but what we don't... like the idea is that the team would go and actually produce a real viable first draft of the document they think is good. And then the lead security reviewer goes over it, not that they sort of jot down some notes on a napkin and then hand it over to the lead security reviewer to help them figure it out. Okay, yeah, okay. So thanks for articulating that. So I guess, do we have somebody from Cloud Custodian actually here? Hi, yeah, this is John Mark Walker from Capital One, and I think Kapil, the project lead, is here. So maybe you can speak to where your self-assessment is in the process and we can figure out whether it should have the needs label on, which phase we should be in. I mean, Kapil, you wanna? I think, so we've, I mean, mostly we've been cutting content versus adding more content, to be honest. I think we're at a phase where it would be nice to actually talk to someone who's reviewing to get a sense of things. Cause I mean, we added a lot of content. We would slowly have been like, oh, we don't need the STRIDE scale on this classification of threat models. And like, so now we're just trying to trim it down. But I mean, we're at a point where, yes, it would be great to talk to somebody who's actually looked at the document and can give us feedback. Yeah, if you're at a trimming phase, that's totally fine. I think it's great for you to ask us for feedback.
And I don't know if any of the reviewers wants to volunteer to take that first look. Sure, I will do that. Okay, awesome. Thank you, Robert. Who is that who spoke up? I wanna thank them. So that was Robert who agreed to, cause I had chimed in while we're coordinating our reviewer, right, to ask for somebody on the team to just start that initial process so that we give you timely feedback. And so then I'm gonna say. Thank you. Thank you. Right, and hopefully then we can get that moving a little further along and get the process really sort of to the next step, which is to have a document that you and Robert feel comfortable that we'll all be able to read and make good sense of, which sometimes, just having somebody outside the community read it, who doesn't understand a lot of the context, is fantastically helpful. There's like, I don't know how to, I have a hard time explaining this to my students sometimes, but having somebody who doesn't know what you know read your document is often just invaluable, because you can look at it as much as you want, but you don't understand what things you think are clear that someone else won't. So once that's finished, then I think we'll be pretty ready to move on and I'll start to dive in and ask questions. Okay. So in terms of the lead security reviewer, I looked up and we had said that we wanted to have, aside from the very early bootstrapping process, somebody who'd reviewed a project be the lead, and we have a short list of potential leads here. And so since Cameron has agreed to help and shadow someone, I'll volunteer to be lead in terms of helping to orchestrate the process with a helper, cause I'm a little crazy busy. And what I'd love to do is say, okay, we won't formally kick off the process till next week, give me a chance to meet with Cameron and kind of figure out how to streamline it a bit.
And then I'd like to test to see if we can do this; we have like a three-week goal of, can we execute this in three weeks? And so I wanna not start until we feel like, okay, well, we've got a plan, and then ask everybody, so are the next three weeks clear for people to dive in? Cause I think that the more that we can get these to be a chunk of focused work after the initial self-assessment and then getting the team together, I think that'll help us; it'll be good for the projects, it'll be good for us. And I like having that goal, but we have to measure the time and actually be like, is it working? We're still tweaking the process a little bit to make it efficient, as you've witnessed. So just a question about the review process: once a lead reviewer is engaged and we're moving forward, how does that actually work in practice? Do you review the self-assessment? Do you have a meeting? Do you just check in online? Like, yes, we approve. How does that actually work out? Well, I can just speak to that. Okay, go ahead, Justin. Sorry, what is basically happening is the lead reviewer is doing an initial kind of pass to see if they think the rest of us reviewers are gonna be able to read this and understand what's going on, so that you're not kind of flooded with weird clarifying questions from everywhere. And the point is that when the rest of us try to do it, then we hopefully will be able to understand everything we need to know about the system and we'll be able to ask more technical questions. But this is a chance to sort of make you have to define what is a widget? If you talk about widgets throughout your document, what the heck is a widget? Who uses it and how's it defined? And when you say the word crypto, what do you actually mean by crypto? Is this AES? Are you, you know, like what are you?
