| Status | Final |
|---|---|
| Version | 3.5.0 |
| Approved | 2024-07-02 |
| Effective | 2024-07-02 |
-
Board Overview and Member Responsibilities
1.1 CVE Program Board Overview
1.4 Minimum Board Member Responsibilities
-
Board Membership and Operations
2.1 Selection of Full Board Members
2.2 Selection of CNA Liaison Members
2.3 Selection of Organizational Liaison Members
2.5 Resignation from the Board
2.6 Change in Member’s Affiliation
2.7 Board Member Professional Conduct Guidance
2.8 Removing Full Board Members
2.9 CNA Liaison Removal or Resignation
2.10 Organizational Liaison Removal or Resignation
2.11 Recognition of Former Members
2.12 Term Limits
2.13 Voting Mechanics
2.15 Board Meetings
2.16 Working Groups
2.17 Charter Exceptions
The CVE Program Board is essential for ensuring CVE meets the vulnerability identification needs of the global cybersecurity and technology community. The Board’s primary responsibilities are to work with each other and the community to oversee the program, provide strategic direction, and advocate for the CVE Program.
Board members represent numerous global cybersecurity-related organizations, including commercial security tool vendors, academia, research institutions, government departments and agencies, other prominent security experts, and end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and the strategic direction of CVE.
Board members are not limited to, but traditionally fit into one or more of the following categories:
- Technical Implementers provide input and guidance regarding the creation, design, review, maintenance, and application of CVE List records (CVE Records). This may include individuals who integrate CVE Records into products, such as content and development engineers working for product vendors, and others who consume CVE Records.
- Subject Matter Experts (SMEs) represent a significant constituency related to, or affected by, CVE, and are domain experts in the vulnerability management and reporting field. These members may include individuals from product vendors who represent the needs of their company, such as Product Security Incident Response Team (PSIRT) members, or product managers and product strategists who represent customers.
- Advocates actively support or promote CVE in a highly visible fashion. These individuals are respected leaders within the security community who help bring credibility to CVE and give it a wider reach outside of the security community.
The CVE Board is primarily comprised of individuals, not the organization where they are currently employed. A full Board member’s change in employment or affiliations does not affect their membership on the Board, and they will remain a member of the Board, if they so choose.
Full members of the Board have voting privileges and are not subject to term limits.
A single seat on the Board is reserved for a CNA Liaison who represents the CNA community, and ensures CNAs are updated with various status and activity-related information. The liaison is a voting member of the Board, with a one-year term, and can serve more than one consecutive term if the CNA community desires. This position is a two-way conduit for CNAs to bring things to and from the Board in a more official and structured way.
An Organizational Liaison position allows for tighter partnerships with targeted organizations. This type of role provides the Board with greater flexibility for how external organizations work with the Board and CVE program governance. There can be one or more organization(s) designated to have a liaison relationship with the Board at any one time. Each Organization with a Liaison position will have a single seat on the Board reserved for the Organizational Liaison representing them. This allows the Board representation from specific organizations as needed.
This is a term-limited seat that must be reconfirmed by the Secretariat when the term set expires. The default term, unless specified by the Board during the establishment of the organization’s liaison role, is one year. The Secretariat assures the Organization wishes to continue the Board relationship and that the designated individual is the proper person to fill the role for the organization for the upcoming term. The Organization’s liaison is a voting member of the Board and can serve more than one consecutive term if the Organization desires. This position is a two-way conduit for the Organization to bring things to and from the Board in an official and structured way.
The MITRE Corporation (MITRE) initially established the Board in 1999, and currently serves as the CVE Board Moderator and CVE Program Secretariat (a.k.a Secretariat). The Secretariat provides programmatic support to the Board and its Working Groups, to include:
- Maintaining the structure of the Board through an approved Board Charter (Charter), management of Board mailing lists and Board meetings, to include meeting moderation, logistics of Board membership, and overseeing additional Board activities, such as voting and other coordinating logistics.
