[CD] CD:VOTE (Voting Requirements)
The following is the latest version of the CD:VOTE content decision, effective immediately. The modifications are based on feedback from the last several Editorial Board meetings and on discussions on the Editorial Board mailing list, along with the implied consent of Board members who have not commented over the course of the CD's voting process during the past 15 months. Dissenting opinions have also been recorded.

- Steve

**********************************************************************

Type: General
Version: 1.1
Date: October 2, 2000

Short Description
-----------------

A candidate must satisfy minimum voting criteria before it can become an official CVE entry.

Definitions
-----------

All definitions are informal.

The "Candidate Numbering Authority" (CNA) is the entity responsible for assigning candidate numbers to security problems and for ensuring that candidates satisfy all approved content decisions. As of October 2, 2000, MITRE is the only CNA.

The "CVE Editor" is the individual(s) who makes Interim and Final Decisions to ACCEPT or REJECT candidates. As of October 2, 2000, the CVE Editor is Steve Christey.

A "voting member" is any member of the Editorial Board who votes on a candidate, not including the CVE Editor.

A "Quorum" is the minimum number of votes that must be cast in order to move the candidate to the Interim and Final Decision phases.

Application
-----------

A candidate must satisfy all of the following voting requirements before an Interim or Final Decision can be made.

Establishing a Quorum
---------------------

1) To be ACCEPTed, a candidate must obtain enough votes to establish a Quorum. A Quorum is established if any of the following occur:

   - At least 3 voting members ACCEPT the candidate, not including the original discoverer of the problem

   - *Or*, at least 2 voting members ACCEPT the candidate, and the vendor has publicly acknowledged that the problem exists, and neither of the 2 voting members is a representative of that vendor

2) If multiple members from the same organization vote on the same candidate, then only one of those votes may be counted towards the Quorum. If the members cast conflicting votes, then it is up to them to decide which vote is to be used in establishing a Quorum.

3) There must be more ACCEPT votes than REJECT votes for a candidate to be included in the official CVE list. The CVE Editor should work with disagreeing voters to establish consensus, if possible. If consensus cannot be achieved in a timely fashion, then the Editor may make the decision based on reviewed content decisions and voter feedback. The Editor must define the process by which voting conflicts are resolved.

4) An Editorial Board member who belongs to the CVE Editor's organization may vote and be included in the Quorum, provided the member is not the Editor. The Editor may only "vote" as part of the Interim or Final Decision.

Timeliness of Votes
-------------------

5) After its initial proposal, the candidate must not be moved to the Interim Decision phase for at least 2 weeks.

6) The CVE Editor must determine that further discussion of the candidate will not affect the decision with respect to the candidate, *or* that it is in the best interests of CVE to make a decision.

7) If a voting member casts a REVIEWING vote, then the Editor may delay an Interim or Final Decision for at least 2 weeks after the vote was cast. After the 2 week time period, the Editor may extend the delay, or disregard the REVIEWING vote and move the candidate to Interim Decision. The Editor must notify the Board member before the phase change occurs.

Voting and Content Decisions
----------------------------

8) The Candidate Numbering Authority (CNA) and the CVE Editor are responsible for interpreting whether a REJECT vote is contradictory to reviewed content decisions, and they must make the voter aware of the contradiction.

9) The candidate must not be affected by any content decisions (CDs) that have not been sufficiently reviewed by the Editorial Board. If it is, then it must not be moved to Interim or Final Decision until the associated content decisions have been reviewed by the Board. The CVE Editor must define a separate process for determining when content decisions have been sufficiently reviewed.

Additional Guidance for Voters
------------------------------

1) A voting member should only ACCEPT a candidate if:

   - they believe that the related problem really exists

   - they believe that the problem is not a duplicate of existing candidates or entries

2) A voting member is encouraged, but not required, to review the candidate with respect to reviewed content decisions. It is the responsibility of the CVE Editor to ensure that all candidates satisfy reviewed content decisions before they are accepted as official CVE entries.

3) A voting member should vote on candidates according to reviewed content decisions, instead of their own personal preferences. Informally, a voting member should not REJECT a candidate if all of the following apply:

   - the candidate is not a duplicate of other candidates/entries

   - it satisfies all reviewed content decisions (CDs)

   - it satisfies CVE's vulnerability/exposure definition

   Examples: if a voter doesn't believe a candidate should be included in CVE because they wouldn't include it in their own database, but a reviewed inclusion CD specifically allows it, then the voter should not vote to REJECT. Or, if the voter prefers to use a level of abstraction that is contrary to reviewed abstraction CDs, the voter should not vote to REJECT or RECAST. A voter may use an ABSTAIN or NOOP vote instead.

   On the other hand, if a voter disagrees with the inclusion or abstraction of a candidate, and there are no CDs which affect the candidate (or the CD has not been sufficiently reviewed by the Board), then the voter may vote to REJECT or RECAST accordingly.

4) A voting member should not vote for a candidate that is related to a security problem in a competitor's product, unless the competitor has acknowledged that the problem exists. The CVE Editor must identify and resolve circumstances in which voting occurs for strictly competitive reasons.

5) A voting member may indicate that their REVIEWING vote does not have to delay the acceptance of the candidate.

Dissenting Opinions
-------------------

Some Editorial Board members believe that voters should be formally prevented from voting on vulnerabilities in competitors' products. However, in some cases, this restriction could significantly limit the number of voters who could vote on some candidates. In addition, it is uncertain how "competitors" are defined.

In the summer of 1999, Editorial Board members advocated that other Board members in the CVE Editor's organization should not vote. In several Board meetings during 2000, however, members who expressed an opinion agreed that this restriction should be lifted, provided the votes occurred independently of the CVE Editor. This includes some members who had originally objected to this approach in 1999.

Content Decision History
------------------------

The following URLs provide supporting context for the evolution of this content decision. They include Editorial Board meeting summaries and discussion threads on the Editorial Board mailing list.

Background information on the voting process is at

  http://cve.mitre.org/docs/docs2000/naming_process.html

Board meeting summaries:

  http://cve.mitre.org/board/archives/2000-08/msg00013.html
  http://cve.mitre.org/board/archives/2000-07/msg00000.html
  http://cve.mitre.org/board/archives/2000-03/msg00007.html
  http://cve.mitre.org/board/archives/1999-08/msg00036.html

Discussion threads:

  http://cve.mitre.org/board/archives/2000-06/msg00022.html
  http://cve.mitre.org/board/archives/1999-06/msg00003.html