CVE Board Member Roles, Tasks, and Qualifications
June 12, 2015
Document version:
Roles for Editorial Board Members
Members may fulfill one or more of the following roles on the Editorial Board.
Technical Implementers provide input and guidance related to issues regarding the creation, design, review, maintenance, and applications of CVE. This role may include individuals who integrate CVE Identifiers into products, such as content and development engineers working for software vendors.
Subject Matter Experts (SMEs) represent a significant constituency that is related to or affected by CVE, and are domain experts in the vulnerability field. In some cases, an SME may represent an individual organization. This role may include representatives from software vendors who represent the needs of their company, customers, and partners, such as product managers and product strategists.
Advocates actively support or promote CVE in a highly visible fashion. This role is reserved for respected leaders in the security community who help bring credibility to the CVE Initiative and give CVE a wider reach outside of the security community.
Emeritus members were formerly active and influential in the CVE Initiative. As a result of significant contributions, they maintain an honorary position on the Board.
Minimum Expectations for Editorial Board Members
CVE Editorial Board members must meet the minimum levels of effort consistent with the tasks that they undertake. If an Editorial Board member participates in multiple tasks, then the minimum expectations for each individual task may be lowered accordingly.
All members are expected to commit a minimum of 2 hours per month to maintain high-level awareness of ongoing CVE and Editorial Board activities. There may be additional requirements depending on additional tasks.
Participation should be consistent with respect to the specific task. Allowances can be made for extenuating circumstances that temporarily prevent a member from meeting the minimum level of participation.
Tasks for All Members
All members are expected to perform the following tasks:
- Consultation: Participate in Editorial Board meetings or discussion of ad hoc issues related to CVE content or Editorial Board processes such as content decisions, Editorial Board membership, or CVE compatibility.
- Awareness: Participate in Editorial Board meetings or read the meeting summaries, and regularly read posts on the Editorial Board mailing lists.
Note: In general, if a member provides no response to an Editorial Board discussion topic, it is viewed as agreement. No response to an Editorial Board vote, however, is viewed as lack of participation.
Many members may perform the following tasks:
- Outreach: Actively promote CVE and educate the public about CVE, or introduce various contacts to MITRE within the CVE context.
- Non-CVE activities: Participate in activities that are undertaken under the Editorial Board context, but not directly related to CVE.
Estimated Level of Effort
The amount of effort for these tasks may vary widely. Each consultation task usually requires 1 to 10 hours, occasionally more. Such tasks may occur approximately once every 2 months.
Technical Implementer Tasks
In addition to those tasks that are required of all members, each Technical Implementer should regularly perform one or more of the following tasks:
- Oversight and Review: Review and comment on new CVE Identifiers, as necessary.
- Content Provision: Provide portions of their vulnerability databases to MITRE for conversion into CVE Identifiers, which ensures that CVE content is as complete as possible.
- Reservation and Assignment: Be actively involved in CVE Identifier reservation, or act as a CVE Numbering Authority (CNA), which is authorized to assign CVE Identifiers to security issues before they are publicized.
Expected Level of Effort
Technical Implementers are expected to provide oversight and review on an ad hoc, as needed basis. Those providing content should expect to spend 1 to 5 hours, approximately once every 2 months.
Qualifications for Technical Implementers
- Technical Implementers should have a minimum of 3 years of experience as a computer security professional (preferably 5 years). Exceptions may be made for individuals who have made noteworthy contributions to the security community.
- Technical Implementers should be experts in the use or development of one or more of the following technical areas:
- Vulnerability assessment and related tools
- Intrusion detection and related tools
- Incident response or forensics
- Academic/research topics such as vulnerability or exploit analysis, taxonomies and classification, new security models, or programmer behaviors
- Related areas
- Technical Implementers should have strong knowledge about computer security issues in most of the following areas. The individual's knowledge may be broad (e.g., general knowledge of various types of flaws in many different OSes) or deep (e.g., analysis of programming errors in a single OS or programming language):
- Concepts such as buffer overflow, SQL injection, open-redirect, cross-site scripting, etc.