- Intellectual Property (IP) Protection: As the support for the CVE Program, the Secretariat is responsible for protecting IP contributed and transferred to CVE, while ensuring CVE is publicly available and free for use in accordance with the CVE Terms of Use.
- Other: The Secretariat also provides strategic, technical, and programmatic expertise to the Board and other CVE Program participants.
Emeritus members are formerly active Board members who made significant contributions to CVE. The decision as to what are significant contributions is made via consensus of the Board. Emeritus members are non-voting members and may be consulted for their expertise.
The CVE Board has the reasonable expectation that all Board members are engaged and actively participate in the CVE Program. Board members are responsible for collaborating effectively with each other, and the community, relative to all aspects of CVE governance, operation, and future direction.
Members’ primary responsibilities are to actively promote CVE goals and adoption and participate in decision-making processes through established Board mechanisms. Additional forms of participation include Board calls, Board email list discussions, Working Groups, Working Group list discussions, and Board votes.
Board members are volunteers. Therefore, members do not have to participate in every Working Group or every list discussion. However, participation should be enough such that all Board members have confidence in each other that everyone is doing their part to drive the program forward in a positive direction. In this regard, should a Board member lose the confidence of a majority of other Board members, a removal action may be taken. Prior to this step, individual Board members may contact the member of concern directly or may choose to voice their concerns through the Secretariat, so that issues are effectively communicated to the member of concern, and an understanding of the situation is developed to arrive at a fair outcome. Whether done by individual Board members or the Secretariat, the entire Board will be briefed on the situation so that each Board member may form their own opinion about the member of concern.
Voting is particularly important for the CVE Board because it is how the Board makes decisions about the strategic direction of the program, and how the program will be governed and operated. Therefore, Board members have a responsibility to participate by voting as often possible. Votes to abstain count toward participation and toward a quorum. Members may vote to abstain as they choose, and for any issue being voted on.
A single organization may have multiple full members on the CVE Board. In these cases, only a single vote is allowed from the organization for issues that require a Board vote. This prevents a single organization from having undue influence on the outcome of a vote. See section 2.10, Voting Mechanics, for more information.
Mergers and acquisitions (M&A) may affect Board membership. If two or more organizations with members on the Board merge, the merged organizations are considered a single organization. Therefore, as a single organization with more than one Board member, only one of the Board members may vote unless an exception is granted by the Board (2.13 Charter Exceptions).
Similar to M&A, when Board members change organizations and become employed or affiliated with an organization that has current Board membership, they must share their single vote with the other Board members represented by their organization once the change occurs.
No Board member is allowed to nominate candidate Board members from the organization where they are currently employed or affiliated.
The CVE Program Secretariat is responsible for protecting intellectual property (IP) contributed and transferred to CVE, while making sure IP is publicly available and free for use in accordance with the CVE Terms of Use.
Board members are not compensated by the CVE Program.
There is no cap on the number of members who may join the Board, though this practice may be revisited if the Board size increases to the point that it negatively impacts the ability of the Board to make decisions or act. It is up to the Board to determine when action must be taken to resize the Board.
Prospective full Board members (prospects) are those people, either at-large (i.e., independent), or representing an organization in industry, academia, or government, who have potential to add value to CVE. Prospects may be identified by anyone; however, a prospect must be nominated by a full Board member.
The information required to effectively evaluate a prospect is collected by the nominating Board member, using the Board Member nomination form (Word 32K). Once completed, the form is distributed to all Board members, using the Board’s private mailing list. Either the nominating Board member or the Secretariat distributes the completed form. In cases when the Secretariat distributes the completed form, the Secretariat will identify the nominating Board member.
Prospect information includes, but is not limited to, biographical information that details the prospect’s skills and experience in the security community and CVE specifically, and the prospect’s expected value to the CVE Program. The prospect should provide a narrative as to why they want to be a member of the Board. The statement should include their background with CVE and describe their potential value to the CVE Program.
When a new prospective full Board member is nominated, an interview is conducted during an agreed-to Board call. After the interview, the Secretariat establishes the start and end of the voting period in a posting to the private Board mailing list. Board members are provided at least two weeks to review and vote on a new Board member prospect. If a nominee does not gain approval, they may be re-nominated after a 12-month waiting period.
