
Re: Current standards/criteria for 'Undefined Behavior'

I really do not believe an additional list is needed but I threw that out since I have NO inclination to change how the Board is constructed or operates. What Kurt wanted was something that could be done internally at Red Hat and does not need to affect the Board’s processes and procedures.  No changes are needed here. 


I have no issues with reexamining the Charter. I do think there are a few things that need to be enhanced as we have seen over the last 6 months.



Kent Landfield




From: "Coffin, Chris" <ccoffin@mitre.org>
Date: Wednesday, July 12, 2017 at 10:45 AM
To: Kent Landfield <Kent_Landfield@McAfee.com>, "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>, "kurt@seifried.org" <kurt@seifried.org>, "balinsky@cisco.com" <balinsky@cisco.com>
Cc: David Waltermire <david.waltermire@nist.gov>, "pmeunier@cerias.purdue.edu" <pmeunier@cerias.purdue.edu>, "che@riskbasedsecurity.com" <che@riskbasedsecurity.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Current standards/criteria for 'Undefined Behavior'


Kent is correct when stating that the Board is comprised of “individuals.” He also correctly references the Board Charter (http://cve.mitre.org/community/board/charter.html), and separating the individual from the organization was definitely the intent in multiple other parts of the charter. Adding an organization-specific contact, even as a backup, seems to be moving away from the original intent. If there is a desire to go this route then an update to the Board Charter would be needed. Speaking to the suggested idea of having an organization-specific backup on the Board list, there wasn’t any mention made of how this would affect the private list. Was the original suggestion intended to apply to both lists?


On the other hand, there seems to be a legitimate call for better communication of the Board minutes and decisions made. The Board meeting minutes can currently be obtained publicly via the News section of the CVE web site (http://cve.mitre.org/news/archives/2017/news.html), or via the Nabble archive at http://common-vulnerabilities-and-exposures-cve-board.1128451.n5.nabble.com/.


If others feel it is appropriate, a separate mailing list specifically for Board meeting minutes could be created. Another option would be to push the meeting minutes via the CVEannounce Twitter feed and/or the CVE LinkedIn page.


Other ideas or thoughts?






From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Tuesday, July 11, 2017 12:13 PM
To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; kurt@seifried.org; balinsky@cisco.com
Cc: david.waltermire@nist.gov; Coffin, Chris <ccoffin@mitre.org>; pmeunier@cerias.purdue.edu; che@riskbasedsecurity.com; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Current standards/criteria for 'Undefined Behavior'


I absolutely am not! 


I have no problem having another contact list for emailing various Board related messages out but organizational reps are against the spirit of the Board.  People are not on the Board because they work for “Foo”. The Charter of the Board states, “The Board comprises a set of passionate individuals wishing to advance CVE and vulnerability identification.”  The key there is individuals.  If there is a need that is so timely to get Board minutes out then let’s create an email list that can include the Board members plus other members as interested.


Board members should have the capabilities to talk amongst themselves.  Adding organizational representatives for local corporate needs is not beneficial to the effort. 


There are ways to deal with what Kurt wants without forcing changes to how the Board works.  From a CNA perspective, his request makes sense. From a Board decision making process perspective it does not at all.



Kent Landfield





I'm actually in favor of that idea. It would definitely help if we could have a designated #2 rep on the board.

Tom Millar, US-CERT

Sent from +1-202-631-1915


From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Tuesday, July 11, 2017 3:11:56 AM
To: Andy Balinsky (balinsky)
Cc: Waltermire, David A. (Fed); Coffin, Chris; Landfield, Kent;
pmeunier@cerias.purdue.edu; Carsten Eiram; cve-editorial-board-list
Subject: Re: Current standards/criteria for 'Undefined Behavior'

One thing: would it be acceptable to consider having organizations on the board minutes/email rather than individuals? By this I mean at Red Hat we have myself and (I think..) still mjc@redhat.com on this, but if I'm on vacation/etc. it would be nice if the minutes/board email could go to secalert@redhat.com (the incoming team, and from there whoever at Red Hat security needs to be involved). 


My goal long term with the DWF for example is to be dependent on processes that are driven by people, and NOT to be dependent on specific people (I want the bus factor to be N-1 =). 


On Mon, Jul 10, 2017 at 6:01 PM, Andy Balinsky (balinsky) <balinsky@cisco.com> wrote:

I think that the clock (however many days it is) needs to start from publication of the minutes, just like the US Federal government uses X days from publication in the Federal Register for its comment periods. 


There have been occasions where the minutes have not come out in a timely fashion (3 May minutes released 31 May), and this would not be fair to other board members who were not on the call. It would provide both a consistent standard, and an incentive to get the minutes out on time. Any delays would impede finalization of any proposed decisions made in that meeting. 


Maybe we need an SLA for the publication of the minutes, too, like within 7 days of the meeting.




On Jul 10, 2017, at 10:27 AM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:



I think we want consensus (the lack of sustained objection) over


If a new option is chosen on the call, a new discussion period will be started

to provide a means for the board to provide feedback.
The first time I read through your response, I took this as a way to extend the
decision indefinitely. However, I think what you are saying is that if the
decision is changed in a substantial way, we would want to have all board
members review the decision again as if it were a new decision entirely. I
think this makes sense and should be left as an option in cases where there is
sustained objection. However, what I think we want to avoid is the case
where a decision is held up by a single Board member indefinitely.

Sure. We want transparency, not bureaucratic deadlock. I was only concerned about the lack of transparency that could result from a new change.


Also, I would assume that two weeks starts from the time that minutes are

Kent had originally stated one week, and I extended this based on the board
call schedule since we would want to get consensus before or during the
next call. Assuming we get the meeting minutes out within the same week as
the call, I think this still gives about a week and a half for mailing list
discussion. Does a week and a half sound reasonable?

Why not set a minimum of 1 week and allow some flexibility to expand the period as needed for issues that will need more time?



Andy Balinsky (balinsky)

PSIRT Engineering






Kurt Seifried

Page Last Updated or Reviewed: July 12, 2017