 From your perspective, what does CVD mean to you and kind of what are your motivations when you're working on an issue and you need to disclose something? So I think the main point of CVD is of course to protect users. And my main thought is a bit historical. So I've been around in the 90s where disclosure was you find a mailing list where other hackers hang out and you're zero day everybody and nobody really cares and then became responsible disclosure which is the predecessor for coordinated vulnerability disclosure. The problem with responsible disclosure is that it was really made to shame hackers that didn't follow the desired protocol of industry types and the current iteration, coordinated vulnerability disclosure is instead of trying to be coercive, trying to actually work with people that want to submit issues and it is a much much improved over that and it does a much better job of making sure that every body to a vulnerability disclosure that means vendors, customers and hackers have their needs met. So that's what I think vulnerability disclosure, coordinated vulnerability disclosure is for me. Awesome. Daniel, another researching perspective, what do you think about coordinated vulnerability disclosure? So we are interested in understanding how things work and sometimes that involves understanding how things work that are not supposed to happen, which we then call vulnerability. And of course then we want to figure out the truth behind it and that involves talking to the vendor. Very often they tell us that we got something slightly wrong and that is an opportunity to correct these mistakes before we submit the paper or publish the paper. But also from my perspective, it's the only ethical thing to do to protect the customers, to protect people who are using these products. And for me, I'm not in this game for finding vulnerabilities as a motivation by itself. My main motivation is finding the truth, finding a better understanding of how things work. That's awesome. Katie, you've had a lot of experience of monkeying around with CVD. What does the CVD mean to you? Hold on a minute. So CVD means to me. So when I think about it, I think of it from a risk-based perspective. And so what we're probe is alluding to here is that my background is government in nature. So I spent about 15 years in the U.S. government, 12 years of that in the U.S. Air Force. And then several other years at Department of Homeland Security where I ran the vulnerability disclosure profiles programs that most people are familiar with. So like the NIST NVD program and the Carnegie Mellon CERT CC program and the MITRE CVD program. So I was a sponsor for those programs. So in a single year, 2017, we coordinated and disclosed 14,800 vulnerabilities for public disclosure. So it's 14,000 IT vulnerabilities and about 800 ICS vulnerabilities. In the following two years, so 18 and 19, we coordinated and disclosed over 20,000 cybersecurity vulnerabilities. So I've kind of seen things from lots of different perspectives. And when I think about CVD, I think about balancing risk, right? So CVD is really a process. And every time you, when you're going through this process, understand like every organization is going to treat it differently, because there isn't a standardized like one size fits all kind of stuff here. There's differences that are going to happen across the coordination stack. So if you're looking at digital services, it's going to be different from software, which is going to be different from open source, which is going to be different from hardware or ICS, like all the differences are going to come into play there. But the overarching sort of thing, the big takeaway here is that CVD is balancing risk. It's all about making sure that there is an opportunity for the product vendor to fix the problem before an adversary has the opportunity to take advantage of that. So like, it's all about protecting the end user. And I think everybody that I've ever met in the entire ecosystem is all focused on that. Like we may be speaking different languages, we may talk past each other, but I think that everyone is trying to protect the end user. So to me, that's what that's what CVD is about. That's awesome. And remind you, remind me to circle back to you later in our talk, talk a little about some of the psychology behind some of this. Oh, yeah. I would love to hear my dearest friend Lisa's thoughts on kind of coordinating vulnerability disclosure and kind of what some of your motivations that you've seen or kind of what's behind your modus operandi. Yeah, so I think where I've seen a sort of an evolution of what we do now, where I think Heartbleed was sort of the big start of where we paid attention, realized we all need to come together a little bit, and then Spectre Meltdown sort of brought us even closer. So my thought is that not only did we work with the researchers, but we work across the industry to, you know, make sure that we're all doing our best to protect our customers. So like Katie was talking about, it's really our end users that are our focus and making sure that we have the right people involved to be able to solve the