[CVEPRI] CVE Editorial Board Roles, Tasks, and Qualifications
Below is the final version of the document that describes the roles, tasks, and qualifications for Editorial Board members. This will be published on the CVE Web site.

The main changes are:

- added "Recognition of Former Members" section that distinguishes between Emeritus, "former contributing members," and members who did not contribute

- added minimum 3 years experience as a "strong recommendation" for technical members, with a preference for 5.

- Steve


CVE Editorial Board Roles, Tasks, and Qualifications
----------------------------------------------------

Version: 1.2
Modified: September 10, 2001

=================================================================
Introduction
=================================================================

This document clarifies the roles, tasks, and qualifications for CVE Editorial Board members. Much of the background discussion was held during a meeting in March 2001, as documented in the summary at:

http://cve.mitre.org/board/archives/2001-03/msg00014.html

Roles for Editorial Board Members
---------------------------------

Note that some members may have more than one role on the Editorial Board. However, all members have only one primary role.

Technical members participate in the creation, design, review, maintenance, and applications of CVE.

Liaisons represent a significant constituency, related to or affected by CVE, in an area which does not necessarily have technical representation on the Board. In some cases, a liaison may represent an individual organization. This role may include software vendors.

Advocates actively support or promote CVE in a highly visible fashion. This role is reserved for respected leaders in the security community who help bring credibility to the CVE Initiative and give CVE a wider reach outside of the security community.

Emeritus members were formerly active and influential in the CVE Initiative. As a result of significant contributions, they maintain an honorary position on the Board.
Minimum Expectations for Editorial Board Members
------------------------------------------------

Board members must meet the minimum levels of effort consistent with the tasks that they undertake. If a Board member participates in multiple tasks, then the minimum expectations for each individual task may be lowered accordingly.

All members are expected to commit a minimum of 2 hours per month to maintain high-level awareness of ongoing CVE and Editorial Board activities. There may be additional requirements depending on additional tasks.

Participation should be consistent with respect to the specific task. Allowances can be made for extenuating circumstances that temporarily prevent a member from meeting the minimum level of participation.

=================================================================
Tasks for All Members
=================================================================

All members are expected to perform the following tasks.

1) Consultation: This includes participating in Board meetings, or discussion of ad hoc issues related to CVE content or Editorial Board processes such as content decisions, Board membership, or CVE compatibility.

2) Awareness: This includes participating in Board meetings and/or reading meeting summaries, and regularly reading posts on the Editorial Board mailing lists.

Many members may perform the following tasks.

1) Outreach. Some Board members actively promote CVE and educate the public about CVE, or introduce various contacts to MITRE within the CVE context.

2) Non-CVE activities. Some Board members may participate in activities that are undertaken under the Board context, but not directly related to CVE.

Expected Level of Effort
------------------------

The amount of effort for these tasks may vary widely. Each consultation task may require 1 to 10 hours, or more. Such tasks may occur approximately once every 2 months.
=================================================================
Technical Member Tasks
=================================================================

Each technical member should regularly perform one or more of the following tasks.

1) Voting on candidates. The primary task for most technical members is to review, comment on, and accept or reject CVE candidates that are proposed to the Editorial Board. Some members vote regularly; others vote on an ad hoc basis, e.g. when there is an effort to reach a specific content goal.

2) Content provider. Some Board members provide their vulnerability databases to MITRE for conversion into candidates, which ensures that CVE content is as complete as possible. Others are actively involved in candidate reservation. Others may be Candidate Numbering Authorities (CNAs), which are authorized to assign CVE candidate numbers to security issues before they are publicized.

3) CIEL. Members participate in the review and development of the Common Intrusion Event List (CIEL), a "CVE-for-IDS" which is currently being drafted by MITRE.

Expected Level of Effort
------------------------

Following is the amount of effort that is believed to be needed to participate regularly in a task.