It's just sort of getting the document into a state where the rest of us can actually do meaningful security diligence. Okay. So yeah, we actually didn't update... We should, I don't know, Justin, the naive question process didn't get inserted in our process guide here. Okay. So the naive questions, guys, that should happen in the Slack and the Google documents, is that correct? Yeah, we've done a mix of that at different times, but I think we're open to whatever, or at least I don't want to speak for Sarah because she'll be doing it, but I'm sure she and you can figure out whatever works well. Yeah. And basically what we did, what I did with in-toto, and to some degree with OPA, because that's when we sort of were like, oh, wait a second, we really need this naive question phase, because I knew OPA, so I was able to ask a bunch of questions that were like, oh, nobody should read this yet because it doesn't have this information that they thought was assumed. So basically, when we've done this before, Slack and the Google Doc were more than sufficient and people were responsive and we went back and forth, but part of that was Santiago was in our weekly meetings a lot and the OPA people had been very involved in SIG Security. So it could be that with a new group it'll be like, oh, this is really confusing. Let's just get on a hangout and talk about it because I don't know what you're talking about, right? I mean, I actually know Cloud Custodian, or know of it, I should say, before this. So I think I have a grasp of what it's supposed to do, but that's where I think we do the... other than the official presentation, everything else, like live meetings, is ad hoc. And so far, I mean, I think that Robert, you did a kickoff meeting with Falco. Yeah, we used this Zoom for the kickoff call for Falco. So I guess it's technically recorded somewhere.
So yeah, so it might be that when I sync up with Cameron it'll be like, well, it would really help to have a kickoff meeting because we're gonna try to coordinate better, or maybe we'll just do it by Slack. Yeah, for SPIFFE and SPIRE, we mostly did it by Slack and on the Google Doc. And then, I think a week into it, we kind of just had a short, like 45-minute, call to clarify and talk about the more complex items. Yeah, and I also found that in the final assessment, there were some things that, like, I ended up having a meeting with Santiago to be like, well, I kind of think you should be doing this, but what do you mean by that? And to sort of finalize our recommendations in a way that we, I think, aspire to have be things that the project embraces and thinks are great things, while we reserve the right to make recommendations that are independent. We certainly want to give the project the chance to be like, wait, we already do that, or whatever, or like, no, that's a bad idea. So that last phase ended up having a meeting too when I did it with in-toto. All right, so okay, that gives me a good idea. For the self-assessment, we kind of got to the point where we're going back and forth on a few things, and so it would just be helpful to have some initial feedback on direction, especially when it comes to the threat modeling and stuff like that. So anyway, we'll be looking for guidance there. So Robert's agreed to dive in right now. I'll coordinate with Cameron and then we'll come up with a... we'll let you know when we are ready to kick off. Okay, thank you. Okay, thanks, so. Hey Sarah, a quick question. Maybe we covered it; I just did a quick skim of the notes and I didn't see this. One of the things we struggle with is when to tell the product owners to come back for another review, like a major release or so on.
Oh, so we have a yearly update in our sort of plan and we haven't done one of those yet, but we have been attempting to have issues for all of the open things where we're highlighting things that we brought up or things that we think are important, so that my thinking is that if a project hasn't done a major release that has security implications, maybe we just look at it; one person volunteers to look at it and says, oh, look, they fixed some things, right? I don't see any red flags with changes that have happened. But then, maybe we would have a deeper look, more like the first assessment, if there have been more changes. And we don't have a process for, like, oh, some major release changes their security profile in between updates, but I think right now, where the majority of CNCF projects don't have an assessment, that's not our biggest concern. Our biggest concern is more the vast field of things that are unknowns than making sure that everything is timely. I hear you, and so this may be a future topic and I don't wanna derail the agenda, but in our organization, this is kind of tied to the agile process and it's an important problem, because some of the security gaps end up in technical debt that is supposed to get resolved later on. Features could be rolled back for initial production use and then introduced later, but they don't come back for review. Also, some of the solutions that are being put in place to address the security elements that were addressed have to themselves go through a review process. So there's a fork and then a return to a future junction point for that. So it's a non-trivial problem and it's one in which maybe the product owners need to be the key advocates for that as opposed to the security TOC itself. Just the thought is, it might be interesting to poll, maybe not today, the other folks on this call as to how they handle this. I actually think it is somewhat pertinent.
