RE: [CD] CD Proposal: VOTE (Voting Requirements)
> From: 'aleph1@SECURITYFOCUS.COM' [mailto:aleph1@SECURITYFOCUS.COM]
> * David LeBlanc (firstname.lastname@example.org) [000613 22:28]:
> > This rule is merely an attempt to codify what is currently
> an informal,
> > voluntary practice. I think it is a good practice - most
> decision making
> > bodies allow members to recuse themselves for conflict of
> interest. Do you
> > have a better way of saying it?
> I rather see a method of the owner of a vulnerable product or service
> to contents a CVE entry. In particular I would give them a way to
> state they believe some of the votes approving the CVE entry are
> malicious and with competition in mind. We could then vote again,
> including the entities they claim are malicious, but have a higher
> standard to approve the contested CVE entry (e.g. we would need
> 6 votes instead of 3).
I don't see that this procedure would take the place of either a rule or a
guideline which states that conflicts of interest are to be avoided.
Personally, I'm going to NOOP anything that affects a vendor of products
which compete with Microsoft, even if I have direct knowledge of the bug.
Just seems to be the ethical thing to do. We don't currently have a problem
with other people doing anything wrong, and given the caliber of people on
the board, I don't think we are in any real danger of having a substantial
I think that all we really need to do here is make a guideline, and then let
Steven work personally with anyone who he thinks doesn't understand the way
we work. We're making this whole thing a lot harder than it needs to be.