Action items

- Chet to follow up with the Swaggerhub guys, provide feedback on our discussion and ask about using free license to trial.

- Chet to check with Jamie on risks posed by embargoes of vulnerability reports

- Chet - see how we might gain query access to shadow databases

- Chet - correct invitation times for TAB going forward

- Patrick, Jacques - please provide feedback on OpenC2 TC's first csprds

- Chet - write up a draft work plan and send to the list for reaction.

- NEW Chet - send draft work plan to Board for review

- NEW Chet - connect Patrick and Paul to work out a solution to converting relative links when publishing TC work products

Agenda

1) Roll call

2) Approve agenda

3) Approve minutes

4) Status of public reviews

5) Status of action items

6) 2019 work plan and event schedule

7) ReSpec relative links

8) Drafting vulnerability policy

9) AOB

Minutes

1) Roll call

Trey Darley
Jacques Durand
Patrick Durusau
Chet Ensign
Stefan Hagen

Invited experts:

Ashok Malhotra

2) Approve agenda

No discussion of agenda. No objections to approval. Agenda approved.

3) Approve minutes

28 November 2018: https://lists.oasis-open.org/archives/tab/201812/msg00000.html

No discussion of minutes. No objections to approval. Minutes approved.

4) Status of public reviews

Comments provided to OpenC2 TC's first csprds

No new first reviews in the queue at this time

5) Status of action items

Tabled until next meeting

6) 2019 work plan and event schedule

Discussion about proposal for office hours. The proposal is to open TAB meetings to any members with questions for the first half of the meeting. Members can bring questions or concerns to the TAB for discussion. We noted that this could interfere with TAB getting work done but agreed that we'd address that if it becomes a problem. We also want to avoid people trying to assign work to the TAB.

Agreement that I should forward the proposed work plan to the Board for their reaction.

7) ReSpec relative links

Patrick explained that he was simply trying to answer a TC question about using relative links in their drafts. Agreed that it might be easier to fix links once TC Admin has the files in hand. Agreed that Chet will put Patrick and Paul together to look for a solution.

8) Drafting vulnerability policy

Discussion of the policy outline. Suggestion that we consult with outside experts, e.g. Carnegie-Mellon SEI, CIRCL, FIRST Ethics SIG members, DHS, Bugcrowd, HackerOne, and Katie Moussouris (Luta Security Founder and founder of Microsoft's bug bounty program).

9) AOB

Stefan announces that he is dropping his OASIS membership but offers to continue to support OASIS and the TAB.

Trey moves that the TAB invite Stefan to continue his participation as an invited expert. Patrick seconds. No discussion. No objections to unanimous approval. The motion passes.

Next meeting will be 09 January 2019 at 17:00 UTC/6:00 PM Geneva/Noon US east coast/9:00 AM US west coast.

Minutes submitted by Chet Ensign, 03 January 2019.

Chat log

Chet: Vulnerability policy draft is at https://docs.google.com/document/d/1Vx-ul_MTenguAmFZKnMS89yEu1YMbvRenJGk0D7N3KI/edit#
Chet: Attending: Patrick, Stefan, Ashok, Chet
Chet: Hi Jacques!
anonymous morphed into Patrick
Chet: Agenda. no disc, no objs, agenda
Chet: Minutes. no discussion. any obj. minutes approved.
Chet: Public reviews
Chet: Patrick notes the export from JIRA was incomplete
Chet: Trey joins
Chet: No new PRs upcoming
Chet: 2019 work plan
Chet: email w/ work plan - https://www.oasis-open.org/apps/org/workgroup/tab/email/archives/201812/msg00010.html
Chet: Ashok: looks good as a start
Chet: Trey: clarify the intent of office hours
Chet: Stefan - noted that it could help TCs avoid long round-robins of debate on questions that we could just answer
Chet: Trey - might make it harder to advance some of the TAB work - or it could turn into a vehicle for people to try to assign work to the TAB
Chet: Stefan - examples from TCs. Let's do it as a trial - if it does become a problem, we'll find another way around it.
Chet: Trey: sounds good.
Chet: Jacques: summary please - we'll do it as a test run
Stefan Hagen: +1 from me to forward the plan to the board
Chet: Patrick: what about the idea of reviewing the UI workflow
Chet: How should I phrase it?
Patrick: Suggest work-flow based views of OASIS resources
Chet: Stefan: would we develop use cases?
Stefan Hagen: Yes, the line is OK with me and workflow has room for improvement on kava and co (technically and from content navigation ease)
Stefan Hagen: We should I guess, only so with some persona definition we can write requirements and validation tests for meaning workflows
Stefan Hagen: IMO
Chet: Make the resources more accessible
Stefan Hagen: yes from me
Chet: Consensus: add Patrick's line item and send work plan to Board for review and comment
Chet: ReSpec relative links
Chet: Patrick: I'm trying to answer their question about how they maintain their relative links in their drafts and then we fix the links
Chet: Chet: connect Paul and Patrick to discuss further
Chet: Draft vulnerability policy
Chet: https://docs.google.com/document/d/1Vx-ul_MTenguAmFZKnMS89yEu1YMbvRenJGk0D7N3KI/edit#
Chet: Trey - review our draft policy with bug-bounty folks, cert, etc
Trey: I would consult with Carnegie-Mellon SEI, CIRCL, FIRST Ethics SIG members, DHS, Bugcrowd, HackerOne, and Katie Moussouris (Luta Security Founder and founder of Microsoft's bug bounty program).
Patrick: I'm stepping away for a moment
Patrick: I'm back.
Jacques (Fujitsu): Have to go: I have a hard stop at 10amPT
Chet: Vet this first w/ a group of experts
Chet: Present set up a call w/ Board and TAB to present this
Chet: AOB
Chet: Stefan - dropping his membership with OASIS
Chet: Trey - motion that we extend to Stefan an invitation as an invited expert - OASIS will be impoverished by losing his expertise. Patrick seconds. motion

20181212 (last edited 2019-01-03 20:36:57 by chet.ensign)