issue, and then provide a security update so that our customers could get it and be best protected. That I didn't say CVD. Oh, you just did that. I know. Yeah, yeah. So Omar, kind of you've been doing this for a while, and you work for a very large company. So I'm sure you get the opportunity to see a lot of different vulnerabilities. So what does the whole process meaning? What are some of the motivations you've seen? Yeah, I think that pretty much everybody has summarized very well is protecting the end consumer at the end of the day. But I see it as a very, very complex ecosystem, right, that we're trying to actually solve. And Katie, you know, mentioned, in one side hardware, another side software, then if you decompose that, then you have open source, which we're going to probably talk about a lot in here. And you have things that, you know, perhaps you cannot even control. I have had a, I guess, a pleasure or not a pleasure in some cases where we're looking at vulnerabilities and even in some cases, whenever we try to actually solve the issues, the companies don't even exist anymore. That's that's another predicament, you know, that in some cases, we actually have to take into consideration. And it's a fairly complex ecosystem. And at the end of the day, what we have to actually put our heads together is how can we modernize our practice into the way that not only yes, we deal with a single vulnerability, we reproduce it, we actually fix it, we find the patch. But how can we accelerate that process? That one, everybody's talking somewhat the correct vocabulary, or at least they can understand each other. And then we also understand the overall risk, right? And how to prioritize things and so on. So it's fairly complex, we can actually talk about it for quite some time. And that's what we're here for. But those are some of the initial perspectives that I want to share. Thank you, I appreciate that. I want to talk about something we touched on in one of our prep calls. We have Anders and Daniel that come at this research angle from slightly different angles. So maybe you two gentlemen can figure out who wants to start first, but thinking about the perspective of academia versus a professional bug hunter, a security researcher, and maybe you can maybe describe some of the particulars in either area, and maybe what are some of the differences you might see between those two different types of research. So from the industry, or rather the bug hunter, the professional or not, there is very often an element of good old fashioned fun. I started out hacking things not because I wanted to achieve anything with it just because it was great fun. When you become pro with it, there is different motivations. So if you work for for company and you work on their products, obviously, your motivation is to make those products secure. And sometimes my past job, I did some some research and that was sponsored by that company. But but essentially me doing what I like to do. Their end of it was attention to that company's competences. And my end of course was having a bit of fun with it. So that is probably pretty typical of what hackers get out of hacking. Yeah, from the more academic side, it's more of advancing the field, the knowledge in the field. And there you try to figure out how things work and what the implications there are, what the security implications of certain understandings are. For instance, understanding when you can execute a certain piece of code, and that does something that is not intended. What are the implications? And this is interesting from a security perspective, then if it enables someone to do something that they shouldn't be allowed to do. Yes, often this involves disclosing a vulnerability to vendor. But I would say that, for instance, bug bounties that might be very relevant for people from the industry. I think this plays a smaller role in academia, because you, you have to participate in CBD anyway, because you, if you wouldn't, then, then you would get a lot of problems in the academic community. There's a lot of peer pressure that you participate in this, because that's the only ethical approach to handling vulnerabilities. At the same time, if you keep them secret for too long, then there's also the question on why did you keep them secret for so long? Maybe also some perspective that I can share. In academia, you see more and more often the effect that academic publications are easier to publish if you have a CVE. I don't think that's a good thing because I think that a CVE does not necessarily describe that a research result really brings you new insights, a CVE is an identifier for for a vulnerability, not an identifier that says this is something with a new insight. And also, if you participated in CBD and you mentioned this in the paper, this also gives you bonus points. At least that's my impression. To get the paper published. Of course, it's it's good if you participate in CBD. But my feeling is also that this is going going a bit too strong. And yes, now overemphasized in our community a bit. What about, you know, having an icon or a fun name? So there are there, of course, there are. I'm