CVE Board Charter

Date: May 9, 2018Document version: 2.6

Table of Contents

  1. Board Overview and Member Responsibilities
  2. 1.1 CVE Board Overview
    1.2 Board Member Backgrounds
    1.3 Structure of the Board
      1.3.1 Full Members
      1.3.2 Emeritus Members
      1.3.3 CNA Liaison Board Representative
      1.3.4 Board Moderator
    1.4 Minimum Board Member Responsibilities
    1.5 Role of the MITRE Corporation
    1.6 Board Member Compensation
    1.7 Size of the Board
  3. Board Membership and Operations
  4. 2.1 Selection of Full Board Members
      2.1.1 Full Board Member Prospect Evaluation
      2.1.2 Board Review and Vote
    2.2 Membership Approval
    2.3 Resignation from the Board
    2.4 Change in Affiliation
    2.5 Professional Conduct Guidance for All Board Members
    2.6 Removing Board Members
    2.7 CNA Representative Removal or Resignation
    2.8 Recognition of Former Members
    2.9 Term Limits
    2.10 Voting
      2.10.1 Proxy Voting
    2.11 Board Meetings
    2.12 Working Groups
  5. Board Charter Review
  6. 3.1 Steps for Charter Review and Update
  7. Appendix A. Board Nomination Form

    1. Board Overview and Member Responsibilities

    1.1 CVE Board Overview

    The CVE Board (the Board) is essential for ensuring the CVE Program (CVE) meets the vulnerability identification needs of the global cybersecurity and technology community (community); the Board’s primary responsibilities are to work with each other and the community to oversee CVE, provide input into CVE’s strategic direction, and advocate for CVE.

    Board members represent numerous cybersecurity-related organizations, including commercial security tool vendors, academia, research institutions, government departments and agencies (D/As), and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and the strategic direction of CVE. The Board comprises a set of passionate individuals wishing to advance CVE and vulnerability identification. The Board ensures that CVE serves the community and public interest.

    1.2 Board Member Backgrounds

    Board members are not limited to but traditionally fit into one or more of the following categories:

    • Technical Implementers provide input and guidance regarding the creation, design, review, maintenance, and applications of CVE List entries (CVE Entries). This may include individuals who integrate CVE Entries into products, such as content and development engineers working for product vendors, and others who consume CVE Entries.
    • Subject Matter Experts (SMEs) represent a significant constituency related to — or affected by — CVE, and are domain experts in the vulnerability management and reporting field. These members may include representatives from product vendors who represent the needs of their company, such as PSIRT team members, or product managers and product strategists who are representing customers.
    • Advocates actively support or promote CVE in a highly visible fashion. These individuals are respected leaders within the security community who help bring credibility to CVE and give it a wider reach outside of the security community.

    1.3 Structure of the Board

    There are four different types of Board membership.

    1.3.1 Full Members

    Full members of the Board have no term limits.

    1.3.2 Emeritus Members

    Emeritus members were formerly active and influential in CVE who maintain an honorary position on the Board and are consulted from time-to-time as circumstances require. Emeritus members must have made significant contributions to CVE.

    1.3.3 CNA Liaison Board Representative

    The Board has authorized the creation of a single seat on the Board for a CNA community liaison representative from the CNA community. This is an elected position which program-of-record CNAs vote on annually. This position is a voting member of the Board, with a one-year term. The person can serve more than one term as long as the CNA community so desires as indicated by the results of the voting. This person is responsible for acting as a representative to the CNA community, assuring CNAs are updated with various status and activity related information. This position is a two-way conduit for CNAs to bring things to and from the Board in a more official and structured way.

    1.3.4 Board Moderator

    The MITRE Corporation (MITRE) created the Board in 1999, and currently serves as the Board moderator and coordinates Board activities.

    1.4 Minimum Board Member Responsibilities

    Board members are responsible for collaborating effectively with each other, and the community, relative to all aspects of CVE governance, operation, and future direction. Members’ primary responsibilities are to actively promote CVE goals and adoption, and participate in decision-making processes through established Board mechanisms.

    Board members have a responsibility to participate by voting. Members will lose voting privileges if they do not vote in at least one of the three previous (consecutive) Board votes. Votes to abstain count toward participation and toward a quorum. Votes that are terminated before the stated voting period because an early decision is reached, do not count as a part of the three previous votes. Members may regain voting privileges by asking to have their voting privileges reinstated through the private mailing list or during a Board meeting. If members have not voted in the past year, they can be removed from the Board by a Board vote, following the procedures for forced removal. If there are multiple Board members from a single organization then the above applies to the organizational members, not the individual members. In other words, a vote submitted by an organizational member counts as a single vote with credit for voting recognized for all Board members for that organization.

