[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVEPRI] CVE Editorial Board Roles, Tasks, and Qualifications

Below is the final version of the document that describes the roles,
tasks, and qualifications for Editorial Board members.  This will be
published on the CVE Web site.

The main changes are:

- added "Recognition of Former Members" section that distinguishes
  between Emeritus, "former contributing members," and members who
  did not contribute

- added minimum 3 years experience as a "strong recommendation" for
  technical members, with a preference for 5.

- Steve

CVE Editorial Board Roles, Tasks, and Qualifications
Version: 1.2
Modified: September 10, 2001


This document clarifies the roles, tasks, and qualifications for CVE
Editorial Board members.  Much of the background discussion was held
during a meeting in March 2001, as documented in the summary at:


Roles for Editorial Board Members

Note that some members may have more than one role on the Editorial
Board.  However, all members have only one primary role.

Technical members participate in the creation, design, review,
maintenance, and applications of CVE.

Liaisons represent a significant constituency, related to or affected
by CVE, in an area which does not necessarily have technical
representation on the Board.  In some cases, a liaison may represent
an individual organization.  This role may include software vendors.

Advocates actively support or promote CVE in a highly visible fashion.
This role is reserved for respected leaders in the security community
who help bring credibility to the CVE Initiative and give CVE a wider
reach outside of the security community.

Emeritus members were formerly active and influential in the CVE
Initiative.  As a result of significant contributions, they maintain
an honorary position on the Board.

Minimum Expectations for Editorial Board Members

Board members must meet the minimum levels of effort consistent with
the tasks that they undertake.  If a Board member participates in
multiple tasks, then the minimum expectations for each individual task
may be lowered accordingly.

All members are expected to commit a minimum of 2 hours per month to
maintain high-level awareness of ongoing CVE and Editorial Board
activities.  There may be additional requirements depending on
additional tasks.

Participation should be consistent with respect to the specific task.
Allowances can be made for extenuating circumstances that temporarily
prevent a member from meeting the minimum level of participation.

Tasks for All Members

All members are expected to perform the following tasks.

1) Consultation: This includes participating in Board meetings, or
   discussion of ad hoc issues related to CVE content or Editorial
   Board processes such as content decisions, Board membership, or CVE

2) Awareness: This includes participating in Board meetings and/or
   reading meeting summaries, and regularly reading posts on the
   Editorial Board mailing lists.

Many members may perform the following tasks.

1) Outreach.  Some Board members actively promote CVE and educate the
   public about CVE, or introduce various contacts to MITRE within the
   CVE context.

2) Non-CVE activities.  Some Board members may participate in
   activities that are undertaken under the Board context, but not
   directly related to CVE.

Expected Level of Effort

The amount of effort for these tasks may vary widely.  Each
consultation task may require 1 to 10 hours, or more.  Such tasks may
occur approximately once every 2 months.

Technical Member Tasks

Each technical member should regularly perform one or more of the
following tasks.

1) Voting on candidates.  The primary task for most technical members
   is to review, comment on, and accept or reject CVE candidates that
   are proposed to the Editorial Board.  Some members vote regularly;
   others vote on an ad hoc basis, e.g. when there is an effort to
   reach a specific content goal.

2) Content provider.  Some Board members provide their vulnerability
   databases to MITRE for conversion into candidates, which ensures
   that CVE content is as complete as possible.  Others are actively
   involved in candidate reservation.  Others may be Candidate
   Numbering Authorities (CNA's), which are authorized to assign CVE
   candidate numbers to security issues before they are publicized.

3) CIEL.  Members participate in the review and development of the
   Common Intrusion Event List (CIEL), a "CVE-for-IDS" which is
   currently being drafted by MITRE.

Expected Level of Effort

Following is the amount of effort that is believed to be needed to
participate regularly in a task.

