[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE ID Syntax Change Voting - Procedures and Timeline (starts April 1)



Folks,

We apologize for the length of this email, but we want to make sure we have correctly captured comments received about the voting process, as well as to ensure the voting process is completely open and well understood.

This email will be posted on the CVE web site and other locations to ensure we don't miss any Board members due to outdated contact info, etc. If you are a CVE Editorial Board member and did not read this email on the cve-editorial-board list, please contact us immediately so we can update your contact info.

Based on the feedback and post-meeting comments from the Editorial Board meeting/call on February 26th, we have been in intense discussions regarding the specifics of conducting the vote on the options for the CVE ID Syntax change. 

In order to ensure that we have correctly interpreted the wishes of the Board, we are extending the comment period to allow discussion of the vote proposal. The revised timeline is as follows (all dates and times are US EDT):
                - Sunday, March 31, 2013              - Comment and discussion period closes at midnight EDT
                - Monday, April 1, 2013                  - Official voting period opens
                - Sunday, April 14, 2013                 - Official voting period closes at midnight EDT

*Please note* -- no one has "voted" yet.
- All of the comments received to date are purely the opinions of the respective commenter, even if phrased as "I/we vote for ..."
- The official voting period has not been opened.
- None of the input received to date is an official vote.
- Board members will need to send (or resend) their selections for a preferred option. (More below.) 

Incorporating comments received and based on further discussion, we propose the following for the call and management of the vote. More information about the major points follows the list.

1. The voting process should be completely open and public, and will be posted and archived on the CVE web site. 
2. Voters must list a first and second choice and clearly indicate which option is the first choice and which is the second.
3. All votes must include a short write up of the reason(s) for supporting or not supporting each of all three options.
4. Only votes received by the mailing list before midnight US EDT on Sunday, April 14, 2013 will be counted.
5. Only one vote per organization will be accepted, regardless of how many eligible voting members are in a specific organization.
6. If more than one Board member from the same organization votes, only the first vote received will be counted.
7. Some Board members are excluded from the vote for other reasons - details are in the list of Board members (below).
8. No changes to a vote will be accepted; no reclama.
9. At least a simple majority of the eligible Editorial Board members is required for the overall vote to be declared valid.
10. At least a simple majority of the votes cast is required for any option to be selected.


1. Open voting process
------------------------------
All votes and comments will be sent to the Editorial Board list and will be copied to the CVE web site.


2. Voters must list a first and second choice
----------------------------------------------------------
To help obviate a need for a second, "run off" vote, each voting member must indicate a first and second choice (including a comment for each) and clearly indicate which option is their first choice and which is their second choice.


3. Reason(s) for or against each option
--------------------------------------------------
A short write up or comment for/against each option is required as part of the vote, i.e., for all three options. This was requested by Board members, and will capture both the votes and reasons for the votes for the archive.


4. Only votes with a timestamp before midnight US EDT on Sunday, April 14, 2013 .
-----------------------------------------------------------------------
If a vote is received at or later than 00:00:00 US EDT Monday, April 15, 2013 it will not be counted. If a member wants to ensure that their vote will be counted, they need to take into account the many kinds of delays that may occur between hitting "send" and receipt. The only exception to this condition will be if the mailing list is unavailable.


5., 6.  Only one vote per organization; first vote counts
-----------------------------------------------------------------------
Board members from the same organization should coordinate their organization's vote. In the event of duplicate submissions from the same organization, only the first vote received will be accepted.


7. Some Board members are excluded from the vote for other reasons
--------------------------------------------------------------------------------------------
Other conditions or circumstance may obviate a Board member's vote. These cases are noted (below).


8. No changes to a vote will be accepted.
-----------------------------------------------------
Your first vote is the only vote that counts. If necessary, we will go to a "tie breaker" after the voting period closes using voters' expressed second choices, but there will not be a re-vote.


9. At least a simple majority of the eligible Editorial Board members is required for the overall vote to be declared valid.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
The overall vote will not be accepted as valid unless at least a simple majority of the eligible Board Members votes. As of this email, we believe there are 23 CVE Editorial Board members/organizations that are eligible to vote (list below), which means there must be at least 12 votes cast in total for the overall vote to be declared valid. Please note that this is 12 votes *total*, not 12 votes for a specific option.


10. At least a simple majority of the votes cast is required for any option to be selected.
------------------------------------------------------------------------------------------------------------------
Please take careful note of this statement. Although a simple majority of the eligible Board members must cast a vote for the overall vote to be declared valid, only a simple majority *of_the_valid_votes_cast* is required for an option to be selected. Please note that this means that if, for example, only a total of 12 votes are received, it will only require 7 votes for any given option to be selected.


********************************************************

Current CVE Editorial Board Members eligible to vote

If you believe you are eligible to vote and are not listed below, please contact us immediately at cve@mitre.org.

Name                                                                    Org
--------------------------------------------------------------
Ken Williams                                                      CA
Andy Balinsky                                                    Cisco
Ken Armstrong                                                 EWA-Canada
Bill Wall                                                                 Harris STAT
Jimmy Alderson or Troy Bollinger              IBM
Tim Collins                                                           Independent
Al Huger                                                               Independent
Scott Lawler                                                       Lightspeed
Kent Landfield                                                   McAfee
Adam Shostack                                                 Microsoft
Steve Christey                                                   MITRE
Tim Keanini                                                         nCircle
Harold Booth or Peter Mell                          NIST
Russ Cooper                                                       NTBugtraq
Brian Martin                                                       OSVDB
Pascal Meunier or Gene Spafford             Purdue
Mark Cox                                                             Red Hat
Carsten Eiram                                                    Risk Based Security
Alan Paller                                                           SANS
Casper Dik                                                           Oracle (Sun)
Mike Prosser                                                      Symantec
Matt Bishop                                                        UC Davis
Art Manion                                                          US-CERT

Other Board members who are listed on the CVE web page but are not eligible to vote include other MITRE staff (Steve Christey holds the official MITRE vote), and Tom Stracener (although he is Independent) is excluded because he is currently on contract with MITRE.

Please let us know immediately of any thoughts, comments or concerns.

We deeply appreciate the involvement and participation of the Editorial Board in shaping this important discussion and in the upcoming vote.

Best Regards,
The MITRE CVE Team



Page Last Updated or Reviewed: October 03, 2014