[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE ID Syntax Change Voting - Procedures and Timeline (starts April 1)



Folks,

We apologize for the length of this email, but we want to make sure we have correctly captured comments received about the voting process, as well as to ensure the voting process is completely open and well understood.

This email will be posted on the CVE web site and other locations to ensure we don't miss any Board members due to outdated contact info, etc. If you are a CVE Editorial Board member and did not read this email on the cve-editorial-board list, please contact us immediately so we can update your contact info.

Based on the feedback and post-meeting comments from the Editorial Board meeting/call on February 26th, we have been in intense discussions regarding the specifics of conducting the vote on the options for the CVE ID Syntax change. 

In order to ensure that we have correctly interpreted the wishes of the Board, we are extending the comment period to allow discussion of the vote proposal. The revised timeline is as follows (all dates and times are US EDT):
 - Sunday, March 31, 2013 - Comment and discussion period closes at midnight EDT
 - Monday, April 1, 2013 - Official voting period opens
 - Sunday, April 14, 2013 - Official voting period closes at midnight EDT

*Please note* -- no one has "voted" yet.
- All of the comments received to date are purely the opinions of the respective commenter, even if phrased as "I/we vote for ..."
- The official voting period has not been opened.
- None of the input received to date is an official vote.
- Board members will need to send (or resend) their selections for a preferred option. (More below.) 

Incorporating comments received and based on further discussion, we propose the following for the call and management of the vote. More information about the major points follows the list.

1. The voting process should be completely open and public, and will be posted and archived on the CVE web site. 
2. Voters must list a first and second choice and clearly indicate which option is the first choice and which is the second.
3. All votes must include a short write up of the reason(s) for supporting or not supporting each of all three options.
4. Only votes received by the mailing list before midnight US EDT on Sunday, April 14, 2013 will be counted.
5. Only one vote per organization will be accepted, regardless of how many eligible voting members are in a specific organization.
6. If more than one Board member from the same organization votes, only the first vote received will be counted.
7. Some Board members are excluded from the vote for other reasons - details are in the list of Board members (below).
8. No changes to a vote will be accepted; no reclama.
9. At least a simple majority of the eligible Editorial Board members is required for the overall vote to be declared valid.
10. At least a simple majority of the votes cast is required for any option to be selected.


1. Open voting process
------------------------------
All votes and comments will be sent to the Editorial Board list and will be copied to the CVE web site.


2. Voters must list a first and second choice
----------------------------------------------------------
To help obviate a need for a second, "run off" vote, each voting member must indicate a first and second choice (including a comment for each) and clearly indicate which option is their first choice and which is their second choice.


3. Reason(s) for or against each option
--------------------------------------------------
A short write up or comment for/against each option is required as part of the vote, i.e., for all three options. This was requested by Board members, and will capture both the votes and reasons for the votes for the archive.


4. Only votes with a timestamp before midnight US EDT on Sunday, April 14, 2013 .
-----------------------------------------------------------------------
If a vote is received at or later than 00:00:00 US EDT Monday, April 15, 2013 it will not be counted. If a member wants to ensure that their vote will be counted, they need to take into account the many kinds of delays that may occur between hitting "send" and receipt. The only exception to this condition will be if the mailing list is unavailable.


5., 6. Only one vote per organization; first vote counts
-----------------------------------------------------------------------
Board members from the same organization should coordinate their organization's vote. In the event of duplicate submissions from the same organization, only the first vote received will be accepted.


7. Some Board members are excluded from the vote for other reasons
--------------------------------------------------------------------------------------------
Other conditions or circumstance may obviate a Board member's vote. These cases are noted (below).


8. No changes to a vote will be accepted.
-----------------------------------------------------
Your first vote is the only vote that counts. If necessary, we will go to a "tie breaker" after the voting period closes using voters' expressed second choices, but there will not be a re-vote.


9. At least a simple majority of the eligible Editorial Board members is required for the overall vote to be declared valid.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
The overall vote will not be accepted as valid unless at least a simple majority of the eligible Board Members votes. As of this email, we believe there are 23 CVE Editorial Board members/organizations that are eligible to vote (list below), which means there must be at least 12 votes cast in total for the overall vote to be declared valid. Please note that this is 12 votes *total*, not 12 votes for a specific option.


10. At least a simple majority of the votes cast is required for any option to be selected.
------------------------------------------------------------------------------------------------------------------
Please take careful note of this statement. Although a simple majority of the eligible Board members must cast a vote for the overall vote to be declared valid, only a simple majority *of_the_valid_votes_cast* is required for an option to be selected. Please note that this means that if, for example, only a total of 12 votes are received, it will only require 7 votes for any given option to be selected.


********************************************************

Current CVE Editorial Board Members eligible to vote

If you believe you are eligible to vote and are not listed below, please contact us immediately at cve@mitre.org.

Name Org
--------------------------------------------------------------
Ken Williams CA
Andy Balinsky Cisco
Ken Armstrong EWA-Canada
Bill Wall  Harris STAT
Jimmy Alderson or Troy Bollinger IBM
Tim Collins Independent
Al Huger Independent
Scott Lawler Lightspeed
Kent Landfield McAfee
Adam Shostack Microsoft
Steve Christey MITRE
Tim Keanini nCircle
Harold Booth or Peter Mell NIST
Russ Cooper NTBugtraq
Brian Martin OSVDB
Pascal Meunier or Gene Spafford Purdue
Mark Cox Red Hat
Carsten Eiram Risk Based Security
Alan Paller  SANS
Casper Dik Oracle (Sun)
Mike Prosser  Symantec
Matt Bishop  UC Davis
Art Manion  US-CERT

Other Board members who are listed on the CVE web page but are not eligible to vote include other MITRE staff (Steve Christey holds the official MITRE vote), and Tom Stracener (although he is Independent) is excluded because he is currently on contract with MITRE.

Please let us know immediately of any thoughts, comments or concerns.

We deeply appreciate the involvement and participation of the Editorial Board in shaping this important discussion and in the upcoming vote.

Best Regards,
The MITRE CVE Team



 
Page Last Updated: October 03, 2014