
CVE Editorial Board Teleconference Summary - May 19, 2016

The CVE Editorial Board met via teleconference on May 19, 2016. The meeting was oriented around progress on CNA efforts, Board charter updates, and maximizing community participation. Members of the MITRE CVE Team also attended the call. Board members in attendance were:



Pascal Meunier, CERIAS

Harold Booth, NIST

Ken Williams, CA

Kurt Seifried, Red Hat

Scott Lawler, LP3

Dave Waltermire, NIST

Andy Balinsky, Cisco


The following discussions were held:

1. CNA Updates

   a. MITRE Legal is updating the CVE Terms of Use to ensure contributions to CVE from outside of MITRE can be published to the CVE List and are available to downstream users without a lot of licenses as overhead. The terms will also allow for description contributions, and will specify that CVE contributions to MITRE and all CNAs are covered under the CVE Terms of Use.

   b. Intel is expected to finish the process of becoming a CNA by the end of May, and is currently going through and assigning CVE IDs to their backlog.

   c. DWF CNA

      i. DWF has completed two CVE ID assignments (CVE-2016-1000000 and CVE-2016-1000001), which have been added to the CVE List. The CVE website is being updated and the new CVEs will be on the CVE website once the update is complete.

      ii. DWF is currently working on identifying their backlog and is identifying “beta testers” who will make CVE assignments on behalf of DWF with the expectation they will later become sub-CNAs.


2. Editorial Board charter updates

   a. Board process issues that will impact the ongoing Editorial Board Charter revisions were discussed. The purpose of today’s discussion was to elicit feedback and suggestions, not to make decisions. Decisions will be made through the Charter revision process and Board votes over the private e-mail list.

   b. The primary topic of discussion was the makeup of the Board membership, including how many people should be on the Board, how many organizations should be represented and how many votes they should get, participation requirements, and representation of stakeholder groups.

      i. Though these were only discussions and not formal decisions, the group, in general, felt that there should not currently be a cap on the number of individuals or organizations on the Board, but there should only be a cap on voting: a single vote per organization.

      ii. Board members felt that there should be some form of participation over the course of a year, but there should not be a required number of meetings to attend or e-mails to send. In addition, the Board thinks that there should be an annual poll to all members of the Board asking whether they would like to continue to be Board members.

      iii. The Board thinks that anyone should be able to be nominated, as long as they are recommended by a sitting member of the Board.

         1. Despite requests that MITRE vet the Board prospects, MITRE believes that the Board should vet and select its own members via a Board vote.

         2. MITRE will develop a template for nominating a candidate that sitting members of the Board can use to share information on an individual they are recommending. This template will include collection of a resume, experience working with CVE, expected value of the candidate to CVE in the future, etc.

      iv. The Board would like to increase membership where possible, including expansion to other IT stakeholders (e.g., hardware vendors) and sectors (e.g., finance). In particular, several Board members expressed the desire to see more representation from CVE end-users. The Board members committed to reaching out to their own contacts to identify interest in increased participation in CVE.


3. The final conversation on potential Charter updates led the Board to discuss ways of increasing community participation. In addition to nominating new members representing new stakeholder groups to become CNAs and Board members, the group discussed options like holding “open” Board meetings (approximately once per year) where the public is invited to join and participate. It was noted that the participation of new sectors may be more appropriate when the federated CVE concept has matured further.


Action Items:

- Update the Board charter and distribute out to the Board for discussion and vote (MITRE)

- Send out list of working groups to solicit members (MITRE)

- Send an email to the Board to discuss swim lanes and products and sources (MITRE)

- Develop a template for nominating prospective Board members (MITRE)

- Look into Google Hangouts as a possibility to replace Skype (MITRE)


The next Editorial Board meeting will be held on June 2.



Attachment: CVE_Editorial_Board_Meeting_summary_20160523.pdf

Page Last Updated or Reviewed: June 01, 2016