really a big fan of logos and names and anything that is fun. But of course, there are multiple layers here. For instance, we had this paper Hello from the other side, which had this name not just by coincidence. And it was about a covert channel in the cloud where we send data through the cache from one virtual machine to the other. And we really, we really went crazy on that. So we built an entire TCP stack on top of that and tunneled an SSH session through the cash cover channel. For whatever reason. And we then sent a music video through this cash cover channel. And of course, we couldn't just take any music videos. So we had to make our own parody of Hello from the other side. And this is just fun. I mean, we are just a bunch of people and we like to have fun. And to basically once you you finished your project, it's it's really nice to close this up with something nice and funny. And logos on the other side also help communicate about so they help you communicating about the issue. I realized that every time I create slides, I my my favorite my favorite slides are the slides that don't have any words on them just pictures, logos and icons, because then I can follow the speaker. I don't have to read because I'm I'm very bad at reading. I can't read and listen at the same time. And I bet many people can't do that. So if there's only icons and symbols and logos, I can follow what the person is saying and look at the images at the same time. And I'm always annoyed if I have to speak about the vulnerability, and I don't have a logo for it, because then I have to put text on this slide. So since Daniel brought it up, let me ask the other panelists. How do you all feel about branded vulnerabilities? Do you like logos? Do you find that helpful to you and your constituents? Oh, I'm sorry, Daniel, no. When there's a logo or PR or everything, it grabs the media's attention so quickly. And sometimes the issue is not that severe or very hard to be able to breach. And it gives a little bit of extra fear to our customers. And also encourages us to maybe reprioritize other issues first, which are, you know, more severe to our customers. So so although I think I get the point, it's easy to talk about it. They grab the media's attention really quickly. And, you know, but if you put a caveat about the, you know, the real severity of the issue in there, maybe that would help a little a little bit. Yeah, so we often have in our team, we often have this discussion, should we have a logo, should we have a website or shouldn't we? And we have meant so for most of our papers, and most of the vulnerabilities that we discovered, we don't, because we just say they are not significant enough. And I think that's also the responsibility of the researcher to first assess, is this something that's significant that I need this additional PR? Or is it not? Right, well, then you're doing it the right way. So yeah, cheers. Maybe that it's also I mean, I will have a different view on what is really important than you have, right? Everyone will have a different view on that. So something that I think is really, really important, you might say, well, it's not really exploitable in our use case. Right, we don't ever want to downplay researchers work. I mean, it's important, whatever, you know, they do, and we appreciate, especially doing CVD with them and not being zero date. You know, but yeah, it's, it's a more matter of, you know, especially in a bigger industry when you're trying to protect your customers best, how do you approach it? Yeah, there is a fight for customer attention. And for customers to make the right security decisions, they need to be attentive about the right things and logos and and hype in the press walks that and we have bad security outcomes for our customers due to that. Then of course, there's also the thing that even fixed vulnerabilities sometimes cause a cause of suffering for system administrators running around in basement and patching systems and all the like. And to some extent, I sometimes find over high bucks disrespectful to those people. Yeah, so in my case, I don't have an issue with with logos or anything, even though in a previous call and a couple of extension, Daniel, I alluded into that. Whether it's a logo, as a matter of fact, even for Cisco, we had the first vulnerability with emojis. So we have emojis, logos and everything else. So at the end of the day, if it helps to do an alias for, you know, a vulnerability and bring some awareness, I'm perfectly okay with that. The only challenge that I'm seeing or opportunity, right, is that in some cases, whenever we write information and even vendors, whenever we, you know, we have in my case, we have a research institution at Cisco called Talos and we find vulnerabilities in other people's product, right? And yes, yes, yes. So in that case, yes, we also have logos and we put them out there and we put the blog post and so on, right. But what we need to do collectively is to make sure that the media is not either down playing it or over proportioned. So we have to have a balance, right? And we all, you know, say the media, the media, the media, right? But it's our