[CVEPRI] Content Decision Adoption Process
As mentioned in the past, a large number of candidates are being held
back by content decisions that have not been fully discussed by the
Editorial Board. There are over 40 content decisions at this time.
Many content decisions (CD's) were proposed in summer 1999, but only a
few of them received sufficient review by the Editorial Board, as this
took place just before CVE was publicly released. Additional
discussions took place at the AXENT meeting in March 2000.
As of this posting, almost 300 active candidates are affected by
unresolved content decisions. That's almost half of all active
candidates. 50 candidates are documented in security advisories from
trusted organizations. 70 could be ACCEPTed right now if they were
not being held back by unresolved CD's, and another 100 are one more
Of the most concern, however, is the fact that 170 of those candidates
have been active since before September 1999. Almost 60 of them will
turn a year old in June!
Unresolved content decisions are a critical bottleneck at this time,
since they are holding back important candidates for serious problems
that should be official entries by now. Past experience indicates
that some of these CD's could be debated for months, leaving
candidates languishing in the process. On the other hand, I believe
it is important that the Editorial Board at least review these issues
so that the finalized content decisions are well thought out and
With this in mind, I propose the following approach:
1) Several content decisions will be proposed to the Board per week,
with the most critical ones first. The [CD] tag will be used in
the Subject lines. Specific examples will be provided. Affected
candidates will be labeled in the voting record so that non-Board
members can see why some year-old candidates are languishing. The
new Board voting site, when published, will list the associated
CD's with the candidate. CD's are already listed in vote
2) The Board will be given 1 month to review and discuss the CD's.
This reduces the chance that vacations or deadlines prevent a Board
member from reviewing the CD, but it also allows us to finalize
them quickly and allow the associated candidates to move into
Interim and Final Decisions.
3) CD's will be modified appropriately as the Board reaches consensus.
Dissenting opinions will also be recorded.
4) After one month, MITRE will hold a vote to adopt the CD. The
voting period will last 2 week. MITRE will then use the vote to
guide its Final Decision (it is expected that very few CD's will
receive unanimous approval). A minimum of 5 votes will be
required, and the majority of those votes will be deemed sufficient
for adoption of the CD. The completed CD will be published on the
CVE web site so that interested individuals can obtain this
information. Dissenting opinions will also be included.
5) Affected candidates will be "released" and processed according to
normal voting rules.
The first set of content decisions will be proposed next week.
Feedback on this process is welcome.