
RE: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]



Kent,

I guess the 2-week review period has maybe been one of those unwritten rules that Steve alluded to?  Here's some background.

During my tenure as the primary person responsible for Editorial Board nomination and approvals, I generally used 2 weeks as a minimum time frame for these kinds of "binding" decisions, as a convenience to Editorial Board members and to ensure that everybody had sufficient opportunity to have their perspective be heard.  The rationale was: if we are to continue to have industry-leading representatives on the Editorial Board, then it stands to reason that they will often be busy, so we should be considerate of Board members' busy schedules.

To my way of thinking, only 1 week is too little - what if a member happens to be on vacation, international travel, or some other commitment during that single week?  This led to my personal rationalization for a 2-week minimum, plus a periodic reminder to Board members in case a discussion topic fell off some people's plates.

With respect to the organizations vs. individuals question - during my tenure as the primary person handling Editorial Board activities, the individual was the most critical.   However, in seeking appropriate organizational diversity for the many different perspectives of CVE, the parent organization was often important, too (see the categories we've generally used at http://cve.mitre.org/community/board/index.html).  So, when a person left one organization for another - often for a very different position - it would typically leave a gap in the Board's makeup.  I didn't simply *add* a new member, but the original parent organization was given an opportunity to nominate a replacement, and the replacement would be put through the typical nomination/approval process.  Over the years, there have been several occasions in which an organization hasn't asked or hasn't been able to provide a qualified prospect.

I hope that provides some useful historical context.

- Steve

=========================================

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent
Sent: Monday, April 13, 2015 5:34 PM
To: Boyle, Stephen V.; Carsten Eiram
Cc: cve-editorial-board-list
Subject: Re: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Here are a few items that are included in the attached doc but I wanted to call them out for the sake of discussion.

Links don't work but others have stated that.

1. I would like to see the following paragraph replaced with the suggested text.

Organizations are limited to two representatives on the CVE Editorial Board. Each organization is encouraged to have two representatives, an implementer and a liaison, on the Board. Implementers include content team members, vulnerability analysts, security researchers, and incident responders. Liaisons include product managers, product strategists, chief technology officers, and marketing representatives.

Replace with:
In an effort to guard against organizational bias, a single organization may be represented by a maximum of two individuals with the expectation that one individual would be focused on strategic direction and the other individual would be focused more on technical decisions.
2. In the process for adding a new board member I recommend removing the following bulleted item.
A replacement is sought for a departing Board member.
I do not think this is what has been done in the past. If this is more a Board of contributing individuals, this makes it sound as if we are going back to the same company looking for a body. I believe the bulleted items previously listed cover the need.
3. In the MITRE Evaluation. The last bullet states: "The prospect, and the prospect's parent organization, approves the level of effort required for the prospect's participation."
Will the organization have any say? That should be between the company and the employee? Will MITRE be notifying the organization of the amount of time a person will be required to participate? I don't think that's been the case in the past. People can do a massive amount of CVE work (massive is subjective here. ;-)) after hours if need be. Not sure they really need company approval in all cases.
4. The Editorial Board members are allowed at least 2 weeks to provide feedback on a candidate. Do we really need to delay it two weeks? I'd say one is more than enough but that's just my opinion. I believe people ignore these types of action and the more you delay it, the more they forget to respond. Maybe if Board members requested additional information, an additional week could be added, but I am not sure we have really had that situation too often in the past. Personal preference since I tend to forget in my old age. ;)

5. Statement:
To maintain the limit of two representatives per organization on the CVE Editorial Board, if a merger or acquisition results in an organization having more than two individuals on the Board, then the organization must choose which two individuals will remain on the Board.

General comment:
Maybe one could be a non-voting member but able to participate in all other respects. I REALLY hate kicking off good people due to situations beyond their control.
Kent Landfield
Director, Standards and Technology Policy
Intel
+1.817.637.8026

From: <Boyle>, "Stephen V." <sboyle@mitre.org>
Date: Tuesday, April 7, 2015 at 2:59 PM
To: Kent Landfield <Kent_Landfield@McAfee.com>, Carsten Eiram <che@riskbasedsecurity.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>, "Boyle, Stephen V." <sboyle@mitre.org>
Subject: RE: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Hi Kent and Carsten,

Thank you for your always-thoughtful comments and recommendations. 