responsibility, right, on how we create our security advisories and it's both ways is, you know, even though we're vendors here and everything, you know, but we have to point fingers to us, you know, how clear is our advisories, can we have some collateral that the end consumer actually knows about, you know, what are the implications are? And we work with a researcher to make sure that we all understand, you know, what the problem is. And in the previous conversation, I also mentioned that the biggest nerd fights in history is whenever it comes to CVSS scoring, right? And, you know, whenever it comes to risk and at the end of the day, you know, whether it's CVSS, whenever we come up with some new ways and everything, we have to have some type of way of saying, yeah, you have to jump right now and fix this vulnerability versus the other 100 criticals that we were also, you know, dependent on. And especially with nowadays, since it's not so much of a vulnerability coming from like a Cisco or an Intel or Red Hat or anything else is open source, right? By the time that actually I'm boring you to death in here, probably three more CBEs that are super important has been disclosed and we don't know about, right? So that's the type of balance and the type of, I guess, for a corny way of saying orchestration that needs to take place, right? In this CBE. I want to add another point here regarding the overhyping. Having a logo, having a website for something for a vulnerability for a research result does not necessarily mean that you overhype it. We had experiences where we just put papers on Archive without any website, without any logo and anything and media picked it up and media reported about it and not necessarily correct in all cases. And we had this, for instance, for the the takeaway paper where we analyzed some side channels on AMD CPUs and their media picked it up. We didn't, we intentionally didn't make any website or logo, but media picked it up and the reporting, it was not, it was not entirely wrong, but it was definitely, I would say, definitely overhyped. And we discussed this also in our team and the conclusion that we had was that in some cases we should have a website, even if it's not a vulnerability that we want to hype, because it's not that significant, but just to have a very clear message which says, how relevant is it? And I think that's the important part that we also always had on our websites, a short three sentence summary, like, what is it who has to care about this and what can an attacker do? Yeah, I think that's great. That's great you do that. And it's good advice. I think, you know, that I would love to see it be more adopted in the researcher world, for sure. I think it would help out. So before I move on to my next question, I'm just going to say, when I retire, all of you in vendor world are doomed because I'm going to offer my services to L. Reg for free, writing up crazy headlines, but to touch on a point that Daniel made, he invoked the Katie Maceris clause. Let's talk about bug bounties and CVD. Oh, Katie, maybe you should take that one. And actually, because our friend Katie and Melville Schrimble here actually has a lot to do with that in her organization. Could you maybe talk about how coordinated disclosure interacts both good and bad with bug bounty? Yeah, so I love Katie Moe. I think that first off, let me just say that it is an honor to be confused with Katie Moe. My hair color is like, you know, getting close to hers too now. I don't know. I think I have been accepted to conferences because they thought that I was she when I showed up. I don't think they were nearly as excited to see me instead of her. So but so, yeah, bug bounties. So bug, tinfoil hat, really. So bug bounties are a tool. I'm trying to be serious here about bug bounties. So bug bounties are a tool, right? So they're a tool and a tool kit and they are there to incentivize, but they're a part of a well-structured product security portfolio. They're not the whole thing. And there are different motivations that will help people from different perspectives. So in the academic world, for instance, bug bounties may not weigh as much because a lot of academic institutions don't allow an individual to accept that the heart coal hard cash, right? If you are a professional bug hunter, you know, that might be how you pay your mortgage. And so there's a lot more tied to that. But the problem becomes that like bug bounties are a wonderful tool and they're they're great, but you have to have a good program in place already to to accept that that information, to be able to execute on that information and figure out like how do you how do you actually there are so many questions about it. How do you award? How do you manage it? Like, are we going to tie the payments to CVSS scores? Are we going to tie the payments to a well thought out proof of concept? There's so many pieces that go into it. And so I'd say like bug bounty is not a one-size-fits-all. It's going to vary from organization to organization. And some organizations are going to have different timelines, different pieces. It it's yeah, it's complex. So Bug Bounty