One of the reasons I didn't jump in and say, I'll volunteer for the Cloud Custodian lead, is because I'm already lead on Falco. Implicitly, I sort of assume that the lead would have to take on the burden, at least initially, of that kind of annual review process. Now that's not written in stone anywhere. It's not an official part of the process, but I think I had opened up a GitHub issue on how this annual review might work and I think I put a flow chart in there at some point. But just implicitly for me, I was assuming as the lead for Falco that everyone's gonna come back to me a year later and say, where are we with that annual process? So I didn't want to jump on too many lead roles for that very reason. I think you can always say no to something like that. And I think, I mean, there's something nice about having at least some of the team from the prior assessment participate, but there's also something nice about having other people come in and take a fresh look. So we haven't really discussed this, but I definitely would not be in favor of a process where the entire team was expected to do it in their same roles. And I wouldn't be in favor of a process where the entire team must be switched out. So I'd like to see a balance in between. Right. Personally, but... Which is why I kind of thought that the tether might be the lead. So the whole team doesn't need to come back a year later, but maybe the lead would be the point of contact that says, you know, it doesn't necessarily have to be me as the lead, but I'll be the one that kind of does the reach-out a year later to try to... Right, you know, I wasn't really so fretting. I mean, the who problem is important, but the when problem seems more problematic to me. Like on a year... let me introduce a use case here. So, you know, somebody comes to us for a review. We do these reviews too, right? And we say, oh, you don't have any audit for this transaction.
So, okay, we'll do that, but we need to get the product out without one. Okay, go ahead. So they put the audit thing in, there's no Apogee interface, so we forgot to do that. So the whole team doesn't need to come back; who it is, you know, isn't so important as, you know, catching this technical debt thing and making sure that the review for this critical function, from a security point of view, that was omitted in the previous release gets put in. And so I think an annual review is artificial; maybe it's better than nothing, but it's an artificial one that really should be more tied to what happens on the product feature set than anything else. I agree, it's totally artificial. It's arbitrary in that sense. I had put in the flow chart, I had envisioned, you know, some other triggers, you know, CVE discovered, and maybe that should be a trigger. I think there's some debate, but I think practically speaking, just getting the time from the project to do it on an annual basis might be onerous. So I was, you know, certainly... Also, these are the assessments, not the audits, and there's a... True. Projects. Well, I think that we've made an effort to make it as lightweight on the projects as possible while adding a benefit that is hopefully of more value than the effort put in. And I think that, generally in the CNCF, it's the projects that have responsibility here. We can't dictate anything to the project. That's not our role as the special interest group on security. We can, you know, make recommendations to the TOC, and the TOC could potentially, you know, exert pressure on projects to do something or not to do something, and I know has the right to kick them out of the CNCF or whatnot. But mostly I think that, you know, my roles as engineering manager and doing security stuff in companies sort of echo what we're seeing here, which is that the project itself has to actually care about security and take responsibility.
And I think that in a commercial effort or government, or when there's an organization that isn't quite so grassroots as the CNCF, having some kind of a technical project manager makes sure things happen, because security things fall through the cracks all the time if you don't have somebody's eagle eye on it. And sometimes you don't happen to have a product manager or engineering manager who's savvy about the implications of not doing something. So I don't know, that's just my, you know, sort of voice about how I think about these things. I don't know if other people have different models of ensuring that security stuff happens in an organization, you know, besides the gating reviews that typically happen before product launches. I mean, I'm in a regulated industry. So this is a giant