CVE Board Charter

The CVE Board Charter was adopted by the CVE Board effective September 8, 2016.

Table of Contents

  1. Board Overview and Member Responsibilities
    1.1 CVE Board Overview
    1.2 Board Members
    1.3 Minimum Board Member Responsibilities
    1.4 Role of the MITRE Corporation
    1.5 Board Member Compensation
  2. Board Structure, Membership, and Operations
    2.1 Size of the Board
    2.2 Selection of Board Members
      2.2.1 Prospect Evaluation
      2.2.2 Board Review and Vote
      2.2.3 Membership Approval
    2.3 Resignation from the Board
    2.4 Change in Affiliation
    2.5 Removing Board Members
    2.6 Recognition of Former Members
    2.7 Term Limits
    2.8 Voting
    2.9 Board Meetings and Working Groups
  3. Board Charter Review
    3.1 Steps for Charter Review and Update
  Appendix A. Board Nomination Form

    1. Board Overview and Member Responsibilities

    1.1 CVE Board Overview

    The CVE Board (the Board) is essential for ensuring CVE meets the vulnerability identification needs of the technology community (community); the Board's primary responsibilities are to work with each other and the community to oversee CVE, provide input into CVE's strategic direction, and advocate for CVE.

    Board members represent numerous cybersecurity-related organizations, including commercial security tool vendors, academia, research institutions, government departments and agencies (D/As), and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. The Board comprises a set of passionate individuals wishing to advance CVE and vulnerability identification.

    The MITRE Corporation (MITRE) created the Board in 1999. It moderates Board discussions and coordinates Board activities. The Board ensures that CVE serves the community and public interest.

    1.2 Board Members

    Members traditionally fit into one or more of the following types.

    • Technical Implementers provide input and guidance regarding the creation, design, review, maintenance, and applications of CVE. This may include individuals who integrate CVE into products, such as content and development engineers working for product vendors, and others who consume CVEs.
    • Subject Matter Experts (SMEs) represent a significant constituency related to, or affected by, CVE, and are domain experts in the vulnerability management and reporting field. These members may include representatives from product vendors who represent the needs of their company, such as PSIRT team members, or product managers and product strategists who are representing customers.
    • Advocates actively support or promote CVE in a highly visible fashion. These individuals are respected leaders within the security community who help bring credibility to the CVE Initiative and give CVE a wider reach outside of the security community.
    • Emeritus Members were formerly active and influential in the CVE program; they maintain an honorary position on the Board and are consulted from time to time as circumstances require. Emeritus members must have made significant contributions to the CVE Initiative, as determined by the Board Moderator. Emeritus members may participate at will in the CVE program. However, there is no requirement for Emeritus member participation, and Emeritus members are not given a vote in Board matters.

    1.3 Minimum Board Member Responsibilities

    Board members are responsible for collaborating effectively with each other, and the community, relative to all aspects of the CVE program's governance, operation, and future direction. Members' primary responsibilities are to actively promote CVE program goals and adoption and participate in decision-making processes through established Board mechanisms.

    Board members have a responsibility to participate by voting. Members will lose voting privileges if they do not vote in at least one of the three previous (consecutive) Board votes. Votes to abstain count toward participation and toward a quorum. Members may regain voting privileges by asking to have their voting privileges reinstated through the private mailing list or during a Board meeting. If Members have not voted in the past year, they can be removed from the Board by a Board vote, following the procedures for forced removal. If there are multiple Board Members from a single organization, then the above applies to the organizational Members, not the individual Members. In other words, a vote submitted by an organizational member counts as a single vote with credit for voting recognized for all Board Members for that organization.

    1.4 Role of the MITRE Corporation

    1. Board Moderator: MITRE, as member and moderator of the Board, is responsible for establishing and maintaining the structure of the Board through an approved charter, management of Board mailing lists and Board meetings, logistics surrounding Board membership, and additional Board activities, such as voting and other coordinating logistics.
    2. Intellectual Property (IP) Protection: MITRE, as the operator of CVE, is responsible for protecting IP contributed and transferred to CVE, while making sure CVE is publicly available and free for use in accordance with the CVE Terms of Use.
    3. Other: MITRE undertakes additional tasks, including CVE content creation, CVE website maintenance, CNA management, and community outreach.

    1.5 Board Member Compensation

    Board members are not compensated by the CVE Program.