This is an elected position which CVE Numbering Authorities (CNAs) vote on annually. The Secretariat conducts the yearly nomination and voting process with all coordination and communications done through the CNA Mailing list. The Board is notified of the voting results at the successful completion of the process.
The Board can authorize establishing a Liaison relationship with a specific organization if the Board deems the relationship beneficial to the CVE Program. Once approved through a Board vote, it is the organization’s responsibility to determine who the individual Organizational Liaison will be. The Board strongly suggests the selected individual have a cybersecurity background and be well versed in CVE and related efforts.
When a Board prospect is approved by the Board, elected as the CNA Liaison, or added as an Organizational Liaison, the Secretariat announces the new Board member using the public Board mailing list, on the CVE website, in the CVE Announce e-newsletter, and appropriate CVE social media outlets, such as X & Mastodon. The announcement will include the new member’s name, role (if appropriate), organization affiliation, and biographical information of interest to the Program.
The new Board member is expected to immediately begin participating with the responsibilities of a CVE Board member.
Any Board member may resign at any time by giving notice in writing, such as by email, to the Secretariat. The Secretariat confirms with the Board member that the notice is legitimate. A resignation takes effect upon confirmation the notice is legitimate, or at a later time specified in the written notice. No formal acceptance of a resignation is necessary to make it effective.
In the event a full Board member or the CNA Liaison has a change in organizational affiliation, they must notify the Secretariat of the change. Once received, the Secretariat updates the CVE website to reflect the member’s change in affiliation.
If an individual serving as an Organizational Liaison changes roles significantly or leaves the Organization, the Secretariat must contact the Organization to either appoint a new individual to represent them or reconfirm the existing liaison still represents the Organization appropriately. If a new Organizational Liaison is appointed, the Secretariat updates the CVE website to reflect the new Organizational Liaison.
If a Board member’s parent organization does not want to be listed as affiliated with a Board member, the Secretariat will change the member’s affiliation to “Independent.” Organizational Liaisons must list the organization that they represent on the Board.
All Board members must follow the CVE Program Professional Code of Conduct.
Full Board members are considered for removal if:
The Board member does not respond to the annual poll from the Secretariat on whether they would like to continue to be a Board member.
The Board member asks to be removed.
- A current Board member nominates the member for forced removal, due to, e.g., lack of participation, lack of collegiality or professional conduct, or failure to follow Board conventions as established in this Charter. The process for forced removal is:
- A Board member nominates the member for removal through the private Board mailing list, finds another member to second the nomination, and provides the reason to the Secretariat via email.
- The Secretariat submits the removal nomination to the entire Board for deliberation and voting through the private Board mailing list.
- Board members have two weeks to vote and will receive a reminder from the Secretariat one week into the voting period through the private Board mailing list.
- For forced removal, at least half of the Board must cast a vote and two thirds of the votes cast must be in favor of the removal.
In the event a CNA Liaison either resigns or is removed, the Secretariat will ask for nominations on the CNA mailing list. The Board selects a CNA Liaison from the nominated pool to finish out the term of the departed Liaison. The selected CNA Liaison cannot be an existing Board member.
In the event an Organizational Liaison either resigns or is removed, the Secretariat will ask the organization to identify another individual to finish out the term of the departed Liaison.
In the event of serious personnel conflicts detrimental to the Board’s operations, the CVE Board must vote to replace the Liaison. If the vote passes, the Secretariat must ask the Organization to replace the designated individual. If the Organization refuses, the Board has the right to terminate the Liaison relationship.
When Members leave the Board, they are recognized in one of two ways:
- If the person qualifies for Emeritus status, then the member is identified as Emeritus.
- If the person does not qualify for Emeritus status, then the Board member is identified as a former Contributing member. Board members identified as Contributing Members have none of the participation opportunities granted to an Emeritus member.