    1.5 Role of the MITRE Corporation

    1. Board Moderator: MITRE, as a member and moderator of the Board, is responsible for establishing and maintaining the structure of the Board through an approved Board Charter (Charter), management of Board mailing lists and Board meetings, logistics of Board membership, and overseeing additional Board activities, such as voting and other coordinating logistics.
    2. Intellectual Property (IP) Protection: MITRE, as the operator of CVE, is responsible for protecting IP contributed and transferred to CVE, while making sure CVE is publicly available and free for use in accordance with the CVE Terms of Use.
    3. Other: MITRE undertakes additional tasks, including CVE content creation, CVE website maintenance, CNA management, and community outreach.

    1.6 Board Member Compensation

    Board members are not compensated by the CVE Program.

    1.7 Size of the Board

    There is no cap on the number of members or organizations that may join the Board, though this practice may be revisited if the Board size increases to the point that it negatively impacts the ability of the Board to make decisions or take action. It is up to the Board and the Board’s moderator to determine when actions need to be taken to resize the Board.

    2. Board Membership and Operations

    2.1 Selection of Full Board Members

    Prospective Full Board members (prospects) are those people, either at-large (i.e., independent), or representing an organization in industry, academia, or government, who will add value to CVE. Prospects may be identified by anyone; however, a prospect must be nominated by a voting Board member.

    2.1.1 Full Board Member Prospect Evaluation

    The information required to effectively evaluate a prospect is collected by the nominating Board member and provided to the Board moderator, via the accepted nominating form, for dissemination to all Board members. Such information includes, but is not limited to, biographical information (such as a resume) that details the prospect’s skills and experience in the security community and CVE specifically, and the prospect’s expected value to the CVE. The prospect should provide a write-up as to why they want to be a member of the Board. The statement should include their background with CVE and a statement describing how they feel they would add value to the effort.

    2.1.2 Board Review and Vote

    The Board moderator provides the prospect’s name and the completed nomination form, along with an indication as to who nominated the prospect, to the Board through the private mailing list. Board members are provided with at least two weeks to review and vote on a prospect. Interviewing prospects has been used in the past when a candidate is not well known to Board members. An interview is an optional part of the review process. If a Board member believes an interview is needed to answer significant questions, they must make the request on the private list to determine if there is a consensus view. If a consensus agreement is reached, the moderator will set up the interview with the prospect and the Board. If needed, the moderator can extend the review and voting period to assure the interview process can be successfully accomplished and Board members have the proper time to make a determination.

    Votes will be sent to the private mailing list by Board members. After the review period, the Board moderator will provide a tally of “yes,” “no,” and “abstain” votes received from the Board. A majority vote of “yes” or “no” will determine whether the prospect is approved or rejected, regardless of the number of votes cast. The moderator need not wait the full review period once the number of votes has indicated a majority Board position one way or the other.

    2.2 Membership Approval

    When a prospect is voted in by the Board, or elected as the CNA Representative, the Board moderator will add the individual as a full member to the Board. The Board moderator announces the new Board member to the public Board mailing list. The announcement includes the member's biographical information. The Board moderator also announces the new Board member on the CVE website, in the CVE Announce e-newsletter, and appropriate CVE social media outlets, such as Twitter.

    The new Board member is expected to immediately begin participating with the full responsibilities of a CVE Board member.

    2.3 Resignation from the Board

    Any Board member may resign at any time by giving notice in writing, such as by email, to the Board moderator. The Board moderator will confirm with the Board member that the notice is legitimate. A resignation shall take effect upon confirmation the notice is legitimate, or at a later time specified within the written notice. No formal acceptance of such resignation is necessary to make it effective.

    2.4 Change in Affiliation

    A Board member who has a change in organizational affiliation must notify the Board moderator of the change. Once received, the Board moderator will update the CVE website to reflect the member’s change in affiliation.

    If a Board member’s parent organization does not want to be listed as affiliated with a Board member, the Board moderator will change the member’s affiliation to “Independent.”

    2.5 Board Member Professional Conduct Guidance

    In the interest of fostering an open and welcoming environment, Board members agree to make participation on the Board and directly related activities, a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

    The Board moderator and the Board are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

    Examples of unacceptable behavior by participants include:

    • Public or private harassment.
    • The use of sexualized language or imagery and unwelcome sexual attention or advances.
    • Trolling, insulting/derogatory comments, and personal or political attacks.
    • Publishing others’ private information, such as a physical or electronic address, without explicit permission.
    • Posting responses to the public Board list when the initiator of the thread had clearly posted them to the private Board list.
    • Talking negatively about a Board member in a medium in which they are not a participant of (e.g., a Board call).
    • Other conduct which could reasonably be considered inappropriate in a professional setting.