    2. Board Structure, Membership, and Operations

    2.1 Size of the Board

    There is no cap on the number of members or organizations that may join the Board, though this practice may be revisited if the Board size increases to the point that it negatively impacts the ability of the Board to make decisions or take action. It is up to the Board and the Board's Moderator to determine when actions need to be taken to resize the Board.

    2.2 Selection of Board Members

    Prospective Board members (prospects) are those people, either at-large (i.e., independent), or representing an organization in industry, academia, or government, who will add value to the CVE Program. Prospects may be identified by anyone; however, a prospect must be nominated by a voting Board member.

    2.2.1 Prospect Evaluation

    The information required to effectively evaluate a prospect is collected by the nominating Board member and provided to the Board Moderator, via the accepted nominating form, for dissemination to all Board members. Such information includes, but is not limited to, biographical information (such as a resume) that details the prospect's skills and experience in the security community and CVE specifically, and the prospect's expected value to the CVE Program. The prospect should provide a write-up as to why they want to be a member of the Board. The statement should include their background with CVE and a statement on why they feel they would add value to the effort.

    2.2.2 Board Review and Vote

    The Board Moderator provides the prospect's name and the completed nomination form to the Board through the private mailing list. Board members are provided with at least two weeks to review and vote on a prospect. Votes will be sent to the private mailing list by Board members. After the review period, the Board Moderator will provide a tally of "yes," "no," and "abstain" votes received from the Board. A majority vote of "yes" or "no" will determine whether the prospect is approved or rejected, regardless of the number of votes cast. The Moderator need not wait the full review period once the number of votes has indicated a majority Board position one way or the other.

    2.2.3 Membership Approval

    If the prospect is voted in by the Board, the Board Moderator adds the prospect as a full member to the Board. The Board Moderator announces the new Board member to the public Board mailing list. The announcement includes the member's biographical information. The Board Moderator also announces the new Board member on the CVE website and in the CVE Announce e-newsletter.

    The new Board member is expected to immediately begin participating with the full responsibilities of a CVE Board member.

    2.3 Resignation from the Board

    Any Board member may resign at any time by giving notice in writing, such as by email, to the Board Moderator. The Board Moderator will confirm with the Board member that the notice is legitimate. A resignation shall take effect upon confirmation that the notice is legitimate, or at a later time specified within the written notice. No formal acceptance of such resignation is necessary to make it effective.

    2.4 Change in Affiliation

    A Board member who has a change in organizational affiliation must notify the Board Moderator of the change. Once received, the Board Moderator will update the CVE website to reflect the member's change in affiliation.

    2.5 Removing Board Members

    Board members will be considered for removal if:

    1. The Board member does not respond to the annual poll on whether they would like to continue to be a Board member.
    2. The Board member asks to be removed.
    3. If a Board member's parent organization does not want to be listed as affiliated with a Board member, the Board Moderator will change the member's affiliation to "Independent."
    4. A current Board member nominates the person or organization for forced removal. Forced removal may be based on lack of participation, lack of collegiality or professional conduct (e.g., not honoring the Board's private mailing list), or failure to follow Board conventions as established in this Charter. The process for forced removal is as follows:
      • A current Board member nominates a person or organization for removal and provides a reason for removal of a Board member to the Board Moderator.
      • The nomination is seconded by a voting Board member.
      • The Board Moderator submits the nomination to the Board for deliberation and voting through the private mailing list.
      • Board members have two weeks to vote, and will receive a reminder from the Board Moderator one week into the voting period through the private mailing list.
      • For forced removal, at least half (50%) of the Board must cast a vote and two thirds (2/3) of the votes cast must be in favor of the removal.

    2.6 Recognition of Former Members

    When Members leave the Board, they are recognized in one of the following ways:

    1. If the person has qualified for Emeritus status, then the member is identified as Emeritus.
    2. If the person did not qualify for Emeritus status, then the member is identified as a former Contributing Member. Members identified as Contributing Members have none of the participation opportunities granted to an Emeritus member.

    The Board Moderator is responsible for determining the initial recognition status of a departing member. The Moderator will inform the Board of the status. If there is disagreement on the Board with the recognition status being proposed, the Board can call for a vote to determine whether the departing member is to be listed as Emeritus or as a Contributing Member.

