[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CD] CD Proposal: VOTE (Voting Requirements)

As promised many times over the past few months, here is the first new
content decision for discussion and approval.

The following content decision (CD) is related to requirements for
voting on candidates.  While we've been voting all along, a number of
issues came up during the last Editorial Board meeting which are
addressed here.  Feedback is requested.  Modified CD's will be posted
until the voting period begins.

For a refresher on the content decision adoption process, see
http://cve.mitre.org/Board_Sponsors/archives/msg00848.html

CD Proposal Date: 6/12/2000
Voting Period: 7/10/2000
Final Decision: 7/24/2000


Background notes
----------------

VOTE.1, VOTE.3, VOTE.4, VOTE.5, and VOTE.9 all formalize much of my
existing approach to vote processing.

VOTE.2 implicitly allows MITRE Board members to cast a vote.  This is
different than the original voting requirements agreed to by the Board
in September 1999; as discussed at AXENT and in subsequent summaries
posted to the Board list, a vote by a MITRE Board member (besides me)
should count as a valid vote.  The rate that the Board has been adding
entries is only slightly faster than the rate at which new problems
are announced, which doesn't bode well for legacy candidates.  So it
makes sense for the other MITRE Board members to be able to help out,
provided their voting activities remain independent of me.

VOTE.2 also says that the discoverer's own vote does not count.  This
came out of the AXENT meeting.

VOTE.6 effectively states that other MITRE Board members may cast
votes.

VOTE.7 addresses another concern that was raised at the AXENT meeting,
related to individuals voting on problems in competitor products.  I
believe that if one organization acknowledges a security problem, then
it should be OK for a competing organization to vote on it.

VOTE.8 formalizes the "one organization, one vote" principle, which
becomes more important as the number of multiple-member organizations
grows.

VOTE.10 does 2 things.  First, it formalizes my current approach of
allowing at least 2 weeks after initial proposal before moving to
Interim Decision.  Second, it explicitly allows for "emergency" cases
in which people may want to vote and approve a CVE number as soon as
possible.


The voter guidance reflects the discussions at AXENT.  It assumes that
approved content decisions are well-documented and available to Board
members, so some of that guidance will not apply until CD's have been
approved and made easily available on the web site.



************************************************************************
CD:VOTE (Voting Requirements)
************************************************************************
Type: PERVASIVE
Version: 1.0
Proposed: N/A
Approved: N/A


Short Description
-----------------

A candidate must satisfy minimum voting standards before it can become
an official CVE entry.


Definitions
-----------

All definitions are informal.

The "Candidate Numbering Authority" (CNA) is the entity that is
responsible for assigning candidate numbers to security problems, and
ensuring that candidates satisfy all approved content decisions.  As
of June 3, 2000, MITRE is the only CNA.

The "CVE Editor" is the individual(s) who makes Interim and Final
Decisions to ACCEPT or REJECT candidates.  As of June 3, 2000, the CVE
Editor is Steve Christey.

A "voting member" is any member of the Editorial Board who votes on a
candidate, not including the CVE Editor.

A "Quorum" is the minimum number of votes that must be cast in order
to move the candidate to the Interim and Final Decision phases.


Application
-----------

A candidate must satisfy all of the following voting requirements
before an Interim or Final Decision can be made:

1) The candidate must not be affected by any content decisions (CD's)
   that have not been adopted by the Editorial Board.  If it is, then
   it must not be moved to Interim or Final Decision until the
   associated content decisions have been reviewed and approved by the
   Board.

2) To be ACCEPTed, a candidate must garner enough votes to establish
   a Quorum.  A Quorum is established if any of the following occur:
   - At least 3 voting members ACCEPT the candidate, not including the
     original discoverer of the problem
   - *Or*, at least 2 voting members ACCEPT the candidate, and the
     vendor has publicly acknowledged that the problem exists

3) There must be more ACCEPT votes than REJECT votes for the
   candidate.  The Editor should work with disagreeing voters to
   establish consensus, if possible.  If consensus cannot be achieved
   in a timely fashion, then the Editor may make the decision based on
   approved content decisions and voter feedback.

4) The Candidate Numbering Authority (CNA) and the Editor are
   responsible for interpreting whether a REJECT vote is contradictory
   to approved content decisions, and must make the voter aware of the
   contradiction.

5) If a voting member casts a REVIEWING vote, then the Editor may
   delay an Interim or Final Decision for at least 2 weeks after the
   vote was cast.  After the 2 week time period, the Editor may extend
   the delay, or disregard the REVIEWING vote and move the candidate
   to Interim Decision.

6) Members who belong to the CVE Editor's organization may vote.  The
   Editor may only "vote" as part of the Interim or Final Decision.

7) If a voting member votes on a candidate for a security problem
   found in a product owned by a competing organization, then that
   member's vote cannot be counted towards the Quorum, unless the
   competing organization has publicly acknowledged the problem.

8) If multiple individuals from the same organization vote on the same
   candidate, only one of those votes may be counted towards the
   Quorum.

9) The CVE Editor must determine that further discussion of the
   candidate will not affect the decision with respect to the
   candidate, *or* it is in the best interests of CVE to make a
   decision.

10) After its initial proposal, the candidate must not be moved to
    Interim Decision for at least 2 weeks, unless it receives unanimous
    approval by at least 6 voting members.



Guidance
--------

1) A voting member should only ACCEPT a candidate if:
   - they believe that the related problem really exists
   - they believe that the problem is not a duplicate of existing
     candidates or entries

2) A voting member is encouraged, but not required, to review the
   candidate with respect to approved content decisions.

3) A voting member should vote on candidates according to approved
   content decisions, instead of their own personal preferences.
   Informally, a voting member should not REJECT a candidate if all of
   the following apply:
   - the candidate is not a duplicate of other candidates/entries
   - it satisfies all approved content decisions (CD's)
   - it satisfies CVE's vulnerability/exposure definition

   Examples: if a voter doesn't believe a candidate should be included
   in CVE because they wouldn't include it in their own database, but
   an approved inclusion CD specifically allows it, then the voter
   should not vote to REJECT.  Or, if the voter prefers to use a level
   of abstraction that is contrary to approved abstraction CD's, the
   voter should not vote to REJECT or RECAST.  A voter may use an
   ABSTAIN or NOOP vote instead.

4) A voting member should not vote for a candidate that is related to
   a security problem in a competitor's product, unless the competitor
   has acknowledged that the problem exists.



Dissenting Opinions
-------------------

Upon approval of this CD, this section will include a summary of any
dissenting opinions.
Page Last Updated or Reviewed: May 22, 2007