    Complaints should be sent to the Board moderator. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The Board moderator is obligated to maintain confidentiality with regard to the reporter of an incident.

    If action is necessary due to a verified complaint:

    1. The Board moderator will notify the Board on a Board call they have received a complaint.
    2. The Board requires any response should be as transparent as possible.
    3. The Board moderator, speaking on behalf of the Board, will send a public message to the appropriate list calling out the unacceptable behavior. It will explain that such repeated behavior will result in removal from the list.
    4. The Board moderator, speaking on behalf of the Board, will send a direct warning to the Board member with the Private Board mailing list CC'd. That warning will explain to the individual that disciplinary actions will be taken, and will outline the consequences of failing to correct the inappropriate behavior. The Board member will not be removed at this time.
    5. If the unacceptable behavior is corrected, the moderator should send a message back to the initial submitter explaining the actions taken, and at this point the issue is closed.
    6. If the Board member in question has repeated complaints against him/her then the situation needs to be discussed with the Board as to the steps that need to be taken next.

    If it becomes necessary for drastic action to be taken, such as removal of the offender, the Board and the Board moderator will follow the Board member forced removal process specified in the Removing Board Members section.

    2.6 Removing Board Members

    Board members will be considered for removal if:

    1. The Board member does not respond to the annual poll on whether they would like to continue to be a Board member.
    2. The Board member asks to be removed.
    3. If a Board member’s parent organization does not want to be listed as affiliated with a Board member, the Board Moderator will change the member’s affiliation to “Independent.”
    4. A current Board member nominates the person or organization for forced removal. Forced removal may be based on lack of participation, lack of collegiality or professional conduct (e.g., not honoring the Board’s private mailing list), or failure to follow Board conventions as established in this Charter. The process for forced removal is as follows:
      • A current Board member nominates a person or organization for removal and provides a reason for removal of a Board member directly to the Board moderator via email.
      • The nomination is seconded by a voting Board member.
      • The Board Moderator submits the nomination to the Board for deliberation and voting through the private mailing list.
      • Board members have two weeks to vote, and will receive a reminder from the Board Moderator one week into the voting period through the private mailing list.
      • For forced removal, at least half (50%) of the Board must cast a vote and two thirds (2/3) of the votes cast must be in favor of the removal.

    2.7 CNA Representative Removal or Resignation

    In the event a CNA Representative either resigns or is removed, the Board will ask for nominations on the CNA list. The Board will select a CNA representative from the nominated pool to finish out the term of the departed Representative. The selected CNA cannot be an existing Board Member.

    2.8 Recognition of Former Members

    When Members leave the Board, they are recognized in one of the following ways:

    1. If the person has qualified for Emeritus status, then the member is identified as Emeritus.
    2. If the person did not qualify for Emeritus status, then the Board member is identified as a former Contributing member. Board members identified as Contributing Members have none of the participation opportunities granted to an Emeritus member.

    The Board moderator is responsible for determining the initial recognition status of a departing Board member. The moderator will inform the Board of the status. If there is disagreement on the Board with the recognition status being proposed, the Board can call for a vote to determine whether the departing Board member is to be listed as Emeritus or as a Contributing member.

    The Board moderator is responsible for updating the related CVE website pages to reflect the new status of the departing Board member.

    2.9 Term Limits

    There are no term limits placed on Board service.

    2.10 Voting

    All voting occurs through the Board’s private mailing list. Board members cast a single vote per issue. To ensure a single organization has no undue influence on the outcome of specific issues, any organization with multiple Board members will coordinate and cast a single unified vote per issue. From time-to-time, members may choose to abstain from voting. In the event an organization with two or more Board members cast more than one vote, only the first valid voting ballot counts for each organization.

    Time frames in which to cast a vote may vary as circumstances require, but must be at least one-week long. Two weeks is the recommended time frame for most votes, but is not required. Unless otherwise indicated in this Charter or by the Board moderator prior to a specific vote, a simple majority is needed to either accept or reject the item being voted on. Votes from at least a simple majority of the eligible Board members are required for the overall vote to be declared valid. In the case of a vote being declared invalid, or in the case of a tie, the Board moderator will send the issue back to the Board for further deliberations.

    2.10.1 Proxy Voting

    The following proxy voting process is meant for short-term absences. In the event a non-organizational voting Board member (the principal) knows they are going to be absent and unable to participate in one or more Board votes, that member may assign another member of the Board (the proxy) to vote on the principal’s behalf during their absence. Once a principal determines they will not be available for a vote or they will have limited availability for a period of time, that member must present the Board with the following information:

    • The anticipated timeframe for which they will be unavailable.
    • The name of the Board member acting as a proxy during their absence.

