[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Question about non-board-member posts to the list



Hi Brian,

> Would Steve or MITRE please make it clear what happened here?

Sure, I'd be happy to. (I figured I'm "a" Steve if not "the" Steve, so close enough.)

Tom Millar is subscribed to the Editorial Board List as are other people who are not members of the Board. As you know, Tom, since he is part of the sponsoring organization, is not allowed to be on the Editorial Board. However, it has been longstanding practice for CVE to  offer read-only access to the Editorial Board list as a courtesy to certain people; in this case, to our sponsor. People who are not Board members can see what goes by, but they do not have posting privileges because they are not, well, Board members. That is another reason why we maintain the separate, private Editorial Board-only email list -- cve-private-eboard-list. 

> Given that Mr. Millar replied within an hour to that post on a Thursday 
> night...

That's not at all unusual for Tom, or lots of us.

> ... when he would not have been included in the general distribution 
> list, it is fair to say that he was BCC'd.

Except that Tom was included in the general distribution list, as described above. Because Tom sees Board list messages that go by, he wouldn't need a BCC or other out-of-band notification of our request -- he saw it at the same time as other members of the Editorial Board list. So, Tom is on the list, was on the list, and was not BCC'd or otherwise given a preview of the email. 

>  Further, that he was likely warned of the incoming post and encouraged to reply to it.

Except that Tom wasn't warned and he wasn't encouraged to reply. He read the post, presumably on the Board list, and responded to cve-id-change (as we requested) with his offer of help to publicize the change. More on this below.

> Given Steve's mail specifically asked 
> repliers to "contact cve-id-change@mitre.org if you wish to participate", 
> which is odd for an Editorial Board posting...

In the normal case, it would be odd to ask the Board to reply to another list. However, in the case of the exceptional, singular event that was the change to the CVE ID syntax, we asked people to respond to cve-id-change because we were asking for lots of participation from others, not just the Board, and using the cve-id-change list kept it all together. In addition, cve-id-change was an open list so anyone could post, making it even more handy for replies from non-Board members. The attendant Board message was a cut-and-paste of what we were sending out. We simply previewed it to the Board members, thereby asking them to reply to the same email address as everybody else. 

> it is doubly odd that a random non-board member would be involved.

I hope I've sufficiently explained how that came about (above). 

I understand your concerns, and I appreciate the fact that you raised them here, where they could be addressed. I invite and encourage you to continue to ask questions and look for answers, especially when things seem odd or otherwise squirrelly.

I 'll close by saying that I can't tell you anything more than what I know and what I remember, but I can personally assure you that MITRE has not and does not circumvent the Board, in any way, with any person or organization.

Best Regards,
Steve Boyle
CVE Project Leader

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Wednesday, September 02, 2015 1:35 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Question about non-board-member posts to the list
Importance: High

https://cve.mitre.org/data/board/archives/2014-09/msg00000.html

To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Request to include Board members in a press release about CVE 
IDsyntax change
From: "Christey, Steven M." <coley@mitre.org>
Date: Thu, 4 Sep 2014 19:12:43 +0000

Steve posted to the editorial board list, for members of the editorial 
board and MITRE, asking about a press release.

There was a single reply to this post:

https://cve.mitre.org/data/board/archives/2014-09/msg00003.html

To: "'cve-id-change@mitre.org'" 
<cve-id-change@mitre.org>,"'cve-editorial-board-list@lists.mitre.org'"<cve-editorial-board-list@lists.mitre.org>
Subject: Re: Request to include Board members in a press release about 
CVEID syntax change
From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Date: Thu, 4 Sep 2014 20:18:36 +0000

Thomas Millar, from DHS, is not on the CVE editorial board per the 
membership list (by name or org):

https://cve.mitre.org/community/board/

Given that Mr. Millar replied within an hour to that post on a Thursady 
night, when he would not have been included in the general distribution 
list, it is fair to say that he was BCC'd. Further, that he was likely 
warned of the incoming post and encouraged to reply to it.

Would Steve or MITRE please make it clear what happened here? Why was Mr. 
Millar brought into this mail before hand, BCC'd on a mail to the list, 
and likely encouraged to reply? Given Steve's mail specifically asked 
repliers to "contact cve-id-change@mitre.org if you wish to participate", 
which is odd for an Editorial Board posting, it is doubly odd that a 
random non-board member would be involved.

Thanks,

.b


Page Last Updated or Reviewed: September 14, 2015