Re: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

["Landfield, Kent" < Kent_Landfield@McAfee.com >]

Here are a few items that are included in the attached doc but I wanted to call them out for the sake of discussion.

Links don’t work but others have stated that.

1. I would like to see the following paragraph replaced with the suggested text.

Organizations are limited to two representatives on the CVE Editorial Board. Each organization is encouraged to have two representatives, an implementer and a liaison, on the Board. Implementers include content team members, vulnerability analysts, security researchers, and incident responders. Liaisons include product managers, product strategists, chief technology officers, and marketing representatives.

Replace with: 

In an effort to guard against organizational bias, a single organization may be represented by a maximum of two individuals with the expectation that one individual would be focused on strategic direction and the other individual would be focused more on technical decisions.

A replacement is sought for a departing Board member.

I do not think this is what has been done in the past.  If this is more a Board of contributing individuals, this makes it sound as if we are going back to the same company looking for a body.  I believe the bulleted items previously listed cover the need.

3. 3. In the MITRE Evaluation. The last bullet states: " The prospect, and the prospect's parent organization , approves the level of effort required for the prospect ’ s participation. ”  

Will the organization have any say? That should be between the company and the employee? Will MITRE be notifying the organization of the amount of time a person will be required to participate? I don ’t think that’s been the case in the past. People can do a massive amount of CVE work (massive is subjective here. ;-)) after hours if need be. Not sure they really need company approval in all cases.

4. The Editorial Board members are allowed at least 2 weeks to provide feedback on a candidate ?  Do we really need to delay it two weeks?  I’d say one is more than enough but that’s just my opinion. I believe people ignore these types of action and the more you delay it, the more they forget to respond.  Maybe if Board members requested additional information, an additional week could be added, but I am not sure we have really had that situation too often in the past.  Personal preference since I tend to forget in my old age. ;)

5. Statement:

To maintain the limit of two representatives per organization on the CVE Editorial Board, if a merger or acquisition results in an organization having more than two individuals on the Board, then the organization must choose which two individuals will remain on the Board.

General comment:

Maybe one could be a non-voting member but able to participate in all other respects.  I REALLY hate kicking off good people due to situations beyond their control

Kent Landfield
Director, Standards and Technology Policy
Intel

+1.817.637.8026

From: <Boyle>, "Stephen V." < sboyle@mitre.org >
Date: Tuesday, April 7, 2015 at 2:59 PM
To: Kent Landfield < Kent_Landfield@McAfee.com >, Carsten Eiram < che@riskbasedsecurity.com >
Cc: cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >, "Boyle, Stephen V." < sboyle@mitre.org >
Subject: RE: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Hi Kent and Carsten,

Thank you for your always-thoughtful comments and recommendations.

We do not mean to imply that the subject documents have suddenly taken on a new, higher level of importance to the CVE Editorial Board. To the contrary, we have developed many unwritten rules over the years – some of which may be buried in pages of Board discussion threads from years ago, others of which were decided internally by MITRE or developed as “common practice” – and we are beginning to document these rules and practices explicitly. In this case, we simply thought we’d start by picking off the processes and documents that would be most straightforward, and where we thought the Board would be most likely to quickly come to agreement. As always, we are actively seeking Board member comments and suggestions on both documents, and we plan to discuss them during the Board meeting at RSA.

I’m not surprised the documents look like efforts for the OVAL Board – we spoke with the OVAL team quite a bit leading up to those efforts. Your comments based on the efforts relating to the OVAL Board are well-founded, as are the cautions. CVE has traditionally been a “one member – one vote” model, regardless of whether the member was an independent or an organization, as we saw during the Syntax ID change voting.

We do not want nor expect the Board to ever be comprised solely of organizational representatives. By its nature and purpose, the CVE Editorial Board should, and always continue to, be representative of the entire community. That alone requires that the Board include independent members. We mention that point (albeit not very explicitly) on the CVE Editorial Board web page, and leave it open in the draft documents. I personally like the way you phrased the Board membership as “ based on the individuals who have contributed to this community and to CVE.”   I can see places in the document where we can make it more explicit that we seek independent members that can contribute and who view CVE Editorial Board membership to hold (again, as you said), “a personal responsibility to the community.”

With respect to the comment in the document encouraging organizations to have “an implementer and a liaison,” we put that in partly to try to encourage more engagement within organizations where the “ implementer” (or, to Carsten’s point, technical ) member can sometimes be invisible to those in an organization who might or should otherwise understand CVE within their own organizational context.

We agree that Board members should be active and engaged, and we are seeking comments on the drafts to help us formalize CVE’s and the community’s best interests.

Best Regards,

Steve Boyle

From: Landfield, Kent [ mailto:Kent_Landfield@McAfee.com ]
Sent: Wednesday, April 01, 2015 4:30 PM
To: Boyle, Stephen V.; cve-editorial-board-list
Subject: Re: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Hi Steve,

Can I ask why this is important now? Not like it has been an issue since 2001 ;-)  I am really just a bit curious.  This looks like something we put together on the OVAL Board.  There was a reason we did so there that may not be all that valuable here. The intent was to assure promotion of OVAL and at the same time we were seeing a growing numberer of companies asking to have more that one representative. We wanted to: (From the OVAL Board info)

In an effort to guard against organizational bias, a single organization may be represented by a maximum of two individuals with the expectation that one individual would be focused on strategic direction and the other individual would be focused more on technical decisions.

We also only allowed one vote per organization because not all organizations had two members.  In reality the process cost us a good participating individual.  We had a situation where one organization ended up with three people and the organization decided who would be on the list.  This meant we lost one of the more consistent contributors while keeping less a participating member.  

I have always felt the CVE Editorial Board not to be organizationally-based but rather based on the individuals who have contributed to this community and to CVE.  Yes, because we have more than one person from specific companies, the voting process needs to use the organizational slant to reduce the possibility of organizational bias in the vote results but I have always viewed the Board not as an organizational responsibility but a personal one because of my belief in the value of CVE. 

Recommending two people from each company seems to bloat and dilute the Board.  By injecting those who are not as passionate about CVE and its value, we end up with individuals who look at this more as a resume item instead of a personal responsibility to the community. 

JMHO .

Kent Landfield
Director, Standards and Technology Policy
Intel Security

+1.817.637.8026

From: <Boyle>, "Stephen V." < sboyle@mitre.org >
Date: Wednesday, April 1, 2015 at 9:50 AM
To: cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Cc: "Boyle, Stephen V." < sboyle@mitre.org >
Subject: MS-Word versions of draft Editorial Board governance documents [Was: Two draft Editorial Board governance documents for review and comment]

Some people have asked us for editable versions of the two Editorial

Board governance document drafts we recently sent out for your

review and comments. Attached please find MS-Word (.docx) versions

of both documents for your review and comments.

We appreciate your time and attention reviewing the drafts, and we

want to thank those of you who have already provided your comments.

As we requested in the original transmittance email:

- Please review the documents and send us your comments before April 13th.

- If you do not have any comments or suggestions, a quick email to us

   saying so will record the fact that you have read and reviewed the drafts.

Best Regards,

The MITRE CVE Team

Adding and Removing CVE Editorial Board Members-KBL.docx