1) Voting - approximately 3 hours per week, on a regular basis

2) Content provider - 1 to 5 hours, approximately once every 2 months

3) CIEL - approximately 1 hour per week, in the early stages

Qualifications for Technical Members

1) Members should have at least 3 years of experience as a computer
   security professional (preferably 5 years).  Exceptions may be made
   for members who have made noteworthy contributions to the security

2) Participants should be experts in the use or development of one or
   more of the following technical areas:

  - vulnerability assessment and related tools
  - intrusion detection and related tools
  - incident response or forensics
  - academic/research topics such as vulnerability or exploit
    analysis, taxonomies and classification, new security models, or
    programmer behaviors
  - related areas

3) Participants should have strong knowledge about computer security
   issues in most of the following areas:

   - concepts such as buffer overflows, race conditions, design
     errors, insecure configurations, etc.
   - commonly exploited vulnerabilities, or related tools
   - security models in operating systems, protocols, applications,
   - vulnerability information sources, e.g. advisories, mailing
     lists, or hacker sites
   - extensive "real-world," operational experience in one or more of
     the areas described in (1)

   The participant's knowledge may be broad (e.g. general knowledge of
   various types of flaws in many different OSes) or deep
   (e.g. analysis of programming errors in a single OS or programming

4) Participants should be able to effectively identify and communicate
   technical issues that relate to CVE and their particular area of

5) Participants should have a demonstrated commitment to sharing
   information to enhance research or education, or to improving
   overall enterprise security, e.g. by active participation in
   conferences or other forums.

Liaison Tasks

Liaisons should perform one or more of the following tasks, in
addition to those tasks that are required of all members.

1) The liaison must educate the liaison's own community about CVE,
   where appropriate.

2) The liaison must educate the Editorial Board about the needs and
   interests for CVE of the liaison's community, where appropriate.

3) If the member is a software vendor liaison, then the member must
   vote on candidates related to vulnerabilities in that vendor's

4) Liaisons may undertake other technical tasks.

5) The liaison should participate regularly in ad hoc consultation
   tasks, if the liaison previously agreed to perform those tasks.

Expected Level of Effort

Liaisons will need to commit approximately 1-2 hours per week to
maintain enough high-level knowledge of CVE and Editorial Board
activities to effectively educate their constituency, and the Board,
on CVE-related issues.

Qualifications for Liaisons

1) A liaison that represents a constituency beyond an individual
   organization must be visible and active in the liaison's
   constituency community.

2) A liaison that represents an individual organization must be able
   to effectively communicate with all other relevant parts of that

3) Software vendor liaisons must be able to effectively communicate
   with the vendor's security and product development teams.

Advocate Tasks

1) Endorse CVE to constituencies that will benefit from it.

2) Foster better communication between constituencies.

3) Participate in Editorial Board activities, especially in decisions
   related to Board structure and strategic activities.

4) Advocates may undertake technical or liaison tasks.

Expected Level of Effort

The expected level of effort is variable, but the advocate should
participate at least once every 6 months.

Qualifications for Advocates

1) The advocate should be a recognized leader in the security
   community, as approved by members of the Editorial Board.

Emeritus Tasks

Emeritus members may participate periodically in technical, liaison,
or advisory tasks.

Expected Level of Effort

Emeritus members are not expected to participate regularly in the CVE
Initiative, but they should participate in some task approximately
every 6 months.

Qualifications for Emeritus

1) Emeritus members must have made significant contributions to the
   CVE Initiative, as determined by MITRE.

Recognition of Former Members

A person who has left the Editorial Board is recognized in one of the
following ways:

1) If the person has qualified for Emeritus status, then the member is
   identified as Emeritus.

2) If the person did not qualify for Emeritus status but made clear
   contributions to CVE as determined by MITRE, then the member is
   identified as a former contributing member.

3) If the person did not make any measurable contribution to CVE, then
   the person is not identified as a former member.

Roles for MITRE

The following roles are unique to MITRE.

The CVE Editor is responsible for creating, publishing, and
maintaining CVE content, including candidates, CVE versions, content
decisions, etc.

The Editorial Board Chair is responsible for Editorial Board
structure, recruitment, and activities.

Task leaders are responsible for one or more major strategic tasks
such as community outreach, web sites, CVE compatibility, CVE content,
future planning, and related work.

Content team members support the CVE Editor.

Page Last Updated or Reviewed: May 22, 2007