RE: Current standards/criteria for 'Undefined Behavior'



Who is responsible for deciding how big/risky or small/minor a given 
issue is? I wouldn't want that job.

The problem is those present on the board call might think an issue is 
"small" and inconsequential. Those that might find a big problem in a 
small thing might not be present on a given call to raise such a 
concern. This is where there is value in sending a short email to the 
list to keep everyone looped in. We have had some examples of this in 
the past with changes to CVE status, impacts on downstream consumers, 
etc. 

Regards,
Dave

> -----Original Message-----
> From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
> Sent: Friday, July 07, 2017 3:46 PM
> To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> <david.waltermire@nist.gov>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> <cve-editorial-board-list@LISTS.MITRE.ORG>
> Subject: Re: Current standards/criteria for 'Undefined Behavior'
> 
> On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
> > One worry in going this route would be that we'd never actually make
> > any decisions on the Board calls and the value of them could be
> > greatly diminished.
> 
> I understand and applaud the drive to get things done and decided.
> 
> On the other hand, for some decisions, more time to think things through
> and leverage the input of the entire board would be wise.
> Board calls are the perfect place to make decisions too minor, or
> irrelevant to the board's interests, for the entire board to get
> involved, for efficiency's sake.  I think it's a judgment call to decide
> which decisions can be done on the calls.  However, CVE assignment
> policy decisions are of interest to the entire board.  My point is that
> splitting the difference in the middle, and having some categories of
> decisions flagged for mailing list discussions, may be close to optimal.
> 
> Pascal

Page Last Updated or Reviewed: July 10, 2017