RE: [CD] CD Proposal: VOTE (Voting Requirements)
> From: aleph1@SECURITYFOCUS.COM [mailto:aleph1@SECURITYFOCUS.COM]
>
> * Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 04:06]:
> >
> > 7) If a voting member votes on a candidate for a security problem
> > found in a product owned by a competing organization, then that
> > member's vote cannot be counted towards the Quorum, unless the
> > competing organization has publicly acknowledged the problem.
>
> That's silly. So if NAI had not acknowledged the problem in Gauntlet
> then almost none of the vendor members of the CVE board could vote.
> You have to remember that almost everyone is a competitor of everyone
> else in this industry. This rule would reduce the number of people
> that could actually vote on some candidates drastically.

I think you're taking that to extremes, and that isn't what was intended. As the first member of the board representing a software vendor who doesn't _consume_ CVE entries, I thought it wouldn't be fair or proper for me to go voting ACCEPT on every bug that comes along with, say, Sun's name on it. You'll note that I generally NOOP anything that doesn't deal directly with Microsoft products. I _voluntarily_ began this practice because I thought it was the correct, ethical, and fair way to behave.

Also, I'm not sure about the exact count, but I don't think we're in any real danger of running out of people to vote - for example, you and Russ may indeed compete with one another, but neither of you are software vendors at this point, and do not directly compete with anyone else on the list. Spaf is in a similar situation. Mitre is certainly a neutral party.

This rule is merely an attempt to codify what is currently an informal, voluntary practice. I think it is a good practice - most decision-making bodies allow members to recuse themselves for conflict of interest. Do you have a better way of saying it?
One suggestion that I might make is that instead of making it a rule, it could be made a guideline where members are just encouraged to NOOP entries where the vendor is viewed as a direct competitor. There is also the case where one vendor finds a bug in another vendor's product (e.g., I found an exploitable BO in NetXRay 2.6 while at ISS), so it would be ridiculous for a vendor to have found a bug, released an advisory on something that is reproducible, and then not to be able to vote on that same bug. Perhaps we're focussing too much on trying to make RULES that apply to every possible situation when we can probably get by asking people to behave ethically.