Board Member Roles, Tasks, and Qualifications

Date: December 6, 2011
Document version: 1.3

Introduction

This document clarifies the roles, tasks, and qualifications for CVE Editorial Board members. Much of the background discussion was held during a meeting in March 2001, as documented in the summary at http://cve.mitre.org/community/board/archives/2001-03/msg00014.html

Roles for Editorial Board Members

Note that some members may hold more than one role on the Editorial Board, but each member has only one primary role.

Technical members participate in the creation, design, review, maintenance, and applications of CVE.

Liaisons represent a significant constituency, related to or affected by CVE, in an area that does not necessarily have technical representation on the Board. In some cases, a liaison may represent an individual organization. This role may include software vendors.

Advocates actively support or promote CVE in a highly visible fashion. This role is reserved for respected leaders in the security community who help bring credibility to the CVE Initiative and give CVE a wider reach outside of the security community.

Emeritus members were formerly active and influential in the CVE Initiative. As a result of significant contributions, they maintain an honorary position on the Board.

1. Minimum Expectations for Editorial Board Members

Board members must meet the minimum levels of effort consistent with the tasks that they undertake. If a Board member participates in multiple tasks, then the minimum expectations for each individual task may be lowered accordingly.

All members are expected to commit a minimum of 2 hours per month to maintain high-level awareness of ongoing CVE and Editorial Board activities. There may be additional requirements depending on additional tasks.

Participation should be consistent with respect to the specific task. Allowances can be made for extenuating circumstances that temporarily prevent a member from meeting the minimum level of participation.

2. Tasks for All Members

All members are expected to perform the following tasks:

  1. Consultation: This includes participating in Board meetings, or discussing ad hoc issues related to CVE content or Editorial Board processes, such as content decisions, Board membership, or CVE compatibility.
  2. Awareness: This includes participating in Board meetings and/or reading meeting summaries, and regularly reading posts on the Editorial Board mailing lists.

Many members may perform the following tasks:

  1. Outreach: Some Board members actively promote CVE and educate the public about CVE, or introduce various contacts to MITRE within the CVE context.
  2. Non-CVE activities: Some Board members may participate in activities that are undertaken in the Board context but are not directly related to CVE.

Expected Level of Effort

The amount of effort for these tasks may vary widely. Each consultation task may require 1 to 10 hours, or more. Such tasks may occur approximately once every 2 months.

3. Technical Member Tasks

Each technical member should regularly perform one or more of the following tasks:

  1. Oversight and review: Review and comment on new CVE Identifiers, as necessary.
  2. Content provider: Some Board members provide their vulnerability databases to MITRE for conversion into CVE Identifiers, which ensures that CVE content is as complete as possible. Others are actively involved in CVE Identifier reservation. Others may be CVE Numbering Authorities (CNAs), which are authorized to assign CVE Identifiers to security issues before they are publicized.

Expected Level of Effort

Following is the amount of effort believed needed to participate regularly in a task:

  1. Oversight and Review: ad hoc, as needed
  2. Content provider: 1 to 5 hours, approximately once every 2 months

Qualifications for Technical Members

  1. Members should have at least 3 years of experience as a computer security professional (preferably 5 years). Exceptions may be made for members who have made noteworthy contributions to the security community.
  2. Participants should be experts in the use or development of one or more of the following technical areas:
    • vulnerability assessment and related tools
    • intrusion detection and related tools
    • incident response or forensics
    • academic/research topics such as vulnerability or exploit analysis, taxonomies and classification, new security models, or programmer behaviors
    • related areas
  3. Participants should have strong knowledge about computer security issues in most of the following areas:
    • concepts such as buffer overflows, race conditions, design errors, insecure configurations, etc.
    • commonly exploited vulnerabilities, or related tools
    • security models in operating systems, protocols, applications, etc.
    • vulnerability information sources, e.g. advisories, mailing lists, or hacker sites
    • extensive "real-world," operational experience in one or more of the technical areas listed in (2)
    The participant’s knowledge may be broad (e.g., general knowledge of various types of flaws in many different OSes) or deep (e.g., analysis of programming errors in a single OS or programming language).
  4. Participants should be able to effectively identify and communicate technical issues that relate to CVE and their particular area of expertise.
  5. Participants should have a demonstrated commitment to sharing information to enhance research or education, or to improving overall enterprise security, e.g., by active participation in conferences or other forums.

Liaison Tasks

Liaisons should perform one or more of the following tasks, in addition to those tasks that are required of all members:

  1. The liaison must educate the liaison’s own community about CVE, where appropriate.
  2. The liaison must educate the Editorial Board about the needs and interests for CVE of the liaison's community, where appropriate.
  3. Liaisons may undertake other technical tasks.
  4. The liaison should participate regularly in ad hoc consultation tasks, if the liaison previously agreed to perform those tasks.

Expected Level of Effort

Liaisons will need to commit approximately 1-2 hours per week to maintain enough high-level knowledge of CVE and Editorial Board activities to effectively educate their constituency, and the Board, on CVE-related issues.

Qualifications for Liaisons

  1. A liaison that represents a constituency beyond an individual organization must be visible and active in the liaison’s constituency community.
  2. A liaison that represents an individual organization must be able to effectively communicate with all other relevant parts of that organization.
  3. Software vendor liaisons must be able to effectively communicate with the vendor's security and product development teams.

Advocate Tasks

  1. Endorse CVE to constituencies that will benefit from it.
  2. Foster better communication between constituencies.
  3. Participate in Editorial Board activities, especially in decisions related to Board structure and strategic activities.
  4. Advocates may undertake technical or liaison tasks.

Expected Level of Effort

The expected level of effort is variable, but the advocate should participate at least once every 6 months.

Qualifications for Advocates

  1. The advocate should be a recognized leader in the security community, as approved by members of the Editorial Board.

Emeritus Tasks

Emeritus members may participate periodically in technical, liaison, or advisory tasks.

Expected Level of Effort

Emeritus members are not expected to participate regularly in the CVE Initiative, but they should participate in some task approximately every 6 months.

Qualifications for Emeritus

  1. Emeritus members must have made significant contributions to the CVE Initiative, as determined by MITRE.

Recognition of Former Members

A person who has left the Editorial Board is recognized in one of the following ways:

  1. If the person has qualified for Emeritus status, then the member is identified as Emeritus.
  2. If the person did not qualify for Emeritus status but made clear contributions to CVE as determined by MITRE, then the member is identified as a former contributing member.
  3. If the person did not make any measurable contribution to CVE, then the person is not identified as a former member.

Roles for MITRE

The following roles are unique to MITRE:

  1. The CVE Editor is responsible for creating, publishing, and maintaining CVE content, including CVE Identifiers, CVE versions, content decisions, etc.
  2. The Editorial Board Chair is responsible for Editorial Board structure, recruitment, and activities.
  3. Task leaders are responsible for one or more major strategic tasks such as community outreach, web sites, CVE compatibility, CVE content, future planning, and related work.
  4. Content team members support the CVE Editor.
Page Last Updated: January 03, 2012