    It is understood the Board member, acting as the proxy, will vote twice but they must identify they are a proxy for the principal when voting on the principal’s behalf. The principal and proxy will coordinate their votes in a manner of their choosing. For example, the proxy may have an alternate method of contacting and obtaining the voting preference from the principal. Upon returning, the principal needs to notify the Board they will be voting on their own behalf going forward. It is expected organizational members will work out absences between themselves. If all of an organization’s members will be absent at the same time, the proxy voting processes can be used as long as each of the organization’s members send an individual request to the Board and all request the same Board member to be their proxy.

    2.11 Board Meetings

    Board meetings are held routinely, with a goal of every two weeks or more frequently, as required. The Board moderator will establish the agenda for each meeting after obtaining input from the Board members. Board members are free to raise subjects during meetings that are not on the agenda for that particular meeting. The agenda, and any supporting documents, will be provided to the Board members prior to each meeting, and should be reviewed in advance. Actions items carried over or identified during the previous Board meeting should be included in the agenda sent to Board members.

    2.12 Working Groups

    Working groups (WGs) are advisory in nature and established to effectively address specific areas or issues. They are forums better suited for the detailed work necessary to achieve the proposed objectives of the WG. WGs must have documented objectives and outcomes defined in the charter of the WG.

    Any Board member can establish a WG with approval from the Board moderator. The Board may call a vote if it deems the Board moderator’s decision for the creation of a WG is incorrect. The results of the vote would determine approval.

    When forming a WG the WG’s charter will indicate the participation model. If the WG’s charter does not restrict participation then the WG will be considered open to participation from the public at large.

    WG progress must be reported back to the Board on an ad hoc, Board requested, or routine basis-either through the Board meetings, or through the Board email lists, as appropriate. Activities coming out of the WGs should be an extension of the Board activities. The WGs need Board approval before making changes or decisions that can either adversely or favorably affect CVE. The WG should notify the appropriate Board email list (public or private) whenever the WG requires this kind of change or decision.

    The WGs need to keep the Board apprised of what they are doing and decisions they are making. The WGs need to provide a report-out to the Board list, ensuring any WG decisions made are clearly identified as “recommendations” to the Board. The Board will then have an opportunity, for a timeframe specified in the report-out, to review the recommendations. If Board members have issues or questions, they are expected to ask for clarification and have the discussions needed to come to a consensus. In many cases, there may be no need for clarification or discussions. If no Board members respond within the specified timeframe, acceptance of the change, decision, or the recommendation(s) is considered approved. Silence begets acceptance.

    3. Board Charter Review

    The Board will review the Charter when a significant change or issue is identified. If the Board determines that a revision is necessary, the updated language will be incorporated into a draft for review by the Board. Any change to the Charter requires a vote.

    All email communications concerning CVE Board Charter changes will occur on the private CVE Board list.

    3.1 Steps for Charter Review and Update

    If a revision to the charter is called for, the following steps should be taken:

    1. The Charter document goes through a set of revisions. The number of revision cycles vary, based on the complexity of modifications needed.
    2. When the edits received have been incorporated, and the proposed Charter appears near-final, the Board moderator will issue a final call for edits via email. The email will include a date by which the final edits need to be received by the Board moderator.
    3. Final edits received are incorporated.
    4. Several days prior to the tentative start date of the voting period, the Board moderator will send a message to the Board list that includes:
      • a clean and complete copy of the proposed Charter for the Board to review,
      • a notice indicating this is the proposed Charter update,
      • a request for Board members to respond via email indicating whether they believe the proposed Charter update is ready to be voted on, and
      • the tentative date the vote is proposed to begin and when it will end.
    5. If the Board members indicate further Charter updates are necessary and provide reasonable justification, another revision cycle begins. The Board moderator will send a message to the Board indicating such.
    6. If the majority of respondents believe the Charter is ready to be voted on, the Board moderator will send a message to the Board list with the date the vote will begin and end, and any special instructions as needed.
    7. On the day the vote is to begin, the Board moderator will resend the Charter being voted on to the Board list, along with any special instructions and request to vote to adopt the new Charter.
    8. Board members who vote against the Charter are strongly encouraged to give a reason why they are doing so as a part of their actual vote. This will allow other Board members to understand the reasons and will assist in improving a future version of the Charter in the event it is voted down by the Board.
    9. The Board moderator will post the results of the vote to the Board list.
    10. If the Board votes down the new Charter, then it will be sent back to the Board for discussions and further revisions.
    11. If the vote indicates the Board’s acceptance, the new Charter will immediately take effect and the Board moderator will update the related CVE website pages to reflect the new Charter.

    Appendix A. Board Nomination Form

    Word (32K)

Page Last Updated or Reviewed: May 22, 2018