Re: CD: CD PROPOSAL: VOTING (Voting requirements)
> From: aleph1@SECURITYFOCUS.COM
> * Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 04:06]:
> > > > 7) If the candidate being voted on is for a security problem found in
> > > > a product belonging to an organization that competes with the voting
> > > > member's, then that member's vote may not be counted toward the
> > > > quorum unless the competing organization has publicly acknowledged
> > > > the problem.
>
> This is silly. So if NAI does not acknowledge the problem in a
> candidate, then almost no vendor CVE Board member can vote. You must
> remember that nearly everyone is everyone else's competitor in this
> industry. This rule will drastically reduce the number of people who
> can vote on candidates.

I think you are being extreme, and this is not what it is intended to do. As the first Board member representing a software vendor who does not _consume_ CVE entries, I felt it was neither fair nor appropriate for me to go voting to accept every bug with Sun's name on it. You will notice that I generally hold off on anything that does not deal directly with Microsoft products. I _voluntarily_ began this practice because I think it is the right, ethical and fair way to behave. Also, I am not sure of the exact count, but I do not think we are in any real danger of people being unable to vote - for example, you and Russ may indeed compete with each other, but neither of you is a software vendor at this point, and neither of you competes directly with anyone else. Spaf is in a similar situation. Mitre is certainly a neutral party. This rule is merely an attempt to codify what is currently an informal, voluntary practice. I think it is a good practice - most decision making bodies allow members to recuse themselves for conflict of interest. Do you have a better way of saying it?

One suggestion that I might make is that instead of making it a rule, it could be made a guideline where members are just encouraged to NOOP entries where the vendor is viewed as a direct competitor. There is also the case where one vendor finds a bug in another vendor's product (e.g., I found an exploitable BO in NetXRay 2.6 while at ISS), so it would be ridiculous for a vendor to have found a bug, released an advisory on something that is reproducible, and then not to be able to vote on that same bug. Perhaps we're focussing too much on trying to make RULES that apply to every possible situation when we can probably get by asking people to behave ethically.