
[BOARD] CVE Editorial Board Roles, Tasks, and Qualifications



Please review and comment on this document, especially in light of
your own participation on the Board.

A separate email will be sent to each Board member outlining my
current understanding of that member's role, tasks, and their general
level of participation in those tasks.  This may help the Board as a
whole identify the appropriate expectations for current and future
members.

- Steve



CVE Editorial Board Roles, Tasks, and Qualifications
----------------------------------------------------
Version: 1.0
Modified: June 7, 2001


Introduction
------------

This document clarifies the roles, tasks, and qualifications for CVE
Editorial Board members.  Much of the background discussion was held
during a meeting in March 2001, as documented at:

  http://cve.mitre.org/board/archives/2001-03/msg00014.html


Roles for MITRE
---------------

The following roles are unique to MITRE.

The CVE Editor is responsible for creating and publishing CVE content,
including candidates, CVE versions, content decisions, etc.

The Editorial Board Chair is responsible for Editorial Board
structure, recruitment, and activities.

Task leaders are responsible for one or more major strategic tasks
such as community outreach, web sites, CVE compatibility, CVE content,
future planning, and related work.

Content team members support the CVE Editor.


Roles for Editorial Board Members
---------------------------------

Note that some members may have more than one role on the Editorial
Board.  However, all members have only one primary role.

Technical members participate in the creation, design, review,
maintenance, and application of CVE.

Liaisons represent a significant constituency, related to or affected
by CVE, in an area which does not necessarily have technical
representation on the Board.  In some cases, a liaison may represent
an individual organization.  This role may include software vendors.

Advocates actively support or promote CVE in a highly visible fashion.
This role is reserved for respected leaders in the security community
who help bring credibility to the CVE Initiative and give CVE a wider
reach outside of the security community.

Emeritus members are individuals who were formerly active and
influential in the CVE Initiative, and who maintain an honorary
position as a result.


Minimum Expectations for Editorial Board Members
------------------------------------------------

Board members must meet the minimum levels of effort consistent with
the tasks that they undertake.  If a Board member participates in
multiple tasks, then the minimum expectations for each individual task
may be lowered accordingly.

All members are expected to commit a minimum of 2 hours per month to
maintain high-level awareness of ongoing CVE and Editorial Board
activities.  There may be additional requirements depending on
additional tasks.

Participation should be consistent with respect to the specific task,
but allowances can be made for extenuating circumstances that
temporarily prevent a member from meeting the minimum level of
participation.


=================================================================
Tasks for All Members
=================================================================

All members are expected to perform the following tasks.

1) Consultation: This includes participating in Board meetings, or
   discussion of ad hoc issues related to CVE content or Editorial
   Board processes such as content decisions, Board membership, or CVE
   compatibility.

2) Awareness: This includes participating in Board meetings and/or
   reading meeting summaries, and regularly reading posts on the
   Editorial Board mailing lists.

Many members may perform the following tasks.

1) Outreach.  Some Board members actively promote CVE and educate the
   public about CVE, or introduce various contacts to MITRE within the
   CVE context.

2) Non-CVE activities.  Some Board members may participate in
   activities that are undertaken under the Board context, but not
   directly related to CVE.


Expected Level of Effort
------------------------

The amount of effort for these tasks may vary widely.  Each
consultation task may require 1 to 10 hours, or more.  Such tasks may
occur approximately once every 2 months.


=================================================================
Technical Member Tasks
=================================================================

Each technical member should regularly perform one or more of the
following tasks.

1) Voting on candidates.  The primary task for most technical members
   is to review, comment on, and accept or reject CVE candidates that
   are proposed to the Editorial Board.  Some members vote regularly;
   others vote on an ad hoc basis, e.g. when there is an effort to
   reach a specific content goal.

2) Content provider.  Some Board members provide their vulnerability
   databases to MITRE for conversion into candidates, which ensures
   that CVE content is as complete as possible.  Others are actively
   involved in candidate reservation.  Others may be Candidate
   Numbering Authorities (CNAs), which are authorized to assign CVE
   candidate numbers to security issues before they are publicized.