The Secretariat is responsible for determining the initial recognition status of a departing Board member. The Secretariat informs the Board of the status. If there is disagreement on the Board with the recognition status being proposed, the Board can call for a vote to determine whether the departing Board member is to be listed as Emeritus or as a Contributing member.
The Secretariat is responsible for updating the related CVE website pages to reflect the new status of the departed Board member.
There are no term limits placed on Board service for full members, excluding the CNA Liaison and any Organizational Liaisons, who serve a specific time-limited term. There is no limit on the number of one-year terms a CNA Liaison may serve if they are re-elected by the CNA community each year. There is no limit on the number of terms an Organizational Liaison may serve if they are reconfirmed as the Organizational representative on their Organization’s specified term basis.
All voting occurs in one or two ways, on the Board’s private mailing list through a full Board vote, or as a snap vote on a Board call where there is a documented quorum. The one exception pertains to the CNA Liaison position which is voted on through the CNA mailing list.
Snap votes can be used for deciding consensus on Board calls but cannot be used for approving policy documentation initial approvals or subsequent updates. A required quorum is defined as ‘one more than half the membership of the Board must be on the call’. Unanimous consent is required for passage of a snap vote.
Full Board votes occur on the CVE Board’s private mailing list.
Board members cast a single vote per issue. Any organization with multiple Board members must coordinate and cast a single unified vote per issue, unless an exception applies (2.13 Charter Exceptions). In the event an organization with two or more Board members casts more than one vote, the votes will not be considered. Board members from the same organization are expected to coordinate among their organizational colleagues to determine who is authorized to cast the vote.
Time frames for full Board votes to cast a vote may vary as circumstances require, but generally must be at least one-week long. Two weeks is the recommended time frame for most votes but is not required. The Board may determine that unique and urgent circumstances require a voting time frame of less than one-week. This determination can be made if a majority of Board members agree. In such cases, the Secretariat will document the unique circumstances and tally the votes for and against reducing the standard voting time frame.
Unless otherwise indicated in this Charter or by the Secretariat prior to a specific vote, a simple majority is needed to either accept or reject the item or issue being voted on. Votes from at least a simple majority of the eligible Board members are required for the overall vote to be declared valid. Board members may not change their votes once cast. Board members are encouraged to take as much time as necessary, within the prescribed voting time frame, to consider the issue being voted on prior to casting their vote. Once a majority decision is reached, the Board will direct the implementation of the results of the vote, even if the voting time frame has not concluded. However, the Secretariat will continue to accept votes from eligible Board members until the prescribed voting time frame has expired. Voting is a core responsibility of Board members. Votes will be accepted throughout the originally prescribed voting time frame so that Board members who were unable to vote prior to a majority being reached can still make their opinion known to the rest of the Board.
In the case of a vote being declared invalid, or in the case of a tie, the Secretariat will send the issue back to the Board for further deliberation.
Proxy voting is meant for short-term absences. In the event a voting Board member will be absent and unable to participate in a Board vote(s), that member is expected to coordinate with another member of the Board to cast a proxy vote on their behalf during the absence. Prior to the absence, the voting member must provide the following to the Board:
- The anticipated time frame of his/her absence
- The name of the Board member acting as the voting proxy
At the time of voting, the proxy voting member must identify when they are voting for him/herself and when they are proxy voting for the absent member. When the absent member returns, they must notify the Board they will be voting on their own behalf going forward.
If an organization has multiple voting members on the Board, and one or more members will be absent from a vote(s), the absent member(s) is expected to coordinate with and designate a proxy voter from their organization to cast the organization’s single vote. If all members from the same organization will be absent from a vote at the same time, the members are expected to coordinate with and designate a proxy voter from outside their organization to cast the organization’s single vote. In this case, each member must send a notification to the Board identifying the proxy member.
The Secretariat is responsible for documenting the name of an absent Board voting member and the designated proxy voter on a per vote basis.
