Meeting Minutes: Board and BAC Monthly (2026-05-11)
Below are the minutes from the recent BAC and Board of Directors meeting. All members receiving this notification are encouraged to review the minutes and actively participate in the discussion. That’s one of the opportunities to engage directly with BAC members by replying in the thread below. Your input helps us ensure the OpenSSL community remains transparent, collaborative, and responsive to your needs.
Attendees
@Anton Arapov, @Jaroslav Reznik, @Jeff Johnson, @Lenka Luklová, @Paul Yang, @Randall Becker, @Tim Hudson
High-level topics covered
• Face-to-face week in May: logistics, schedule, and remote participation
• Community engagement and LBC meeting cadence
• ICMC feedback and future event planning (Toronto, Asia-Pacific)
• AI policy update
• Mythos / AI-generated vulnerability findings: scaling, geopolitics, and cross-org collaboration
Detailed points and discussion
1) Face-to-face week logistics
The upcoming in-person week in May is the primary focus. Lenka is serving as the main coordinator and offered assistance with airport transportation. Paul and Randall confirmed they will participate remotely; remote access will be available for all meetings but not social events. Tim confirmed that a meeting room was secured at ICMC and that this will be standard practice at future events. Key external participants — Thomas, Igor, Daniel, and the marshals — are expected Tuesday through Wednesday. The technical sessions are concentrated at the start of the week, with advisory committee discussions scheduled around Wednesday. Jaroslav confirmed limited availability on Friday afternoon. Tim noted a new team song has been prepared for the conference.
2) Community engagement and LBC meeting cadence
Tim reported increased traffic on the Communities website, with community members submitting a broad range of individual concerns. Jeff identified provider performance as a recurring theme. Jeff has established a regular monthly LBC meeting modeled on the working group cadence observed at ICMC. Tim suggested publicizing this change via a blog post or similar outreach to reach community members who are not actively following the Communities website.
3) ICMC feedback and future event planning
Jeff described ICMC as high-energy and valuable for in-person networking. The dedicated meeting room was highlighted as a significant improvement. Tim confirmed ICMC 2026 will be in Toronto during the week of April 12, and RSA will be in San Francisco during the week of April 5. Randall expects to attend ICMC next year, barring a conflicting European conference. Paul raised the idea of a future Asia-Pacific event, suggesting Hong Kong or Singapore as alternatives.
4) AI policy update
Tim confirmed that the OpenSSL Project is actively working on an AI policy update in collaboration with the Foundation. The Foundation has already produced a draft for review, and legal feedback along with internal input is being collected. Tim emphasized the need to publish the draft for community comment as soon as possible.
5) Mythos and AI-generated vulnerability findings
The main discussion centred on Mythos and the challenge of scaling security response to handle AI-generated vulnerability findings. Jeff explained that Cisco’s concern is not just the volume of findings, but Mythos’s ability to determine exploitability, generate proof-of-concept exploits, and propose patches — creating a prioritised, weaponised backlog that overwhelms existing development and security teams. Tim confirmed that the OpenSSL Project has found Mythos output to be high quality compared to other tools, and that the project wants direct access inside Glasswing rather than working from exported results only. Tim offered to share OpenSSL Corporation’s security response process with Cisco’s team and to open the security response team to external collaborators. Tim also raised concern about older releases and less common platforms being outside Mythos’s mainstream focus. Jaroslav stressed the geopolitical dimension: many European security teams and companies do not have access to Mythos, and access asymmetry is a growing concern both for open source projects and for regulators. He advised against overreaction while emphasising that scaling security operations is unavoidable. Randall echoed the geopolitical concern, noting that virtually every security team in his domain is outside the US and lacks access. The group agreed that collaboration — sharing the OpenSSL Project’s findings and processing experiences across organisations — is more valuable than parallel internal efforts. Tim clarified that the Anthropic relationship is managed through the Corporation and that the Foundation relationship is separate, but that security work is shared centrally across organisational boundaries.