is not the end of the world. Bug Bounty is a tool. It's a tool in your toolkit. So it's a great tool. I love the tool because I'm the director of it at Intel. But it's not it's not everything. So vulnerability disclosure is more than bug bounty alone. Yeah, I think when you think about it, too, like there's a lot of smaller companies that probably, you know, don't have that or don't have the funding funding for it. But that that doesn't mean that they're not wanting to work with researchers. They just can't get the budget to do it, you know. So so, you know, do your best to try to figure out how to reach out to those companies. Hopefully they have a web page or email address, you know, Secure Ad, Peacert Ad, Security Ad. I know we struggle a little bit. But, you know, there's plenty of us around that could help find the right contacts because we're you sort of come together from all over the place. And we're sort of an expanding group here. I like it. But boundaries are one of the wonderful signs of how the industry has changed back in the 90s. Researchers was often rewarded with that disclosure was rewarded with lawsuits. And now people are the industry are working with the people and have started actually paying the researchers for their efforts. So I'm very much thumbs up on especially because it shows how the industry has changed on all of you hackers, hackers on our days, helpers and not the enemy. Yeah, I thought you were going to say t-shirts for a minute there in the early days. I like I wanted to see it just want the t-shirt. Oh, earlier than that, it was lawsuits. Then it became t-shirts and then maybe stickers. And then, yeah. And now, and now financial reward and awesome stickers. So let's we've touched on it a little bit. Let's see if we spend some time now that we're past the top of the hour here. Let's talk about coordinated vulnerability disclosure inside an open source context. So I'll go last, but let our esteemed panel here, maybe whether it's our researchers or our vendor friends, kind of describe what you're what works out really well and what what are some challenges for you within the open source world, which makes up about 90 percent of all software now. Hey, Jerry, open source one. Ah, I guess I start. So basically, that's top of mind for me. And, you know, it sounds corny whenever people say, hey, what keeps you up at night and everything else? It's actually open source right now. And it's not so much of the predicament of using open source. We have to use and embrace and contribute to open source. I mean, I'm super big fan of that. And the challenge when it comes to open source is that it can be anything, right? It's like IOT can be anything, right? So and it's critical infrastructure for a lot of things. So to give you some somewhat of a real life, you know, I guess a realization that we had while back probably about four or five years ago, whenever Harbleed came, we were looking in the industry, right? Not not only Cisco, but a whole bunch of other companies, right? So what to prioritize as far as actually giving funding, probably doing research and so on. So we said, OK, so open SSL and things like that, which are actually super important for us. There's a lot of people looking at it right now. So can we look at things that perhaps are actually critical infrastructure that nobody actually has probably taken a look at it, right? Where we're going down the list and and as a matter of fact, that number two is perfectly fine. Oh, there are two guys that work on open SSL that get paid to do it. Yes, indeed, indeed. And the the example that I was going to go is is NTP, the network time protocol. So NTP is specifically and there's also two guys that don't get paid, which is bad, right? Is there not even the full time job, right? Well, I guess it's now you fast forward this year. It's a little bit better now, right? So it's a lot better. And it is not that the problem is that poor guys that actually are contributing to the code is a matter of scalability. It's a matter of actually even, you know, running static analysis into the thing didn't even assist, you know, five years ago for these components. Now, of course, we're modernizing our ways, you know, even if you submit things of GitHub, a lot of things actually happening. You know, we're we're getting we're getting better, for sure. It's just that it's getting way more complicated, right? And more people actually are not only, of course, contributing, but using it more than contributing, which is the other predicament. And in some cases, we were talking about bug bounties. And there are in some cases, actually, amazing. I'm a big fan of bug bounties, right? The challenge is that in some cases, we also don't think about does this affect other vendors that might actually find in some type of vulnerabilities that, you know, perhaps, yes, it's a single injection cross-site scripting, which is actually pretty, pretty common. But I'm doing some fuzzing and I, you know, crash an application. What is the underlying issue? Right. And in some cases, it's actually kind of a commodity, you know, goes back and forth and it hasn't been shared. And then two