RE: [CD] CD Proposal: VOTE (Voting Requirements)
> From: aleph1@SECURITYFOCUS.COM [mailto:aleph1@SECURITYFOCUS.COM]
> * Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 04:06]:
> > 7) If a voting member votes on a candidate for a security problem
> > found in a product owned by a competing organization, then that
> > member's vote cannot be counted towards the Quorum, unless the
> > competing organization has publicly acknowledged the problem.
> That's silly. So if NAI had not acknowledged the problem in Gauntlet
> then almost none of the vendor members of the CVE board could vote.
> You have to remember that almost everyone is a competitor of everyone
> else in this industry. This rule would reduce the number of people
> that could actually vote on some candidates drastically.
I think you're taking that to extremes, and that isn't what was intended.
As the first member of the board representing a software vendor who doesn't
_consume_ CVE entries, I thought it wouldn't be fair or proper for me to go
voting ACCEPT on every bug that comes along with say Sun's name on it.
You'll note that I generally NOOP anything that doesn't deal directly with
Microsoft products. I _voluntarily_ began this practice because I thought
it was the correct, ethical, and fair way to behave.
Also, I'm not sure about the exact count, but I don't think we're in any
real danger of running out of people to vote - for example, you and Russ may
indeed compete with one another, but neither of you are software vendors at
this point, and do not directly compete with anyone else on the list. Spaf
is in a similar situation. Mitre is certainly a neutral party.
This rule is merely an attempt to codify what is currently an informal,
voluntary practice. I think it is a good practice - most decision making
bodies allow members to recuse themselves for conflict of interest. Do you
have a better way of saying it?
One suggestion that I might make is that instead of making it a rule, it
could be made a guideline where members are just encouraged to NOOP entries
where the vendor is viewed as a direct competitor. There is also the case
where one vendor finds a bug in another vendor's product (e.g., I found an
exploitable BO in NetXRay 2.6 while at ISS), so it would be ridiculous for a
vendor to have found a bug, released an advisory on something that is
reproducible, and then not to be able to vote on that same bug. Perhaps
we're focussing too much on trying to make RULES that apply to every
possible situation when we can probably get by asking people to behave