
Re: Change in CVE procedure re: board email list vs board phone calls

On Fri, Jul 7, 2017 at 3:35 PM, jericho <jericho@attrition.org> wrote:
Changing the subject to make this topic easier to track.

While it looks like the changes proposed are acceptable to those replying so far, I wanted to point out and remind the list of what the board calls look like as far as representation goes.

- Not once has there been 50% board attendance
- The lowest attendance has been ~18%
- On 10 calls (50%), there were more MITRE employees than board members

Is that a problem with the structure or the board members? I know that myself/Kent/Harold/Takeshi manage to make most of the calls for the last few months. Obviously it is possible for people to make the calls if they want to. Is there some specific reason people can't make the call at least once in a while?

I bring this up to reiterate that while the calls are certainly helpful as pointed out, they do not represent a majority of the board. So changes in CVE policy really need to be brought to the list for additional discussion (before and/or after the call) as well as potentially voting on an issue if there are conflicting views.

Regardless of what is decided, any policy changes made on list or call must be posted to the list, in their own new thread, with a clear subject. This makes it easy for external parties to find a given policy change, since our decisions may impact the CNAs and the industry.


(My rough sheet with calculations. Some are a bit off as I don't have the
 time to go through the list archives to see when someone was added to the
 board versus the list as seen via archive.org. But these approximate
 numbers serve the purpose.)

---------- Forwarded message ----------
From: "Coffin, Chris" <ccoffin@mitre.org>
To: "Landfield, Kent" <Kent_Landfield@McAfee.com>,
    "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>,
    "pmeunier@cerias.purdue.edu" <pmeunier@cerias.purdue.edu>
Cc: Carsten Eiram <che@riskbasedsecurity.com>,
    cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Date: Fri, 7 Jul 2017 21:16:18 +0000
Subject: RE: Current standards/criteria for 'Undefined Behavior'


I think this sounds like a very reasonable approach and would be onboard with making this change moving forward. I believe this approach also aligns with what Dave had proposed, though you have given it a few more specifics.

Proposed process:
- Board minutes email contains a list of decisions made within the body of the message
- Each decision includes a brief background statement and additional details where needed
- Board members have two weeks to raise objections to the decision (this would also include those in attendance who might later change their mind)
- If agreement cannot be reached on the list within the allotted discussion time period, we discuss and make a final decision in the following Board call taking into account new feedback or comments

Does this work for everyone?


-----Original Message-----
From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Friday, July 7, 2017 3:50 PM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; pmeunier@cerias.purdue.edu; Coffin, Chris <ccoffin@mitre.org>
Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Current standards/criteria for 'Undefined Behavior'

As we become a more internationally diverse group, it is important all get to participate in the decision making. I agree Board calls are useful for accelerating decisions based on back-and-forth conversations but it is not fair to those that can't participate due to time zone, travel or real day jobs.

One of the things we have agreed to as a Board is that WG decisions need to be put onto the Board list as recommendations. The Board then has a specified time to disagree with the recommendations. If there is no disagreement when the time period expires, the recommendations are approved.

Maybe we could consider that type of approach for Board call decisions.  The call minutes could have a section that specifically lists the decisions agreed to on the call with some background on the decision.  The minutes would be posted with the decisions section copied and included in the body of the Board Minutes message in addition to the attached minutes file.  The Board members then have a week (or some specified time) to disagree and initiate a conversation. Any decisions not addressed are blessed with the "silence begets acceptance" approach.

We should be addressing the decisions that Board members have an issue with or need clarification on, not the ones we agree on.

Kent Landfield

On 7/7/17, 2:55 PM, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Waltermire, David A. (Fed)" <owner-cve-editorial-board-list@lists.mitre.org on behalf of david.waltermire@nist.gov> wrote:

    Who is responsible for deciding how big/risky or small/minor a given issue is? I wouldn't want that job.

    The problem is those present on the board call might think an issue is "small" and inconsequential. Those that might find a big problem in a small thing might not be present on a given call to raise such a concern. This is where there is value in sending a short email to the list to keep everyone looped in. We have had some examples of this in the past with changes to CVE status, impacts on downstream consumers, etc.


    > -----Original Message-----
    > From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
    > Sent: Friday, July 07, 2017 3:46 PM
    > To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
    > <david.waltermire@nist.gov>
    > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
    > <cve-editorial-board-list@LISTS.MITRE.ORG>
    > Subject: Re: Current standards/criteria for 'Undefined Behavior'
    > On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
    > > One worry in going this route would be that we'd never actually make
    > > any decisions on the Board calls and the value of them could be
    > > greatly diminished.
    > I understand and applaud the drive to get things done and decided.
    > On the other hand, for some decisions, more time to think things through
    > and leverage the input of the entire board would be wise.
    > Board calls are the perfect place to make decisions too minor, or irrelevant to
    > the board's interests, for the entire board to get involved, for efficiency's
    > sake.  I think it's a judgment call to decide which decisions can be done on the
    > calls.  However, CVE assignment policy decisions are of interest to the entire
    > board.  My point is that splitting the difference in the middle, and having
    > some categories of decisions flagged for mailing list discussions, may be close
    > to optimal.
    > Pascal


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: July 10, 2017