RE: Current standards/criteria for 'Undefined Behavior'

[Beverly Finch < beverlyfinch@lenovo.com >]

I agree with Kent.

Regards,

Beverly M Finch, PMP PSIRT Program Manager Product Security Office 7001 Development Drive Office 3N-C1 Morrisville, NC  27560	+1 919 294 5873 beverlyfinch@lenovo.com
Lenovo.com  Twitter  |  Facebook  |  Instagram  |  Blogs  |  Forums

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent
Sent: Tuesday, July 11, 2017 1:13 PM
To: Millar, Thomas; kurt@seifried.org; balinsky@cisco.com
Cc: david.waltermire@nist.gov; ccoffin@mitre.org; pmeunier@cerias.purdue.edu; che@riskbasedsecurity.com; cve-editorial-board-list@lists.mitre.org
Subject: Re: Current standards/criteria for 'Undefined Behavior'

I absolutely am not! 

I have no problem having another contact list for emailing various Board related messages out but organizational reps are against the spirit of the Board.  People are not on the Board because they work for “Foo”. The Charter of the Board states, “ The Board comprises a set of passionate individuals wishing to advance CVE and vulnerability identification.”  The key there is individuals.  If there is a need that is so timely to get Board minutes out then let’s create an email list that can include the Board members plus other members as interested.

Board members should have the capabilities to talk amongst themselves.  Adding organizational representatives for local corporate needs is not beneficial to the effort. 

There are ways to deal with what Kurt wants without forcing changes to how the Board works.  From a CNA perspective, his request makes sense. From a Board decision making process perspective it does not at all.

--

Kent Landfield

817-637-8026

kent_landfield@mcafee.com

From: "Millar, Thomas" < Thomas.Millar@hq.dhs.gov >
Date: Tuesday, July 11, 2017 at 9:14 AM
To: " kurt@seifried.org " < kurt@seifried.org >, " balinsky@cisco.com " < balinsky@cisco.com >
Cc: David Waltermire < david.waltermire@nist.gov >, " ccoffin@mitre.org " < ccoffin@mitre.org >, Kent Landfield < Kent_Landfield@McAfee.com >, " pmeunier@cerias.purdue.edu " < pmeunier@cerias.purdue.edu >, " che@riskbasedsecurity.com " < che@riskbasedsecurity.com >, " cve-editorial-board-list@lists.mitre.org " < cve-editorial-board-list@lists.mitre.org >
Subject: RE: Current standards/criteria for 'Undefined Behavior'

I'm actually in favor of that idea. It would definitely help if we could have a designated #2 rep on the board.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

 

---

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Tuesday, July 11, 2017 3:11:56 AM
To: Andy Balinsky (balinsky)
Cc: Waltermire, David A. (Fed); Coffin, Chris; Landfield, Kent; pmeunier@cerias.purdue.edu ; Carsten Eiram; cve-editorial-board-list
Subject: Re: Current standards/criteria for 'Undefined Behavior'

One thing would it be acceptable to consider having organizations on the board minutes/email rather than individuals, by this I mean at Red Hat we have myself and (I think..) still mjc@redhat.com on this, but if I'm on vacation/etc. it would be nice if the minutes/board email could go to secalert@redhat.com (the incoming team, and from there whoever at redhat security who needs to be involved). 

My goal long term with the DWF for example is to be dependant on process that are driven by people, and NOT to be dependant in specific people (I want the bus factor to be N-1 =). 

On Mon, Jul 10, 2017 at 6:01 PM, Andy Balinsky (balinsky) < balinsky@cisco.com > wrote:

I think that the clock (however many days it is) needs to start from publication of the minutes, just like the US Federal government uses X days from publication in the Federal Register for its comment periods. 

There have been occasions where the minutes have not come out in a timely fashion (3 May minutes released 31 May), and this would not be fair to other board members who were not on the call. It would provide both a consistent standard, and an incentive to get the minutes out on time. Any delays would impede finalization of any proposed decisions made in that meeting. 

Maybe we need an SLA for the publication of the minutes, too, like within 7 days of the meeting.

Andy

On Jul 10, 2017, at 10:27 AM, Waltermire, David A. (Fed) < david.waltermire@nist.gov > wrote:

Chris,

I think we want consensus (the lack of sustained objection) over

agreement.
Agreed.

If a new option is chosen on the call, a new discussion period will be started

to provide a means for the board to provide feedback.
The first time I read through your response, I took this as a way to extend the
decision indefinitely. However, I think what you are saying is that if the
decision is changed in a substantial way, we would want to have all board
members review the decision again as if it were a new decision entirely. I
think this makes sense and should be left as an option in cases where there is
sustained objection. However, what I think we want to avoid is the case
where a decision is held up by a single Board member indefinitely.

Sure. We want transparency, not bureaucratic deadlock. I was only concerned about the lack of transparency that could result from a new change.

Also, I would assume that two weeks starts from the time that minutes are

posted?
Kent had originally stated one week, and I extended this based on the board
call schedule since we would want to get consensus before or during the
next call. Assuming we get the meeting minutes out within the same week as
the call, I think this still gives about a week and a half for mailing list
discussion. Does a week and a half sound reasonable?

Why not set a minimum of 1 week and allow some flexibility to expand the period as needed for issues that will need more time?

Thanks,
Dave

Andy Balinsky (balinsky)

PSIRT Engineering

balinsky@cisco.com

--

Kurt Seifried
kurt@seifried.org