
RE: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Hi Kent and Carsten,


Thank you for your always-thoughtful comments and recommendations.


We do not mean to imply that the subject documents have suddenly taken on a new, higher level of importance to the CVE Editorial Board. To the contrary, we have developed many unwritten rules over the years – some of which may be buried in pages of Board discussion threads from years ago, others of which were decided internally by MITRE or developed as “common practice” – and we are beginning to document these rules and practices explicitly. In this case, we simply thought we’d start by picking off the processes and documents that would be most straightforward, and where we thought the Board would be most likely to quickly come to agreement. As always, we are actively seeking Board member comments and suggestions on both documents, and we plan to discuss them during the Board meeting at RSA.


I’m not surprised the documents look like efforts for the OVAL Board – we spoke with the OVAL team quite a bit leading up to those efforts. Your comments based on the efforts relating to the OVAL Board are well-founded, as are the cautions. CVE has traditionally been a “one member – one vote” model, regardless of whether the member was an independent or an organization, as we saw during the Syntax ID change voting.


We do not want nor expect the Board to ever be comprised solely of organizational representatives. By its nature and purpose, the CVE Editorial Board should, and always continue to, be representative of the entire community. That alone requires that the Board include independent members. We mention that point (albeit not very explicitly) on the CVE Editorial Board web page, and leave it open in the draft documents. I personally like the way you phrased the Board membership as “…based on the individuals who have contributed to this community and to CVE.” I can see places in the document where we can make it more explicit that we seek independent members that can contribute and who view CVE Editorial Board membership to hold (again, as you said), “a personal responsibility to the community.”


With respect to the comment in the document encouraging organizations to have “an implementer and a liaison,” we put that in partly to try to encourage more engagement within organizations where the “implementer” (or, to Carsten’s point, technical) member can sometimes be invisible to those in an organization who might or should otherwise understand CVE within their own organizational context.


We agree that Board members should be active and engaged, and we are seeking comments on the drafts to help us formalize CVE’s and the community’s best interests.


Best Regards,

Steve Boyle



From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Wednesday, April 01, 2015 4:30 PM
To: Boyle, Stephen V.; cve-editorial-board-list
Subject: Re: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]


Hi Steve,


Can I ask why this is important now? Not like it has been an issue since 2001… ;-) I am really just a bit curious. This looks like something we put together on the OVAL Board. There was a reason we did so there that may not be all that valuable here. The intent was to assure promotion of OVAL and at the same time we were seeing a growing number of companies asking to have more than one representative. We wanted to: (From the OVAL Board info)


In an effort to guard against organizational bias, a single organization may be represented by a maximum of two individuals with the expectation that one individual would be focused on strategic direction and the other individual would be focused more on technical decisions.

We also only allowed one vote per organization because not all organizations had two members. In reality the process cost us a good participating individual. We had a situation where one organization ended up with three people and the organization decided who would be on the list. This meant we lost one of the more consistent contributors while keeping a less participating member.

I have always felt the CVE Editorial Board not to be organizationally-based but rather based on the individuals who have contributed to this community and to CVE.  Yes, because we have more than one person from specific companies, the voting process needs to use the organizational slant to reduce the possibility of organizational bias in the vote results but I have always viewed the Board not as an organizational responsibility but a personal one because of my belief in the value of CVE. 

Recommending two people from each company seems to bloat and dilute the Board.  By injecting those who are not as passionate about CVE and its value, we end up with individuals who look at this more as a resume item instead of a personal responsibility to the community. 




Kent Landfield
Director, Standards and Technology Policy
Intel Security



From: "Boyle, Stephen V." <sboyle@mitre.org>
Date: Wednesday, April 1, 2015 at 9:50 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Cc: "Boyle, Stephen V." <sboyle@mitre.org>
Subject: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]


Some people have asked us for editable versions of the two Editorial Board governance document drafts we recently sent out for your review and comments. Attached please find MS-Word (.docx) versions of both documents for your review and comments.

We appreciate your time and attention reviewing the drafts, and we want to thank those of you who have already provided your comments.

As we requested in the original transmittance email:

- Please review the documents and send us your comments before April 13th.

- If you do not have any comments or suggestions, a quick email to us saying so will record the fact that you have read and reviewed the drafts.


Best Regards,




Page Last Updated or Reviewed: April 14, 2015