The CVE Editorial Board met via teleconference on May 19, 2016. The meeting was oriented around progress on CNA efforts, Board charter updates, and maximizing community participation. Members of the MITRE CVE Team also attended the call. Board members in attendance were:
Pascal Meunier, CERIAS
Harold Booth, NIST
Ken Williams, CA
Kurt Seifried, Red Hat
Scott Lawler, LP3
Dave Waltermire, NIST
Andy Balinsky, Cisco
The following discussions were held:
1. CNA Updates
b. Intel is expected to finish the process of becoming a CNA by the end of May, and is currently going through and assigning CVE IDs to their backlog.
c. DWF CNA
i. DWF has completed two CVE ID assignments (CVE-2016-1000000 and CVE-2016-1000001), which have been added to the CVE List. The CVE website is being updated and the new CVEs will be on the CVE website once the update is complete.
ii. DWF is currently working on identifying their backlog and is identifying “beta testers” who will make CVE assignments on behalf of DWF with the expectation they will later become sub-CNAs.
2. Editorial Board charter updates
a. Board process issues that will impact the ongoing Editorial Board Charter revisions were discussed. The purpose of today’s discussion was to elicit feedback and suggestions, not to make decisions. Decisions will be made through the Charter revision process and Board votes over the private e-mail list.
b. The primary topic of discussion was the makeup of the Board membership, including how many people should be on the Board, how many organizations should be represented, how many votes they should get, participation requirements, and representation of stakeholder groups.
i. Though these were only discussions and not formal decisions, the group, in general, felt that there should not currently be a cap on the number of individuals or organizations on the Board, but that voting should be capped at a single vote per organization.
ii. Board members felt that there should be some form of participation over the course of a year, but there should not be a required number of meetings to attend or e-mails to send. In addition, the Board thinks that there should be an annual poll of all members of the Board asking whether they would like to continue to be Board members.
iii. The Board thinks that anyone should be able to be nominated, as long as they are recommended by a sitting member of the Board.
1. Despite requests that MITRE vet the Board prospects, MITRE believes that the Board should vet and select its own members via a Board vote.
2. MITRE will develop a template for nominating a candidate that sitting members of the Board can use to share information on an individual they are recommending. This template will include collection of a resume, experience working with CVE, expected value of the candidate to CVE in the future, etc.
iv. The Board would like to increase membership where possible, including expansion to other IT stakeholders (e.g., hardware vendors) and sectors (e.g., finance). In particular, several Board members expressed the desire to see more representation from CVE end-users. The Board members committed to reaching out to their own contacts to identify interest in increased participation in CVE.
3. The final conversation on potential Charter updates led the Board to discuss ways of increasing community participation. In addition to nominating new members representing new stakeholder groups to become CNAs and Board members, the group discussed options like holding “open” Board meetings (approximately once per year) where the public is invited to join and participate. It was noted that the participation of new sectors may be more appropriate when the federated CVE concept has matured further.
- Update the Board charter and distribute it to the Board for discussion and vote (MITRE)
- Send out list of working groups to solicit members (MITRE)
- Send an email to the Board to discuss swim lanes and products and sources (MITRE)
- Develop a template for nominating prospective Board members (MITRE)
- Look into Google Hangouts as a possibility to replace Skype (MITRE)
The next Editorial Board meeting will be held on June 2.