RE: [CD] CD Proposal: VOTE (Voting Requirements)
> From: 'aleph1@SECURITYFOCUS.COM' [mailto:aleph1@SECURITYFOCUS.COM]
> * David LeBlanc (dleblanc@microsoft.com) [000613 22:28]:
> >
> > This rule is merely an attempt to codify what is currently an informal,
> > voluntary practice. I think it is a good practice - most decision making
> > bodies allow members to recuse themselves for conflict of interest. Do you
> > have a better way of saying it?
>
> I'd rather see a method for the owner of a vulnerable product or service
> to contest a CVE entry. In particular I would give them a way to
> state they believe some of the votes approving the CVE entry are
> malicious and with competition in mind. We could then vote again,
> including the entities they claim are malicious, but have a higher
> standard to approve the contested CVE entry (e.g. we would need
> 6 votes instead of 3).

I don't see that this procedure would take the place of either a rule or a
guideline which states that conflicts of interest are to be avoided.
Personally, I'm going to NOOP anything that affects a vendor of products
which compete with Microsoft, even if I have direct knowledge of the bug.
Just seems to be the ethical thing to do. We don't currently have a problem
with other people doing anything wrong, and given the caliber of people on
the board, I don't think we are in any real danger of having a substantial
problem.

I think that all we really need to do here is make a guideline, and then let
Steven work personally with anyone who he thinks doesn't understand the way
we work. We're making this whole thing a lot harder than it needs to be.

My $0.02.