3) CIEL.  Members participate in the review and development of the
   Common Intrusion Event List (CIEL), a "CVE-for-IDS" which is
   currently being drafted by MITRE.


Expected Level of Effort
------------------------

Following is the amount of effort that is believed to be needed to
participate regularly in a task.

1) Voting - approximately 3 hours per week, on a regular basis

2) Content provider - 1 to 5 hours, approximately once every 2 months

3) CIEL - approximately 1 hour per week, in the early stages


Qualifications for Technical Members
------------------------------------

1) Participants should be experts, as users or developers, in one or
more of the following technical areas:

  - vulnerability assessment and related tools
  - intrusion detection, and related tools
  - incident response or forensics
  - academic/research topics such as vulnerability or exploit
    analysis, taxonomies and classification, new security models, or
    programmer behaviors
  - related areas

2) Participants should have strong knowledge about computer security
issues in most of the following areas:

   - concepts such as buffer overflows, race conditions, design
     errors, insecure configurations, etc.
   - commonly exploited vulnerabilities, or related tools
   - security models in operating systems, protocols, applications,
     etc.
   - vulnerability information sources, e.g. advisories, mailing
     lists, or hacker sites
   - extensive "real-world," operational experience in one or more of
     the areas described in (1)

The participant's knowledge may be broad (e.g. general knowledge of
various types of flaws in many different OSes) or deep (e.g. analysis
of programming errors in a single OS or programming language).

3) Participants should be able to effectively identify and communicate
technical issues that relate to CVE and their particular area of
expertise.

4) Participants should have a demonstrated commitment to sharing
information to enhance research or education, or to improving overall
enterprise security, e.g. by active participation in conferences or
other forums.


=================================================================
Liaison Tasks
=================================================================

Liaisons should perform one or more of the following tasks, in
addition to those tasks that are required of all members.

1) The liaison must educate the liaison's own community about CVE,
   where appropriate.

2) The liaison must educate the Editorial Board about the needs and
   interests for CVE of the liaison's community, where appropriate.

3) If the member is a software vendor liaison, then the member must
   vote on candidates related to vulnerabilities in that vendor's
   products.

4) Liaisons may undertake other technical tasks.

5) The liaison should participate regularly in ad hoc consultation
   tasks, if the liaison previously agreed to perform those tasks.


Expected Level of Effort
------------------------

Liaisons will need to commit approximately 1-2 hours per week to
maintain enough high-level knowledge of CVE and Editorial Board
activities to effectively educate their constituency, and the Board,
on CVE-related issues.


Qualifications for Liaisons
---------------------------

1) A liaison that represents a constituency beyond an individual
   organization must be visible and active in the liaison's
   constituency community.

2) A liaison that represents an individual organization must be able
   to effectively communicate with all other relevant parts of that
   organization.

3) Software vendor liaisons must be able to effectively communicate
   with the vendor's security and product development teams.


=================================================================
Advocate Tasks
=================================================================

1) Endorse CVE to constituencies that will benefit from it.

2) Foster better communication between constituencies.

3) Participate in Editorial Board activities, especially in decisions
   related to Board structure and strategic activities.

4) Advocates may undertake technical or liaison tasks.


Expected Level of Effort
------------------------

The expected level of effort is variable, but the advocate should
participate at least once every 6 months.


Qualifications for Advocates
----------------------------

1) The advocate should be a recognized leader in the security
   community, as approved by members of the Editorial Board.



=================================================================
Emeritus Tasks
=================================================================

Emeritus members may participate periodically in technical, liaison,
or advisory tasks.


Expected Level of Effort
------------------------

Emeritus members are not expected to participate regularly in the CVE
Initiative, but they should participate in some task approximately
every 6 months.


Qualifications for Emeritus
---------------------------

1) Emeritus members must have made significant contributions to the
   CVE Initiative, as determined by MITRE.

Page Last Updated or Reviewed: May 22, 2007