
RE: Current standards/criteria for 'Undefined Behavior'

Who is responsible for deciding how big/risky or small/minor a given 
issue is? I wouldn't want that job.

The problem is those present on the board call might think an issue is 
"small" and inconsequential. Those that might find a big problem in a 
small thing might not be present on a given call to raise such a 
concern. This is where there is value in sending a short email to the 
list to keep everyone looped in. We have had some examples of this in 
the past with changes to CVE status, impacts on downstream consumers, 


> -----Original Message-----
> From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
> Sent: Friday, July 07, 2017 3:46 PM
> To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> <david.waltermire@nist.gov>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; 
> cve-editorial-board-list
> <cve-editorial-board-list@LISTS.MITRE.ORG>
> Subject: Re: Current standards/criteria for 'Undefined Behavior'
> On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
> > One worry in going this route would be that we'd never actually make
> > any decisions on the Board calls and the value of them could be
> > greatly diminished.
> I understand and applaud the drive to get things done and decided.
> On the other hand, for some decisions, more time to think things through
> and leverage the input of the entire board would be wise.
>
> Board calls are the perfect place to make decisions too minor, or
> irrelevant to the board's interests, for the entire board to get
> involved, for efficiency's sake.  I think it's a judgment call to decide
> which decisions can be done on the calls.  However, CVE assignment policy
> decisions are of interest to the entire board.  My point is that
> splitting the difference in the middle, and having some categories of
> decisions flagged for mailing list discussions, may be close to optimal.
>
> Pascal

Page Last Updated or Reviewed: July 10, 2017