deal. But, and, you know, so for an open source community, it's different. You know, it should be different probably, but it's really important. And, you know, what's the role of a project manager in an open source project? Is there even an awareness of that, you know? Well, I guess, Mark, I would ask kind of the question back to you: as a highly regulated entity using open source, have you ever seen pushback like, we're gonna not use this product or open source tool, or we're gonna discontinue using this open source tool, because they haven't refreshed their audit or assessment in the last 12 months? Yeah, you know, we talked about this in this group a couple of years ago, maybe, you know, so that's where Black Duck and these commercial providers try to give us impartial assessments of the status of these open source projects. And so there's that. And then we look at the CVE count and then, you know, individual practitioners have opinions about it, like people who worked at Capital One in the past.
I hear we've got Capital One people on this call, so the ex-Capital One people in our company, they have views about some of the open source projects which they bring to the table. And then there's the whole problem of how to bring automated testing into our pipeline. So open source projects with no automated test scripts means more work for us to put that in the pipeline so that it enters into it. So it's pretty messy. You know, I'm not trying to impose that messiness into the process here, but there are some important facets of it that are worth introducing, and some critical omissions that might be made for good reasons. These trade-offs are realistic and important. It needs to get logged, you know, to cause a trigger for a future review. I think there is pressure from two sides. So most of those open source projects, there are vendors or big businesses behind them, right? Either driving development or adopting. And then, you know, the internal classic requirements and security apply and kind of leak into the upstream. But then I feel like I'm on the mailing list for security issue reporting for an open source project. I can tell you it's flooded with, you know, serious companies running scans or assessments of it before they deploy it, reporting issues. So I think from this side, it's also kind of like there is pressure on the upstream from the adopting companies. Yes, yeah, yeah, there is, but am I wrong in offering the view that the review that we give it internally in my company is more rigorous? I haven't seen the users' are. I honestly feel like that's a really good point, Mark, because I've worked with federal government. I've worked with utilities. They all have their highly regulated areas of concern and they all work differently. They all also make sure that security is top priority. The common complaint I hear is security is slowing me down from a development perspective, and that mindset needs to change within an organization.
It's not necessarily something that's different between an open source project versus a highly regulated industry. I think that's a mindset that typically, within the organization, needs to change. And I have conversations with organizations like this all the time, especially around containers and container or application delivery, to the point where they need to understand that this needs to be part of the pipeline, or their DevSecOps pipeline. It needs to be implemented into their CI in some form or fashion and they need to have policy written that we will do these things. And this will be signed off. However they do it, that's up to them. I don't think it's up to anybody or any open source community to dictate, well, you have to do it this one way, because there are lots of ways to do things. I think there's good, better and best in figuring out what those are in terms of what we're talking about here today with some of our assessments. Maybe there are some better ways to do certain things. Maybe there are certain policies to apply that make sense for everybody. So it seems like this discussion is a bit deeper than I think what we wanted to go into. So in the interest of having enough time for the other topics that we wanted to cover: Mark, would you mind creating an issue? And then if we have enough discussion on the issue, then we can probably schedule another call where we will dedicate half the meeting to talking about just that. Okay. So I'll just wrap this up by... I'm gonna move Cloud Custodian into the backlog because we've assembled the team and we just haven't quite kicked off. And thank you, Robert, for helping to move that along. And then on Falco, maybe Robert, you could say, are they still working on their self-assessment? Is this accurate? That is accurate. I've not received it yet. And I think Michael is busy working on some of the security events. So he's not on the call today.
Can I pose a question around the self-assessment process and where we're going with that? Is it possible to just say, okay, we're a sandbox project, and then we can apply for incubation? Or is that not kosher at this point?

