
Re: question re: old orgs nominating a new person



>Wait...
>
>When did the precedent start that an existing org has the right to replace someone like this? Wasn't the board elected on PERSONAL merit all these years?
>
>Just because a person/org has been on the board for sixteen years, doesn't mean they provide any value.
>
>To wit, I deeply respect Casper Dik, I always have. I corresponded with him frequently over a decade ago regarding Sun vulnerabilities, am a fan of his work, and know he has great insight into our industry. That said, in sixteen years, he has posted to the board list *twice* (compared to Landfield 68 times, Seifried 47 times, Scott 14 times... and two of them have been on the board for under two years). For whatever reason, Casper did not commit to the board and opt to provide his exceptional experience and insight to this endeavor over all those years, and as an industry, we are worse for it.

The reason that I wanted to resign was because I didn't contribute; I think I asked for this several years ago, IIRC, also because my role at Oracle was not, and hasn't been for quite some time, the proper role for a CVE board member.

>Oracle, as a company, does not embody the goals and mindset of a CNA at all. They have explicitly *countered* many of the things we strive for, primarily around vulnerability clarity in tracking and abstraction, and continue to fight that to this day. As an organization, Oracle is not fit to be a CNA, despite it being terribly convenient for MITRE.

>Remove Casper from the picture, which you just did, and Oracle is no different than any other random company that wishes to have a presence on this board. In fact, they are actually LESS suited than a newcomer that may be more open to the industry goals CVE is designed for.
>
>If there is some policy about existing CNAs automagically getting a spot on the board, please cite that public reference so I can kick myself for not noticing and arguing it sooner.

Joe told me that the CVE board would like to keep a company as large as Oracle on board; so I looked around and found some people who work better as CVE members, but I only did that because I was asked to do so.

It is also clear that Sun Microsystems had quite a different policy for 
communicating about security problems; Oracle does not allow any such 
discussions or communication such as "this problem does not affect
Solaris".

However, this is only a small part of my job, and the takeover was by and large a positive effect for our organization, so I did not feel I should leave Oracle.

We can hope that the people in charge at Oracle see the light. There are a lot of smart people at Oracle; politics, however, can't be changed by being smart.

Casper


Page Last Updated or Reviewed: May 02, 2016