RE: [CD] CD Proposal: VOTE (Voting Requirements)
> 5) If a voting member casts a REVIEWING vote, then the Editor may
> delay an Interim or Final Decision for at least 2 weeks after the
> vote was cast. After the 2 week time period, the Editor may extend
> the delay, or disregard the REVIEWING vote and move the candidate
> to Interim Decision.

Fine, as long as there is a REVIEWING WITHOUT DELAY voting option that indicates to everyone that the issue is being reviewed by the voting member, but should not be delayed in the approval process.

> 7) If a voting member votes on a candidate for a security problem
> found in a product owned by a competing organization, then that
> member's vote cannot be counted towards the Quorum, unless the
> competing organization has publicly acknowledged the problem.

Does this include the inferred vote that occurs when a competing organization casts a MODIFY vote? Also, how is a competing organization defined? Is it compartmentalized by vendors, academic, and government, or perhaps IDS, VA, and other security products? (For that matter, are voting members in the academic and governmental communities perceived as competitors? :-) )

On a similar issue, would a MODIFY followed by a reference citation into a voting member's database constitute a public acknowledgement of the problem? I think I know the answer to this question, but I would like to see it articulated for the record.

> Guidance
> --------
[...]
> 3) A voting member should vote on candidates according to approved
> content decisions, instead of their own personal preferences.
> Informally, a voting member should not REJECT a candidate if all of
> the following apply:
> - the candidate is not a duplicate of other candidates/entries
> - it satisfies all approved content decisions (CD's)
> - it satisfies CVE's vulnerability/exposure definition

Would it be appropriate to add a "no supporting documentation" clause to this list? Although recent entries do not (usually) have this problem, some older CANs have no references. It's not good form to prevent a voting member from casting a REJECT just because CVE claims that an issue exists without external support.

> 4) A voting member should not vote for a candidate that is related to
> a security problem in a competitor's product, unless the competitor
> has acknowledged that the problem exists.

Again, would a MODIFY followed by a reference citation suffice as acknowledgement?

Personally, I'm in it for the security, and I'll leave the cutthroats in Marketing. :->

Thanks for getting these content decisions rolling.

Andre Frech
afrech@iss.net
Internet Security Systems
(678)443-6241
http://www.iss.net