1) Voting - approximately 3 hours per week, on a regular basis

2) Content provider - 1 to 5 hours, approximately once every 2 months

3) CIEL - approximately 1 hour per week, in the early stages

Qualifications for Technical Members
------------------------------------

1) Members should have at least 3 years of experience as a computer security professional (preferably 5 years). Exceptions may be made for members who have made noteworthy contributions to the security community.
2) Participants should be experts in the use or development of one or more of the following technical areas:

   - vulnerability assessment and related tools
   - intrusion detection and related tools
   - incident response or forensics
   - academic/research topics such as vulnerability or exploit analysis, taxonomies and classification, new security models, or programmer behaviors
   - related areas

3) Participants should have strong knowledge about computer security issues in most of the following areas:

   - concepts such as buffer overflows, race conditions, design errors, insecure configurations, etc.
   - commonly exploited vulnerabilities, or related tools
   - security models in operating systems, protocols, applications, etc.
   - vulnerability information sources, e.g. advisories, mailing lists, or hacker sites
   - extensive "real-world," operational experience in one or more of the areas described in (1)

   The participant's knowledge may be broad (e.g. general knowledge of various types of flaws in many different OSes) or deep (e.g. analysis of programming errors in a single OS or programming language).

4) Participants should be able to effectively identify and communicate technical issues that relate to CVE and their particular area of expertise.

5) Participants should have a demonstrated commitment to sharing information to enhance research or education, or to improving overall enterprise security, e.g. by active participation in conferences or other forums.

=================================================================
Liaison Tasks
=================================================================

Liaisons should perform one or more of the following tasks, in addition to those tasks that are required of all members.

1) The liaison must educate the liaison's own community about CVE, where appropriate.

2) The liaison must educate the Editorial Board about the needs and interests for CVE of the liaison's community, where appropriate.
3) If the member is a software vendor liaison, then the member must vote on candidates related to vulnerabilities in that vendor's products.

4) Liaisons may undertake other technical tasks.

5) The liaison should participate regularly in ad hoc consultation tasks, if the liaison previously agreed to perform those tasks.

Expected Level of Effort
------------------------

Liaisons will need to commit approximately 1-2 hours per week to maintain enough high-level knowledge of CVE and Editorial Board activities to effectively educate their constituency, and the Board, on CVE-related issues.

Qualifications for Liaisons
---------------------------

1) A liaison that represents a constituency beyond an individual organization must be visible and active in the liaison's constituency community.

2) A liaison that represents an individual organization must be able to effectively communicate with all other relevant parts of that organization.

3) Software vendor liaisons must be able to effectively communicate with the vendor's security and product development teams.

=================================================================
Advocate Tasks
=================================================================

1) Endorse CVE to constituencies that will benefit from it.

2) Foster better communication between constituencies.

3) Participate in Editorial Board activities, especially in decisions related to Board structure and strategic activities.

4) Advocates may undertake technical or liaison tasks.

Expected Level of Effort
------------------------

The expected level of effort is variable, but the advocate should participate at least once every 6 months.

Qualifications for Advocates
----------------------------

1) The advocate should be a recognized leader in the security community, as approved by members of the Editorial Board.
=================================================================
Emeritus Tasks
=================================================================

Emeritus members may participate periodically in technical, liaison, or advisory tasks.

Expected Level of Effort
------------------------

Emeritus members are not expected to participate regularly in the CVE Initiative, but they should participate in some task approximately every 6 months.

Qualifications for Emeritus
---------------------------

1) Emeritus members must have made significant contributions to the CVE Initiative, as determined by MITRE.

=================================================================
Recognition of Former Members
=================================================================

A person who has left the Editorial Board is recognized in one of the following ways:

1) If the person has qualified for Emeritus status, then the member is identified as Emeritus.

2) If the person did not qualify for Emeritus status but made clear contributions to CVE as determined by MITRE, then the member is identified as a former contributing member.

3) If the person did not make any measurable contribution to CVE, then the person is not identified as a former member.

=================================================================
Roles for MITRE
=================================================================

The following roles are unique to MITRE.

The CVE Editor is responsible for creating, publishing, and maintaining CVE content, including candidates, CVE versions, content decisions, etc.

The Editorial Board Chair is responsible for Editorial Board structure, recruitment, and activities.

Task leaders are responsible for one or more major strategic tasks such as community outreach, web sites, CVE compatibility, CVE content, future planning, and related work.

Content team members support the CVE Editor.