or three months down the road, you say, oh, but this CBE was not shared with other these vendors that they're also affected. So we go back and and in some cases, you actually see people trying to find the same or found the same CVs and they report in a different way. But, you know, there were no coordination. So those are the things that are that are crucial, right, for us to be successful and not only among vendors, but actually downstreams and upstreams as well, right? So especially when it comes to IOT is like number one. Yeah. So Omar, you brought up a few points. You know, one is who do you bring in, right? I had a time and I think that we're seeing that even if you're the competition, we still want to work together in in in the background here. You know, we our whole goal is to protect our customers and we often have the same customers, even if we're competitors. So we like to, you know, make sure that we're all working together. And an idea is when do you bring someone in? And it's not only the researchers. OK, Krope, we got your hand raised. Go ahead. Can I tell you a secret? Yes, open source has worked with our competitors for 25 plus years. Yeah, yeah. Well, I would have to say, we, you know, with with some of those other vendors in the industry, it wasn't always so nice. They were playing with the close source. We're getting better. But I think what, you know, not only the researchers should be thinking, who else is affected? But when we are the receiving and we should be thinking, who else is affected and bring them in? I recently worked on an issue, a very recent one, where the we are in Key Base and the researchers were in, right with the industry, people who were fixing the issue. And there was great, you know, coordination between, you know, amongst the group there. It was pretty awesome to see of how how much we've evolved. How do you do that, though, with like open source, though, when everything's shown? It's super easy. Well, and I'll, I guess I'll chime in before we let other folks. I found it, I found it very interesting how some vulnerabilities have been patched wide in the open under the cover of some other patch. I don't know what, yeah, I don't know what you're talking about at all. So in general, open source, there is no single definition of what open source is. You could have two young ladies in Bangladesh that have an amazing idea and they're just trying to get this creativity out there to share with the world. You could have large corporations like a lot of the folks represented here. I mean, you can have academics. I mean, so open source is a lot of different things. And there's really no one definition or moniker that fits, that works with every community. But if you're thinking about the types of open source that might make up a product or some kind of a cloud offering, you're going to have the high end of the spectrum or things like the kernel group, which is very mature and organized, Kubernetes. And then you start moving down to like a patchy foundation, these other large communities. And then you get down to something where it's a single person, a couple of people that are just playing around. And it's hard to put any kind of structure or process to all these different models because a lot of people that code for open source aren't doing it for free for no renumeration from large companies that make a lot of money off of it. But they do it for free because they love kind of adding value and expressing their creativity. And, you know, as Daniel mentioned, open source is very creative and very creative. And some of the larger projects, we do have ways to privately take in data. So we take in a private bug report that's well established within the community for a long time. And when you're looking at a less mature community or package or library, they might not have that capability. And that's where larger kind of big brothers and big sisters like a red hat or a SUSE are canonical kind of step in and try to help mentor these smaller projects to help them get these good practices set up so they can take in a private note. Because sometimes a lot of, you know, my team, we track between three and five thousand vulnerabilities a year out of 450,000 packages. That's a lot. Not all of them really kind of bubble up to the level of they need the attention of like a Spectrum meltdown or a Heartbleed or a, you know, Blueborn, all these kind of other big named nonsense things. But, you know, they still need to get fixed. And what open source is really good at is you identify a problem. The team attacks it collaboratively. They develop a solution and release that update very quickly. And they don't like to spend a lot of time. You make it a big deal out of it because they've already they're moved on to the next feature, the next big thing. But yeah, it it it can be challenging, but there are definitely ways to do. There are methods to do it. There are groups that allow this. I see I hear a lot of bleep into the background. What's going on, folks wondering when you're going to change your hat again. Sorry. There we go. Bring out big red. All right, let me get this panel back under order. When