Policy documents are the foundation by which the CVE Program is run. Any modifications to these documents need to have transparent change control mechanisms and be approved by the CVE Board through a full Board vote. Examples of policy documents include the CVE Program Glossary, CVE CNA Rules, CVE Record Dispute Policy, EOL Assignment Policy, and the Inactive CNA Policy. While it is understood that additional policy documents are going to be developed, all documents recognized by the Board as a policy document cannot be changed and posted without a Board mailing list approval vote on the updates.
Board meetings are held periodically, with a goal of every two weeks or more frequently, as required. The Secretariat establishes the agenda for each meeting after obtaining input from the Board members. Board members are free to raise subjects during meetings that are not on the agenda for that particular meeting. The agenda, and any supporting documents, are provided to the Board members prior to each meeting, and should be reviewed in advance. Action items carried over or identified during the previous Board meeting should be included in the agenda sent to Board members.
A Board meeting commonly allows Secretariat staff members and others to attend for the purpose of providing status or taking notes. However, there are times when the Board members want to have a private discussion, called an Executive Session, with only official Board members involved. Executive Sessions are needed when discussing sensitive Board topics such as deliberations surrounding nominations, member removals, departing Board member status, or other areas that need to have a bit more anonymity to them. By default, no Board notes are allowed in an Executive Session. If notes are needed, Board participants must agree before starting the conversations. No attribution as to who said what or held a specific point of view is allowed outside the Executive Session. A Board member can call for an Executive Session for any reason they deem appropriate. If called during a scheduled Board meeting, non-Board members are required to immediately disconnect from the call or virtual meeting or leave the room if sharing with an official Board member. Failure to do so will result in a permanent ban from future Board meetings. Board members can also request an Executive session be scheduled by the Secretariat to be run by the Secretariat’s Board representative.
Working groups (WGs) are established and overseen by the Board. They are advisory in nature and intended to effectively address specific areas or issues of interest to the program. They are forums better suited for the detailed work necessary to achieve the objectives of the CVE Program. All WGs must have documented objectives and outcomes defined in their charter.
Any Board member may recommend a new WG, and establishment of a WG requires an approval vote of the full Board. The WG charter indicates the participation model. If the charter does not restrict participation, then the WG is considered open to participation from the public at large. WGs should use Secretariat-supplied email facilities.
WG progress must be reported back to the Board on an ad hoc, Board requested, or routine basis, either through the Board meetings, or through the Board email lists, as appropriate. Activities coming out of the WGs should be an extension of the Board activities. The WGs need Board approval before making changes or decisions that can either adversely or favorably affect CVE. The WG should notify the appropriate Board email list (public or private) whenever the WG requires this kind of change or decision.
The WGs need to keep the Board apprised of what they are doing and decisions they are making. The WGs need to provide a report-out to the Board list, ensuring any WG decisions made are clearly identified as “recommendations” to the Board. The Board then has an opportunity, for a time frame specified in the report-out, to review the recommendations. If Board members have issues or questions, they are expected to ask for clarification and have the discussions needed to come to a consensus. In many cases, there may be no need for clarification or discussions. If no Board members respond within the specified time frame, acceptance of the change, decision, or the recommendation(s) is considered approved. Silence begets acceptance.
When the purpose of a WG no longer exists, whether because it achieved its objectives or demonstrated that it cannot, it is either disbanded or paused. This is the case because CVE Program stakeholders are primarily volunteers, whose time is best spent working towards objectives that can realistically be achieved over a time frame.
Disbanding a WG is a permanent decision that is made by the Board.
Pausing a WG may be done because there are other activities that must be completed before a WG can reasonably be expected to accomplish its objectives. A pause is only initiated if, in the Board’s judgement, the WG cannot make progress toward objectives for at least six months until other activities are completed. The expectation is that the pause will end after the six-month time frame. If a WG is waiting on other activities to be completed and reasonably expects that to occur in fewer than six months, the WG chair(s) has the prerogative to adjust the WG meeting frequency until such related activities are complete.
