[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CD] CD Proposal: VOTE (Voting Requirements)

* David LeBlanc (dleblanc@microsoft.com) [000613 22:28]:
>
> This rule is merely an attempt to codify what is currently an informal,
> voluntary practice.  I think it is a good practice - most decision making
> bodies allow members to recuse themselves for conflict of interest. Do you
> have a better way of saying it?

I rather see a method of the owner of a vulnerable product or service
to contents a CVE entry. In particular I would give them a way to
state they believe some of the votes approving the CVE entry are
malicious and with competition in mind. We could then vote again,
including the entities they claim are malicious, but have a higher
standard to approve the contested CVE entry (e.g. we would need
6 votes instead of 3).

The reason you want to include the entities they claim are malicious
in the second vote is that you don't want someone contesting a CVE
entry and claiming all voting members are malicious.

This allows owners of vulnerable products or services to contents
a CVE entry if they think its wrong and/or malicious while at the
same time not cutting down the number of entities that can vote
on a given CVE.

The idea is that malicious use of the CVE process will be rare
and as such you should handle it as an exception not as routine
business.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Page Last Updated or Reviewed: May 22, 2007