- Commonly exploited vulnerabilities, or related tools
- Security models in operating systems, protocols, applications, etc.
- Vulnerability information sources, e.g. advisories, mailing lists, or hacker sites
- Extensive, real-world operational experience in patch prioritization, vulnerability scanning, policy compliance, and/or threat and incident management
- Technical Implementers should be able to effectively identify and communicate technical issues that relate to CVE and their particular area of expertise.
- Technical Implementers should have a demonstrated commitment to sharing information to enhance research or education, or to improving overall enterprise security, e.g., by active participation in conferences or other forums.
Subject Matter Expert Tasks
SMEs should perform one or more of the following tasks, in addition to those tasks that are required of all members:
- Community Education: Educate the SME's own user community in various aspects of CVE, where appropriate.
- Editorial Board Education: Educate the Editorial Board about the needs and interests for CVE within the SME-specific community, particularly relating to patch prioritization, vulnerability scanning, policy compliance, and/or threat and incident management.
- Other: Undertake other technical tasks and ad hoc consultation tasks.
Expected Level of Effort
SMEs are expected to commit approximately 1-2 hours per week to maintain enough high-level knowledge of CVE and Editorial Board activities to effectively educate their constituency, and the Editorial Board, on CVE-related issues.
Qualifications for SMEs
- SMEs who represent a constituency beyond an individual organization must be visible and active in that constituency's community.
- SMEs who represent an individual organization must be able to communicate effectively with all other relevant parts of that organization.
- SMEs must be familiar with patch prioritization, vulnerability scanning, policy compliance, and/or threat and incident management.
- Software vendor SMEs must be able to effectively communicate with the vendor's security and product development teams.
Advocate Tasks
Advocates should perform one or more of the following tasks, in addition to those tasks that are required of all members:
- Endorse CVE: Endorse CVE to constituencies that will benefit from it.
- Foster Communication: Foster better communication between constituencies.
- Editorial Board Participation: Participate in Editorial Board activities, especially in decisions related to Editorial Board structure and strategic activities.
- Other: Advocates may undertake Technical Implementer or SME tasks.
Expected Level of Effort
The expected level of effort is variable, but the Advocate should participate at least once every 6 months.
Qualifications for Advocates
- Advocates should be recognized leaders in the security community, as approved by members of the Editorial Board.
- Advocates must be knowledgeable about patch prioritization, vulnerability scanning, policy compliance, and/or threat and incident management.
Emeritus Tasks
Emeritus members may participate periodically in Technical Implementer, SME, or Advocate tasks.
Expected Level of Effort
Emeritus members may participate at will in the CVE Initiative, and are invited and encouraged to do so. However, there is no requirement for Emeritus member participation.
Qualifications for Emeritus
- Emeritus members must have made significant contributions to the CVE Initiative, as determined by MITRE.
Recognition of Former Members
A person who has left the Editorial Board is recognized in one of the following ways:
- If the person has qualified for Emeritus status, then the member is identified as Emeritus.
- If the person did not qualify for Emeritus status, but made clear contributions to CVE as determined by MITRE, then the member is identified as a former contributing member.
Editorial Board Roles for MITRE
The following roles are unique to MITRE:
- Editorial Board Moderator: MITRE, as moderator of the Editorial Board, is responsible for the structure of the Editorial Board, management of Editorial Board mailing lists and meetings, recruitment of new Editorial Board members, and additional Editorial Board activities.
- IP Protection: MITRE is responsible for protecting contributed and transferred intellectual property (IP) and makes non-competitive use of contributed IP, with appropriate licensing and access.
- Other: MITRE undertakes additional tasks, including CVE content creation, CVE website maintenance, CVE adoption, and community outreach.
For background discussion on Editorial Board Member Roles, Tasks, and Qualifications, refer to archived notes from a meeting held in March 2001, as documented in the summary at