All WGs have a chair(s). At any time, a WG chair may report to the Board, in writing, that the WG has served its useful purpose and is either no longer necessary or should temporarily discontinue work until other, related activities are completed. For WGs that have co-chairs, both must agree prior to reporting to the Board that the WG served its useful purpose and should be disbanded or paused. Should co-chairs disagree, the reasons for and against disbanding or pausing the WG shall be communicated in writing to the Board. The chair is encouraged to communicate with all members of the WG prior to reporting to the Board to best ensure there is not more that can be done by the WG to achieve its objectives. The chair(s) is encouraged to undertake a vote within the WG as to whether the WG should be disbanded or paused. This facilitates better understanding by the chair(s) and the Board as to how strongly WG participants agree with the judgement that the WG be disbanded or paused. Should a pause be recommended, the chair(s) will identify in writing the related activities that must be completed prior to the resumption of the WG.
The Board may at any time disband or pause a WG, for any reason, by majority vote of the Board. The Board will not conduct such a vote prior to discussing the reasons for disbanding or pausing the WG with the WG chair(s), and individual WG members (if necessary). In all cases, the Board makes the final determination to disband, pause, or continue a WG. Any result will be communicated to the chair(s) of the WG in a manner that best serves the interests of the CVE Program.
Should a WG be disbanded, the Board may ask the WG to accomplish close-out activities to ensure knowledge capture within the program. Activities may include archiving WG work products and decisions, assigning related activities to other WGs, completing final tasking, and any other activity that maximizes the value of the WG to the CVE Program. The Board may ask the WG to undertake similar activities in the event of a pause. The Secretariat may assist the WG with close-out activities upon request of either the Board or WG chair(s).
A disbanded WG may be reconstituted by the Board at any time, should circumstances dictate that course of action. However, disbanding a WG is undertaken with the expectation that the WG is no longer necessary and will not be reconstituted in the future.
In the event there is a needed or desired exception to the existing Board Charter, a Board member may bring the request for the exception up to the Board and request the Board vote on the requested exception. The request can be made either on the Board’s private mailing list or on a Board Member call. The Secretariat then conducts a vote on the proposed exception. This vote is handled using the regular Board voting process. If the vote passes, the exception is allowed.
After the vote, the Board considers if the exception should be addressed and updated in the Board Charter. Not all exceptions need to be addressed in the Charter.
The Board reviews the Charter when a significant change or issue is identified. If the Board determines that a revision is necessary, the updated language is incorporated into a draft for review by the Board. Any change to the Charter requires a vote.
All email communications concerning CVE Board Charter changes occur on the private CVE Board list.
If a revision to the charter is called for, the following steps are taken:
- The Charter may go through several revision/review cycles, based on the complexity of modifications needed.
- When the revised Charter appears near final, the Secretariat issues a final call for edits/comments via email. The email includes the due date for final edits/comments (sent to the Secretariat).
- Final edits are incorporated.
- Several days prior to the tentative start date of the voting period, the Secretariat sends a message to the Board list that contains:
- A clean copy of the proposed Charter for the Board to review
- A notice indicating the clean copy is the proposed Charter update
- A request for Board members to respond via email indicating whether they believe the proposed update is ready to be voted on
- The tentative date the vote is proposed to begin and end
- If the Board members indicate further Charter updates are necessary and provide reasonable justification, another revision cycle begins. In this case, the Secretariat sends a message to the Board indicating such.
- If the majority of respondents believe the Charter is ready for a vote, the Secretariat sends a message to the Board list with the date the vote is scheduled to begin and end, and any special instructions, as needed.
- On the day the vote begins, the Secretariat resends the updated Charter to the Board list, along with any special instructions, and request to vote.
- Board members who vote against the Charter are expected to provide a reason(s) why they are doing so as a part of their vote. This allows other Board members to understand the reason and will assist in improving a future version of the Charter in the event it is voted down by the Board.
- The Secretariat posts the results of the vote to the Board list.
- If the Board votes down the new Charter, then it will be sent back to the Board for discussions and further revisions.
- If the vote indicates the Board’s acceptance, the new Charter will immediately take effect and the Secretariat will update the related CVE website pages to reflect the new Charter.