So the security assessments are not directly correlated to the CNCF stages.

Okay.

So we have now established that anyone who has not already had an audit, which people are eligible for during graduation, during incubation, and I think is typically pre-graduation, that before you have an audit, you should have an assessment, because that helps the process. But other than that, it's not a gate. Although we have talked about it being good if people did a self-assessment before, because I think that gives good inputs. But we've been asked by, well, Joe suggested that maybe we should look at our self-assessments and see if we could factor some of the material into some of the other material that's generated. So there's a little process alignment happening right now. But yeah, it's not like one is a precondition of the other right now.

Got it. So theoretically, we could go ahead and push for sandbox and, in good faith, continue on the due diligence route with the audits and self-assessment to make sure we button up all the requirements.

So which project are you? Sorry, Cloud Custodian.

Oh, Cloud Custodian. Yeah, do you think we could move this into an offline discussion?

Sure, that's fine.

We're going to leave some time for Cloud Native Security Day.

No worries. Yep, thank you.

All right, I will share. Okay, so quickly, that's RSA Conference. If you're there, someone has created an issue. I think definitely I'm creating an event, right. So I'll take a look at that; if you're going to be there or in the area, I want to meet up. If not, Cloud Native Security Day, I guess Amy or Emily. I want to click on this. Hi, Emily. Go ahead.

So, fabulous news.
If nobody was paying attention in the Slack channel, we have a schedule for Cloud Native Security Day. So thank you to everybody, and anybody that you know, that submitted for it. We had a lot of really good submissions and we had a lot of really good discussion on everything. So the schedule is live. It is posted. It is linked in the Slack channel. Feel free to retweet any of the number of tweets going on around it. We've got a wide variety of speakers. We're hopeful that this year we'll have a significant amount of diversity in the talks as well as in the presenters. So if you're interested, you can go and check out the schedule. Right now we are beginning to look at day-of logistics and planning and day-of staff. In ticket number 305, we do have a couple of people already signed up for day-of staff. But if you are already planning on being at Security Day and you're interested in helping out while you're there, please go ahead and comment on the issue. That way we can make sure that we've got the right work distribution for everybody and nobody is slammed. We also have another sponsor, Amy. Is that right?

I know that we have StackRox and Rackspace. We may have more; off the top of my head...

Okay, so StackRox and Rackspace are confirmed, and we're hopeful that we're going to get more now that the schedule has been posted and announced. So if you know of anybody that is interested, the sponsorship prospectus is out on the Cloud Native Security Day website. I think that's all I have for Security Day updates.

Yep. Amy, anything else?

No, that was great. I think you have everything that we have right now, which is: there is a schedule, buy your tickets.

Yeah. Awesome. All right. So Amy, do you want to go ahead and talk a little bit about the issue that you put in?

Yep. So this is a little bit about the conversation that was going on earlier on the call.
I opened a ticket a while ago, issue number 326, to talk about potential process improvements to how we're doing security assessments in SIG Security. We have some really good information to help new reviewers and new lead reviewers get started on what the process looks like. But when I was going through it and working with Brandon and working with Justin, I didn't feel like there was enough information for me to feel empowered to do what it was that I needed to do, and I had a lot of questions. So this ticket is specifically to address the naive or clarifying question phase that was brought up by Chris at one of the previous meetings, as well as some other things that I've noticed doing the SPIFFE/SPIRE assessment, some things that I've heard in phone call conversations, and some things that have been in the Slack channels. So if you have any commentary on how we can improve the security assessment process or clarify some of the instructions, go ahead and throw a comment in that ticket. I'll probably be going through it later next week to refine some of those things and break up the work a little bit more, because the list of things, for me at least, is getting very long. So if anybody has any recommendations, or if they had questions, we could potentially capture responses and do an FAQ on security assessment, things like that.

I also just threw in the notes a link; you can just click on the assessment process label, because there's a lot: we've been collecting a lot of process improvements, and they tend to be the bigger ones. I think the ones that you've brought up, Emily, are worth making some adjustments to the actual process for, because that'll help our next two or three. And maybe we can keep that issue for things that people think are really getting in the way of our proceeding, rather than for the reflective time that we've scheduled for after our first five.

Yeah. Cool, yeah, I think I have some feedback also.
And then I was speaking to Andreas, who also had some feedback for us as well. So I'll make sure that I get them to comment on this PR as well, on this issue.

All right. I think that's all that we had on the agenda today. Any other topics to bring up in the last 10 minutes? All right. If not, tweet about Cloud Native Security Day and get your tickets. And we will be having the SPIFFE/SPIRE review, hopefully next week. I will post an update on that in the Slack channel. All right. Thank you, everyone. Bye, everybody. Thank you, bye-bye.