Re: Current standards/criteria for 'Undefined Behavior'
Concur. Using both like this improves communication and helps us make
more informed decisions.
Scott
> On Jul 7, 2017, at 5:15 PM, jericho <jericho@attrition.org> wrote:
>
>
> Seconded.
>
> On Fri, 7 Jul 2017, Waltermire, David A. (Fed) wrote:
>
> : I don't believe we are facing a binary decision here. It seems like
> : we want to take advantage of email and phone conversations.
> :
> : 1) phone calls - provide high bandwidth for communication; low
> : effort; not easy for everyone to follow due to scheduling
> : 2) email - low bandwidth; high-effort to write; easier for the full
> : board to follow with variable schedules
> :
> : I believe with good note taking and email summaries of phone
> : discussions we can get the best of both worlds. That said, I would
> : like to see all decisions be confirmed on the list. This can be as
> : simple as "We decided XYZ on the call for ABC reasons. Anyone have
> : any concerns with this? If not, we will take action on DATE."
> :
> : I don't see this type of approach as a big burden.
> :
> : Regards,
> : Dave
> :
> : > -----Original Message-----
> : > From: Beverly Finch [mailto:beverlyfinch@lenovo.com]
> : > Sent: Friday, July 07, 2017 3:18 PM
> : > To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> : > <david.waltermire@nist.gov>
> : > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> : > <cve-editorial-board-list@lists.mitre.org>
> : > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : >
> : > I prefer calls over more email. I apologize for missing this past one....life
> : > happened and I was totally unavailable.
> : >
> : >
> : >
> : > Regards,
> : >
> : >
> : > Beverly M Finch, PMP
> : > PSIRT Program Manager
> : > Product Security Office
> : >
> : > 7001 Development Drive
> : > Office 3N-C1
> : > Morrisville, NC 27560
> : >
> : > +1 919 294 5873
> : > beverlyfinch@lenovo.com
> : >
> : > -----Original Message-----
> : > From: owner-cve-editorial-board-list@lists.mitre.org
> : > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
> : > Sent: Friday, July 7, 2017 2:50 PM
> : > To: Waltermire, David A. (Fed)
> : > Cc: Carsten Eiram; cve-editorial-board-list
> : > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : >
> : > Dave,
> : >
> : > The meeting minutes were intended to be an overview of past meetings and
> : > allow someone to be aware of what was discussed and any decisions made.
> : > We apologize if this specific issue and decision was not properly captured in
> : > the meeting minutes for the call in question, and will try to do a better job
> : > with this moving forward.
> : >
> : > Let's also pull on this thread a bit and discuss what this might mean if we
> : > move our issues and possibly decisions to the mailing list. Are we suggesting
> : > that we create a separate email thread for each issue and/or decision from
> : > the calls? Would the email threads be a recount of the issues discussed and
> : > decisions made on the Board call, or would we want input from the list in
> : > every case before making a final decision? It sounds as though we are
> : > suggesting the latter. One worry in going this route would be that we'd never
> : > actually make any decisions on the Board calls and the value of them could be
> : > greatly diminished.
> : >
> : > I think this also leads to a larger question of whether folks on the Board
> : > prefer fewer calls and more mailing list communications?
> : >
> : > What are others' thoughts?
> : >
> : > Regards,
> : >
> : > Chris
> : >
> : > -----Original Message-----
> : > From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
> : > Sent: Friday, July 7, 2017 12:52 PM
> : > To: jericho <jericho@attrition.org>; Coffin, Chris <ccoffin@mitre.org>
> : > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> : > <cve-editorial-board-list@lists.mitre.org>
> : > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : >
> : > What Brian is asking for here is something we absolutely should be doing to
> : > host a healthy board community. My schedule has been chaotic recently and
> : > I haven't been able to attend the calls like I normally do. Posting these types
> : > of issues to the list would give me a way to contribute to the conversation
> : > when I cannot be on the calls. I am sure others on the board share the same
> : > view on this as Brian and me.
> : >
> : > We have talked about this quite a few times, but change has been slow and
> : > incomplete. How do we make this a standard practice going forward?
> : >
> : > Thanks,
> : > Dave
> : >
> : > > -----Original Message-----
> : > > From: owner-cve-editorial-board-list@lists.mitre.org
> : > > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> : > > jericho
> : > > Sent: Friday, July 07, 2017 1:15 PM
> : > > To: Coffin, Chris <ccoffin@mitre.org>
> : > > Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> : > > cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> : > > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : > > Importance: High
> : > >
> : > > On Fri, 7 Jul 2017, Coffin, Chris wrote:
> : > >
> : > > : Yes. We discussed on a Board call and decided to discontinue
> : > > : assignment for undefined behavior issues.
> : > >
> : > > A couple things:
> : > >
> : > > 1. Which call? I do not see this topic in the meeting minutes for the
> : > > last three meetings.
> : > >
> : > > 2. If a new policy is implemented based on a conference call, it would
> : > > benefit everyone if it was more clearly stated in the meeting minutes,
> : > > and it should also be posted directly to the list under a new thread.
> : > >
> : > > 3. There are issues I bring up on list, that are then discussed almost
> : > > exclusively on the calls with a fraction of the board present. The
> : > > gist of the discussion and even the final disposition are not always
> : > > included in the minutes, and not brought to the list. That leaves
> : > > emails to the board list that appear to be unaddressed in any fashion.
> : > > Since the list is public, this is not a good external perception for
> : > > MITRE or the Board.
> : > >
> : > > Brian
> :