RE: [CD] CD Proposal: VOTE (Voting Requirements)
> From: 'aleph1@SECURITYFOCUS.COM' [mailto:aleph1@SECURITYFOCUS.COM]
> * David LeBlanc (email@example.com) [000613 22:28]:
>
> > This rule is merely an attempt to codify what is currently an informal,
> > voluntary practice. I think it is a good practice - most decision making
> > bodies allow members to recuse themselves for conflict of interest. Do you
> > have a better way of saying it?
>
> I'd rather see a method for the owner of a vulnerable product or service
> to contest a CVE entry. In particular I would give them a way to
> state they believe some of the votes approving the CVE entry are
> malicious and with competition in mind. We could then vote again,
> including the entities they claim are malicious, but have a higher
> standard to approve the contested CVE entry (e.g. we would need
> 6 votes instead of 3).

I don't see that this procedure would take the place of either a rule or a guideline which states that conflicts of interest are to be avoided. Personally, I'm going to NOOP anything that affects a vendor of products which compete with Microsoft, even if I have direct knowledge of the bug. Just seems to be the ethical thing to do.

We don't currently have a problem with other people doing anything wrong, and given the caliber of people on the board, I don't think we are in any real danger of having a substantial problem. I think that all we really need to do here is make a guideline, and then let Steven work personally with anyone who he thinks doesn't understand the way we work.

We're making this whole thing a lot harder than it needs to be. My $0.02.