
[CD] CD:VOTE (Voting Requirements)



Following is the latest version of the CD:VOTE content decision, which
takes effect immediately.

Modifications have been made in accordance with feedback from the last
few Editorial Board meetings, as well as discussions on the Editorial
Board mailing list, with the implied consent of Board members who did
not comment throughout the course of CD:VOTE's evolution over the past
15 months.  Dissenting opinions are also registered.

- Steve


************************************************************************
CD:VOTE (Voting Requirements)
************************************************************************
Type: PERVASIVE
Version: 1.1
Date: October 2, 2000


Short Description
-----------------

A candidate must satisfy minimum voting standards before it can become
an official CVE entry.


Definitions
-----------

All definitions are informal.

The "Candidate Numbering Authority" (CNA) is the entity that is
responsible for assigning candidate numbers to security problems, and
ensuring that candidates satisfy all approved content decisions.  As
of October 2, 2000, MITRE is the only CNA.

The "CVE Editor" is the individual(s) who makes Interim and Final
Decisions to ACCEPT or REJECT candidates.  As of October 2, 2000, the
CVE Editor is Steve Christey.

A "voting member" is any member of the Editorial Board who votes on a
candidate, not including the CVE Editor.

A "Quorum" is the minimum number of votes that must be cast in order
to move the candidate to the Interim and Final Decision phases.


Application
-----------

A candidate must satisfy all of the following voting requirements
before an Interim or Final Decision can be made.


Establishing a Quorum
---------------------

1) To be ACCEPTed, a candidate must obtain enough votes to establish
   a Quorum.  A Quorum is established if any of the following occur:
   - At least 3 voting members ACCEPT the candidate, not including the
     original discoverer of the problem
   - *Or*, at least 2 voting members ACCEPT the candidate, and the
     vendor has publicly acknowledged that the problem exists, and
     neither of the 2 voting members is a representative of that
     vendor

2) If multiple members from the same organization vote on the same
   candidate, then only one of those votes may be counted towards the
   Quorum.  If the members cast conflicting votes, then it is up to
   them to decide which vote is to be used in establishing a Quorum.

3) There must be more ACCEPT votes than REJECT votes for a candidate
   to be included in the official CVE list.  The CVE Editor should
   work with disagreeing voters to establish consensus, if possible.
   If consensus cannot be achieved in a timely fashion, then the
   Editor may make the decision based on reviewed content decisions
   and voter feedback.  The Editor must define the process by which
   voting conflicts are resolved.

4) An Editorial Board member who belongs to the CVE Editor's
   organization may vote and be included in the Quorum, provided the
   member is not the Editor.  The Editor may only "vote" as part of
   the Interim or Final Decision.


Timeliness of Votes
-------------------

5) After its initial proposal, the candidate must not be moved to the
   Interim Decision phase for at least 2 weeks.

6) The CVE Editor must determine that further discussion of the
   candidate will not affect the decision with respect to the
   candidate, *or* it is in the best interests of CVE to make a
   decision.

7) If a voting member casts a REVIEWING vote, then the Editor may
   delay an Interim or Final Decision for at least 2 weeks after the
   vote was cast.  After the 2 week time period, the Editor may extend
   the delay, or disregard the REVIEWING vote and move the candidate
   to Interim Decision.  The Editor must notify the Board member
   before the phase change occurs.


Voting and Content Decisions
----------------------------

8) The Candidate Numbering Authority (CNA) and the CVE Editor are
   responsible for interpreting whether a REJECT vote is contradictory
   to reviewed content decisions, and they must make the voter aware
   of the contradiction.

9) The candidate must not be affected by any content decisions (CDs)
   that have not been sufficiently reviewed by the Editorial Board.
   If it is, then it must not be moved to Interim or Final Decision
   until the associated content decisions have been reviewed by the
   Board.  The CVE Editor must define a separate process for
   determining when content decisions have been sufficiently reviewed.


Additional Guidance for Voters
------------------------------

1) A voting member should only ACCEPT a candidate if:
   - they believe that the related problem really exists
   - they believe that the problem is not a duplicate of existing
     candidates or entries

2) A voting member is encouraged, but not required, to review the
   candidate with respect to reviewed content decisions.  It is the
   responsibility of the CVE Editor to ensure that all candidates
   satisfy reviewed content decisions before they are accepted as
   official CVE entries.

3) A voting member should vote on candidates according to reviewed
   content decisions, instead of their own personal preferences.
   Informally, a voting member should not REJECT a candidate if all of
   the following apply:
   - the candidate is not a duplicate of other candidates/entries
   - it satisfies all reviewed content decisions (CDs)
   - it satisfies CVE's vulnerability/exposure definition

   Examples: if a voter doesn't believe a candidate should be included
   in CVE because they wouldn't include it in their own database, but
   a reviewed inclusion CD specifically allows it, then the voter
   should not vote to REJECT.  Or, if the voter prefers to use a level
   of abstraction that is contrary to reviewed abstraction CDs, the
   voter should not vote to REJECT or RECAST.  A voter may use an
   ABSTAIN or NOOP vote instead.

   On the other hand, if a voter disagrees with the inclusion or
   abstraction of a candidate, and there are no CDs which affect the
   candidate (or, the CD has not been sufficiently reviewed by the
   Board), then the voter may vote to REJECT or RECAST accordingly.

4) A voting member should not vote for a candidate that is related to
   a security problem in a competitor's product, unless the competitor
   has acknowledged that the problem exists.  The CVE Editor must
   identify and resolve circumstances in which voting occurs for
   strictly competitive reasons.

5) A voting member may indicate that their REVIEWING vote does not
   have to delay the acceptance of the candidate.


Dissenting Opinions
-------------------

Some Editorial Board members believe that voters should be formally
prevented from voting on vulnerabilities in competitors' products.
However, in some cases, this restriction could significantly limit the
number of voters who could vote on some candidates.  In addition, it
is uncertain as to how "competitors" are defined.

In the summer of 1999, Editorial Board members advocated that other Board
members in the CVE Editor's organization should not vote.  In several
Board meetings during 2000, however, members who expressed an opinion
agreed that this restriction should be lifted, provided the votes
occurred independently of the CVE Editor.  This includes some members
who had originally objected to this approach in 1999.


Content Decision History
------------------------

The following URLs provide supporting context for the evolution of
this content decision.  They include Editorial Board meeting summaries
and discussion threads on the Editorial Board mailing list.

Background information on the voting process is at
http://cve.mitre.org/docs/docs2000/naming_process.html

Board meeting summaries:
  http://cve.mitre.org/board/archives/2000-08/msg00013.html
  http://cve.mitre.org/board/archives/2000-07/msg00000.html
  http://cve.mitre.org/board/archives/2000-03/msg00007.html
  http://cve.mitre.org/board/archives/1999-08/msg00036.html

Discussion threads:
  http://cve.mitre.org/board/archives/2000-06/msg00022.html
  http://cve.mitre.org/board/archives/1999-06/msg00003.html

Page Last Updated or Reviewed: May 22, 2007