[CVEPRI] Important changes to CVE candidates and voting

["Steven M. Christey" <coley@linus.mitre.org>]

All:

In light of recent discussions, especially those at the last Editorial
Board meeting, the following changes to CVE candidates and the voting
process are being made.  These changes begin with the next round of
new candidates, which will be proposed tomorrow.

1) Each candidate has a special "Analysis" slot that provides analysis
   and commentary that came out of the submission stage, i.e. the
   conversion of raw data into candidates.  Included in the analysis
   are the affected content decisions and reasons why the content
   decisions apply.  (See below).

   Analysis results will not be available on the public web site for
   the moment, due to engineering requirements.  However, the
   Editorial Board voting site will include these, as will each
   proposal to the Board mailing list.  Analysis results will be made
   available to the public at a later date.

2) The voting ballots that are sent to the mailing list now include an
   additional field, ACCEPT_REASON.  If you ACCEPT or MODIFY a
   candidate, you should provide a reason in this field.  These
   reasons mirror those that are on the voting web site.

3) Based on feedback from the Editorial Board over the past few
   months, content decisions will now be treated as high-level
   guidance instead of hard-and-fast rules.  As Board members ACCEPT
   various candidates, any related CD's will be annotated to include
   those candidates as precedents.  Those precedents in turn will
   guide the application of CD's for later candidates.  However, the
   Board will be given the freedom to override the guidance in the
   CD's.  The CVE Editor (i.e. me) and the rest of the CVE content
   team will do its best to ensure consistency in the application of
   CD's.

   The Analysis field provides a high-level description of each CD and
   why they apply to that particular candidate.  This will help
   address some Board members' concerns that not enough concrete,
   specific examples have been provided in the past.

   If you ABSTAIN or NOOP a lot, but you care about content decisions,
   then you should still view the affected candidates and comment if
   necessary.  You can find affected candidates via string search in
   the initial ballots that are posted to the Editorial Board mailing
   list, or in the "Interesting candidates" sections on the voting web
   site.  Further enhancements to the voting web site are expected to
   be made.

4) Content decisions will be made available on the voting web site at
   a later date.  Most CD's, however, have been discussed on this
   list, so voters would already be aware of the surrounding issues.

5) All older candidates that are affected by CD's will be annotated
   with an Analysis field accordingly and re-introduced to Board
   members, whether in the form of customized ballots for individual
   members, or by re-proposal to the whole Board.

6) Participating Board members have almost unanimously advocated a
   "split-by-default" approach when there is insufficient information
   to determine whether a single candidate or multiple candidates
   should be created.  This is being implemented accordingly.

7) After proposal to the Board and upload to the CVE web site, all
   newly created candidates will be posted to the cve-data-update
   mailing list so that non-Board consumers of candidates can receive
   timey updates of candidate information.


Feedback, as usual, is welcome.

- Steve