    The Board Moderator is responsible for updating the CVE-related web pages to reflect the departing Member's determined status.

    2.7 Term Limits

    There are no term limits placed on Board service.

    2.8 Voting

    All voting occurs through the Board's private mailing list. Board members cast a single vote per issue, except in the case where there are multiple Board members from a single organization. To assure a single organization has no undue influence on the outcome of specific issues, the affected Board members will coordinate who will vote in that case. An organization's Board members can cast no more than one vote per issue. From time to time, members may choose to abstain from voting. In the event an organization with two or more Board members casts more than one vote, only the FIRST valid voting ballot counts for each organization.

    Time frames in which to cast a vote may vary as circumstances require, but must be at least one week long. Two weeks is the recommended time frame for most votes, but is not required. Unless otherwise indicated in this charter or by the Board Moderator prior to a specific vote, a simple majority is needed to either accept or reject the item being voted on. Votes from at least a simple majority of the eligible Board members are required for the overall vote to be declared valid. In the case of a vote being declared invalid, or in the case of a tie, the Board Moderator will send the issue back to the Board for further deliberations.

    2.9 Board Meetings and Working Groups

    Board meetings are held routinely, with a goal of every two weeks or more frequently as required. The Board Moderator will establish the agenda for each meeting after obtaining input from the Board members. Board members are free to raise subjects during meetings that are not on the agenda for that particular meeting. The agenda and any supporting documents will be provided to the Board members prior to each meeting, which members should review in advance.

    Working groups are advisory in nature and established to effectively address specific issues in depth and in a forum better suited to that focus than the regular Board meetings. Non-Board members may participate in working groups as required with prior notification sent to the Board indicating their participation. Working groups may be organized as required to meet the objectives of the group. Working groups must have documented objectives and outcomes. Group progress must be reported back to the Board on an ad hoc or routine basis, either through the Board meetings or through the Board email lists as appropriate.

    Any Board member can establish a working group with approval from the Board Moderator. The Board may call a vote if it deems the Board Moderator's decision for the creation of a working group is incorrect. The results of the vote would determine approval.

    3. Board Charter Review

    The Board will review the Charter at least annually. If the Board determines that a revision is necessary, the updated language will be incorporated into a draft for review by the Board. Any change to the CVE Board Charter requires a vote.

    All email communications concerning CVE Board Charter changes will occur on the private CVE Board list.

    3.1 Steps for Charter Review and Update

    If a revision to the charter is called for, the following steps should be taken:

    1. The Charter document goes through a set of revisions. The number of revision cycles varies based on the complexity of modifications needed.
    2. When the edits received have been incorporated and the proposed Charter appears near-final, the Board Moderator will issue a final call for edits via email. The email will include a date by which the final edits need to be received by the Board Moderator.
    3. Final edits received are incorporated.
    4. Several days prior to the tentative start date of the voting period, the Board Moderator will send a message to the CVE Board list that includes:
      • a clean and complete copy of the proposed Charter for the Board to review,
      • a notice indicating this is the proposed Charter update,
      • a request that Board members respond via e-mail indicating whether they believe the proposed Charter update is ready to be voted on,
      • the tentative date on which the vote is proposed to begin and when it will end.
    5. If the Board members indicate further Charter updates are necessary and provide reasonable justification, another revision cycle begins. The Board Moderator will send a message to the Board indicating such.
    6. If the majority of respondents believe the Charter is ready to be voted on, the Board Moderator will send a message to the Board list with the dates on which the vote will begin and end, and any special instructions as needed.
    7. On the day the vote is to begin, the Board Moderator will resend the Charter being voted on to the Board list, along with any special instructions and a request to vote to adopt the new Charter.
    8. Board members who vote against the Charter are strongly encouraged to give a reason why they are doing so as a part of their actual vote. This will allow other Board members to understand the reasons and will assist in improving a future version of the Charter in the event it is voted down by the Board.
    9. The Board Moderator will post the results of the vote to the Board list.
    10. If the Board votes down the new Charter, then it will be sent back to the Board for discussions and further revisions.
    11. If the vote indicates the Board's acceptance, the new Charter will immediately take effect and the Board Moderator will update the CVE-related web pages to reflect the new Charter.

    Appendix A. Board Nomination Form

    Word (32K)

Page Last Updated or Reviewed: September 13, 2016