Following-up on informal project security discussions at OpenInfra Days NA 2024
Greetings everyone,

This week at OpenInfra Days NA, I held a session on resurrecting the project security discussion[0]. I had intended to resurrect this discussion for the past few months, but I was stuck in the middle of dealing with two CVEs. Furthermore, there was a leadership meet and greet session where some of the discussion continued as well.

At a *high* level, the consensus surfaced in the discussion that the Open Regulatory Compliance working group was the best path to try to identify recommendations and requirements as it relates to what we will likely want to assert for projects and our communities in terms of legal requirements coming from the compliance frameworks.

The discussion then pivoted to management of security vulnerabilities within projects. Goutham Pacha Ravi, the chair of the OpenStack Technical Committee, was present and agreed that the committee likely needs to implement some sort of process to require projects to actively update security contacts with known active contributors each cycle. Furthermore, consensus in the room surfaced that the OpenStack VMT should likely become mandatory for all OpenStack projects. It should be noted that, at present, it is not mandatory. It is important to note that this is only the beginning of the discussion of specific changes, and we'll want to follow up with the Technical Committee in the near future and, depending on those discussions, then make recommendations to our other projects.

The concept of a minimum threshold pool of security contacts for each project was also briefly discussed, but it was quickly recognized that it would be a hard policy to implement. An interesting idea came up regarding having some sort of required yearly security training for contributors. While an intriguing concept, there were no specifics on how that might work.

One last item to note: during a community leadership meet and greet session[1], some frustration was expressed by community members as to what they perceived as "pressure to retire projects". Specifically, the example was the OpenStack Freezer project, which was not being actively maintained. The community members sought to understand why there was any pressure. As we are aware, these sorts of decisions revolve around risk management, and we were able to point back to the Murano issue earlier this year as an example why. Discussion pivoted to how they might be able to raise interest, awareness, and collaborators to prevent such actions in the future. Understandably, this is difficult when community leadership has already made such attempts and no contributors stepped up to engage.

If any director would like to discuss further, please let me know and we can set up a time to discuss.

Thanks,

-Julia

[0]: https://etherpad.opendev.org/p/forward-direction
[1]: https://etherpad.opendev.org/p/leadership-na
Participants (1): Julia Kreger