We do not mean to imply that the subject documents have suddenly taken on a new, higher level of importance to the CVE Editorial Board. To the contrary, we have developed many unwritten rules over the years - some of which may be buried in pages of Board discussion threads from years ago, others of which were decided internally by MITRE or developed as "common practice" - and we are beginning to document these rules and practices explicitly. In this case, we simply thought we'd start by picking off the processes and documents that would be most straightforward, and where we thought the Board would be most likely to quickly come to agreement. As always, we are actively seeking Board member comments and suggestions on both documents, and we plan to discuss them during the Board meeting at RSA.

I'm not surprised the documents look like efforts for the OVAL Board - we spoke with the OVAL team quite a bit leading up to those efforts. Your comments based on the efforts relating to the OVAL Board are well-founded, as are the cautions. CVE has traditionally been a "one member - one vote" model, regardless of whether the member was an independent or an organization, as we saw during the Syntax ID change voting. 

We do not want nor expect the Board to ever be comprised solely of organizational representatives. By its nature and purpose, the CVE Editorial Board should be, and should always continue to be, representative of the entire community. That alone requires that the Board include independent members. We mention that point (albeit not very explicitly) on the CVE Editorial Board web page, and leave it open in the draft documents. I personally like the way you phrased the Board membership as "...based on the individuals who have contributed to this community and to CVE."  I can see places in the document where we can make it more explicit that we seek independent members that can contribute and who view CVE Editorial Board membership to hold (again, as you said), "a personal responsibility to the community."

With respect to the comment in the document encouraging organizations to have "an implementer and a liaison," we put that in partly to try to encourage more engagement within organizations where the "implementer" (or, to Carsten's point, technical) member can sometimes be invisible to those in an organization who might or should otherwise understand CVE within their own organizational context.

We agree that Board members should be active and engaged, and we are seeking comments on the drafts to help us formalize CVE's and the community's best interests.

Best Regards,
Steve Boyle


From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com] 
Sent: Wednesday, April 01, 2015 4:30 PM
To: Boyle, Stephen V.; cve-editorial-board-list
Subject: Re: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Hi Steve,

Can I ask why this is important now? Not like it has been an issue since 2001. ;-) I am really just a bit curious. This looks like something we put together on the OVAL Board. There was a reason we did so there that may not be all that valuable here. The intent was to assure promotion of OVAL and at the same time we were seeing a growing number of companies asking to have more than one representative. We wanted to: (From the OVAL Board info)

In an effort to guard against organizational bias, a single organization may be represented by a maximum of two individuals with the expectation that one individual would be focused on strategic direction and the other individual would be focused more on technical decisions.

We also only allowed one vote per organization because not all organizations had two members. In reality the process cost us a good participating individual. We had a situation where one organization ended up with three people and the organization decided who would be on the list. This meant we lost one of the more consistent contributors while keeping a less participating member.

I have always felt the CVE Editorial Board not to be organizationally-based but rather based on the individuals who have contributed to this community and to CVE. Yes, because we have more than one person from specific companies, the voting process needs to use the organizational slant to reduce the possibility of organizational bias in the vote results, but I have always viewed the Board not as an organizational responsibility but a personal one because of my belief in the value of CVE.
Recommending two people from each company seems to bloat and dilute the Board. By injecting those who are not as passionate about CVE and its value, we end up with individuals who look at this more as a resume item instead of a personal responsibility to the community.

JMHO..

Kent Landfield
Director, Standards and Technology Policy
Intel Security
+1.817.637.8026

From: <Boyle>, "Stephen V." <sboyle@mitre.org>
Date: Wednesday, April 1, 2015 at 9:50 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Cc: "Boyle, Stephen V." <sboyle@mitre.org>
Subject: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Some people have asked us for editable versions of the two Editorial
Board governance document drafts we recently sent out for your
review and comments. Attached please find MS-Word (.docx) versions
of both documents for your review and comments.

We appreciate your time and attention reviewing the drafts, and we 
want to thank those of you who have already provided your comments.

As we requested in the original transmittance email:
- Please review the documents and send us your comments before April 13th.
- If you do not have any comments or suggestions, a quick email to us
  saying so will record the fact that you have read and reviewed the drafts.

Best Regards,
The MITRE CVE Team





Page Last Updated or Reviewed: April 14, 2015