[Date Prev][Date Next
][Thread Prev][Thread Next
[CD] CD:VOTE (Voting Requirements)
Following is the latest version of the CD:VOTE content decision, which
takes effect immediately.
Modifications have been made in accordance with feedback from the last
few Editorial Board meeting, as well as discussions on the Editorial
Board mailing list, with the implied consent of Board members who did
not comment throughout the course of CD:VOTE's evolution over the past
15 months. Dissenting opinions are also registered.
CD:VOTE (Voting Requirements)
Date: October 2, 2000
A candidate must satisfy minimum voting standards before it can become
an official CVE entry.
All definitions are informal.
The "Candidate Numbering Authority" (CNA) is the entity that is
responsible for assigning candidate numbers to security problems, and
ensuring that candidates satisfy all approved content decisions. As
of October 2, 2000, MITRE is the only CNA.
The "CVE Editor" is the individual(s) who makes Interim and Final
Decisions to ACCEPT or REJECT candidates. As of October 2, 2000, the
CVE Editor is Steve Christey.
A "voting member" is any member of the Editorial Board who votes on a
candidate, not including the CVE Editor.
A "Quorum" is the minimum number of votes that must be cast in order
to move the candidate to the Interim and Final Decision phases.
A candidate must satisfy all of the following voting requirements
before an Interim or Final Decision can be made.
Establishing a Quorum
1) To be ACCEPTed, a candidate must obtain enough votes to establish
a Quorum. A Quorum is established if any of the following occur:
- At least 3 voting members ACCEPT the candidate, not including the
original discoverer of the problem
- *Or*, at least 2 voting members ACCEPT the candidate, and the
vendor has publicly acknowledged that the problem exists, and
neither of the 2 voting members are a representative of that
2) If multiple members from the same organization vote on the same
candidate, then only one of those votes may be counted towards the
Quorum. If the members cast conflicting votes, then it is up to
them to decide which vote is to be used in establishing a Quorum.
3) There must be more ACCEPT votes than REJECT votes for a candidate
to be included in the official CVE list. The CVE Editor should
work with disagreeing voters to establish consensus, if possible.
If consensus cannot be achieved in a timely fashion, then the
Editor may make the decision based on reviewed content decisions
and voter feedback. The Editor must define the process by which
voting conflicts are resolved.
4) An Editorial Board member who belongs to the CVE Editor's
organization may vote and be included in the Quorum, provided the
member is not the Editor. The Editor may only "vote" as part of
the Interim or Final Decision.
Timeliness of Votes
5) After its initial proposal, the candidate must not be moved to the
Interim Decision phase for at least 2 weeks.
6) The CVE Editor must determine that further discussion of the
candidate will not affect the decision with respect to the
candidate, *or* it is in the best interests of CVE to make a
7) If a voting member casts a REVIEWING vote, then the Editor may
delay an Interim or Final Decision for at least 2 weeks after the
vote was cast. After the 2 week time period, the Editor may extend
the delay, or disregard the REVIEWING vote and move the candidate
to Interim Decision. The Editor must notify the Board member
before the phase change occurs.
Voting and Content Decisions
8) The Candidate Numbering Authority (CNA) and the CVE Editor are
responsible for interpreting whether a REJECT vote is contradictory
to reviewed content decisions, and they must make the voter aware
of the contradiction.
9) The candidate must not be affected by any content decisions (CD's)
that have not been sufficiently reviewed by the Editorial Board.
If it is, then it must not be moved to Interim or Final Decision
until the associated content decisions have been reviewed by the
Board. The CVE Editor must define a separate process for
determining when content decisions have been sufficiently reviewed.
Additional Guidance for Voters
1) A voting member should only ACCEPT a candidate if:
- they believe that the related problem really exists
- they believe that the problem is not a duplicate of existing
candidates or entries
2) A voting member is encouraged, but not required, to review the
candidate with respect to reviewed content decisions. It is the
responsibility of the CVE Editor to ensure that all candidates
satisfy reviewed content decisions before they are accepted as
official CVE entries.
3) A voting member should vote on candidates according to reviewed
content decisions, instead of their own personal preferences.
Informally, a voting member should not REJECT a candidate if all of
the following apply:
- the candidate is not a duplicate of other candidates/entries
- it satisfies all reviewed content decisions (CD's)
- it satisfies CVE's vulnerability/exposure definition
Examples: if a voter doesn't believe a candidate should be included
in CVE because they wouldn't include it in their own database, but
a reviewed inclusion CD specifically allows it, then the voter
should not vote to REJECT. Or, if the voter prefers to use a level
of abstraction that is contrary to reviewed abstraction CD's, the
voter should not vote to REJECT or RECAST. A voter may use an
ABSTAIN or NOOP vote instead.
On the other hand, if a voter disagrees with the inclusion or
abstraction of a candidate, and there are no CD's which affect the
candidate (or, the CD has not been sufficiently reviewed by the
Board), then the voter may vote to REJECT or RECAST accordingly.
4) A voting member should not vote for a candidate that is related to
a security problem in a competitor's product, unless the competitor
has acknowledged that the problem exists. The CVE Editor must
identify and resolve circumstances in which voting occurs for
strictly competitive reasons.
5) A voting member may indicate that their REVIEWING vote does not
have to delay the acceptance of the candidate.
Some Editorial Board members believe that voters should be formally
prevented from voting on vulnerabilities in competitors' products.
However, in some cases, this restriction could significantly limit the
number of voters who could vote on some candidates. In addition, it
is uncertain as to how "competitors" are defined.
In summer of 1999, Editorial Board members advocated that other Board
members in the CVE Editor's organization should not vote. In several
Board meetings during 2000, however, members who expressed an opinion
agreed that this restriction should be lifted, provided the votes
occurred independently of the CVE Editor. This includes some members
who had originally objected to this approach in 1999.
Content Decision History
The following URL's provide supporting context for the evolution of
this content decision. They include Editorial Board meeting summaries
and discussion threads on the Editorial Board mailing list.
Background information on the voting process is at
Board meeting summaries: