wg-securing-critical-projects
Adopt the Alpha-Omega 10k critical OSS Projects list under this WG
The @ossf/alpha-omega team has collected a list of the top 10k OSS projects, which we are using as a target for security scanning and vulnerability reporting and, in the future, as a list of projects to which any automated bulk PR generation campaign is required to report vulnerabilities privately.
We'd like to propose that this list be owned by this WG, both to avoid confusion between your lists and the one @ossf/alpha-omega uses, and because it seems like the right fit.
https://docs.google.com/spreadsheets/d/1fgj0DOoNC-HpHhokN75AfXk9m02mZDpFt1jpkacohus/edit#gid=0
The TAC is here to help manage reputational and technical risk for the foundation (The "T" and "A" of our name [Technical Advisory Council]). Approximately two years ago the Governing Board had requested that the TAC review all of our public-facing blogs to ensure they aligned with our values, technical vision, and strategic goals. This request wasn't to add latency to the process or add additional "power" to the group, but rather was to ensure we were outputting collateral that was satisfactorily representative of our membership and added value to the broader community. We are elected or appointed to this role to help balance the needs of the community as well as our members.
No one in the TAC has objections to having a dedicated, focused presence in place like India (which has a long and deep interaction with open source communities), or any other geography that has contributors or members resident. The more people we have following good security practices and using security tools such as the ones our foundation creates, curates, and participates in, the better off the whole ecosystem is. We are concerned about not being included in any type of review process, or hearing about plans or status, for a group that appears to be representing itself as an active member of our community and seemingly presenting a tool that no one in our group has any knowledge of and that has not gone through any of our standard Technical Initiative vetting and processes. PINNY may be an amazing tool, but as presented, it looks as if it is an approved project leveraging our brand and following our requirements and processes, which it does not as of this time. We'd like to see some kind of periodic report out from groups like this, as we have in place for all the other TIs.
I'd love it if the MAC would better collaborate with the TAC and institute some kind of mandatory review period (24-48 business hours, perhaps) to allow us to perform our duty as desired by the GB and provide feedback, comments, etc. It is challenging to un-communicate things once they are public, and giving us the opportunity to catch potentially provocative wording allows us to help manage that brand reputation and avoid as much negative public feedback as possible.
So far there has been the addition of a Slack channel for the TAC to review guest blogs. What else should we document? I can put the interlock in a PR for TAC procedures interlocking with the MAC.
TAC & MAC are now included in all blog efforts, and each group is given the opportunity to provide feedback as a native part of the process now. Thanks!