you're thinking about doing a CVD, what are some things you might want to prepare for? What can you do to help make that coordination very successful? And let me start off with we'll start off with Lisa because she has a lot of ideas. So what from your perspective, you can what will make you successful when you're getting ready to do this multi-party coordination. So I guess it depends on on how familiar you are with it or not. Like if I was a researcher and I wasn't too familiar, I would potentially utilize cert or something like that. If I felt like it was going to cross over more than, you know, more than one company in the industry, just to have them help. Because I think it could be overbearing of figuring out how if one, you know, if industry, you know, company A wants this date to get it fixed and company B wants another date and you know, company C wants another date. So I think that's one way that people, a researcher could use. But I think the idea is to figure out when you start is what are your rules? What's your embargo date? How many days do you actually want to, you know, give the the company or vendor to fix the issue? Typically it's 90 days. I would prefer that as a company. I think it's respectful to do that, especially when things get more difficult. So think about your rules and what you want to do and how you want to approach it. But I'll pause there because I know we're running out of time to get other people in. Anders, what are your thoughts about how you could make CVD successful? Three things. Use it as a tool, not only for for vendors, but also for hackers. Listen to what a saying, what people, what vendors are saying or what hackers are saying and try to make the best out of it and be aware that there's often a lot of complexities involved with it. Right, be patient, right? Yeah. Omar, what are your thoughts on how you can make CVD successful? Yeah, I think that I'm going to capitalize on something that Daniel mentioned in a previous call. And it's in some cases, even if you provide some data to even a vendor or whoever, right? So whenever you're coordinating, you have to make it first easy to understand. But at the same time, you know, there's in some cases, you know, getting the right people at the right place at the right time to make sure that you understand the technical implications of a given vulnerability instead of running around because even if you have the 90 days or 60 days or 100 days, you know, getting that streamline and modernizing the way that we actually exchange the information among, you know, all the affected parties. That is that's number one. And Art Manion, which is actually a good friend of mine, you know, he leads the team. He's the first one that will tell you we cannot scale, right? This is a big ecosystem. And just having a roll of decks of older vendors that actually use a component is foolish, right? We will never ever be able to actually have a complete thing. But what we have to think about is what Lisa mentioned is that in some cases, we are working with competitors, right? Even more than our companies. For example, you know, I work with Lisa a lot. I work with Juniper even more in some cases, more than I work with Cisco whenever it comes to fixing a vulnerability, let's say in BGP, OSPF, or whatever the case might be. So that type of thing of, oh, I'm not going to talk to these competitors. They're problem and everything else is not, you know, that's 20 years ago, fallacy. And then the last one is that at the end of the day, I have the reality and I tell my guys at Cisco is that whenever I push a button, I publish a CV out there. The number ones that actually are reading that CV are the bad guys, right? And probably at the same time that you're committing an open source code, you know, probably that's going to be the case too, right? So what we have to do is think about how can we change information to the consumer to downstream and upstream providers in a more modern way? And I know that sounds corny, but, you know, can we actually make it more and we're trying to do that machine readable, right? So if in the case that we actually have that role of the X of people and everything else, you know, get some tool and that's what art and, you know, the guys in insert that are also doing, you know, that we're creating tools that allow us to do that. And even if you have, I don't know, even two years ago, that didn't assist and it wasn't even a thought, right? So we have to move faster. That's the one thing that I want to say. So as I close, I'll say Art Manion has the best facial hair in the industry. I love, I love art, but I want to thank our panel here. This was a great hour together. I really appreciate your time and expertise. We're going to be hanging out for a little bit on this awesome Discord channel that my kids made fun of me all week about because I've had it up. Thank you, everybody, for coming and your attention here, panelists, and thank you to the audience for DEF CON for having us here at the IoT Village. Enjoy your day and enjoy the rest of the column. Got some great stuff lined up the rest of the weekend. CBD all the way. Oh, yeah. We're out.