Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cveproject/quality-workgroup
https://github.com/cveproject/quality-workgroup
Last synced: about 1 month ago
JSON representation
- Host: GitHub
- URL: https://github.com/cveproject/quality-workgroup
- Owner: CVEProject
- Created: 2021-05-27T20:12:53.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-02-01T23:11:57.000Z (11 months ago)
- Last Synced: 2024-03-27T12:29:35.264Z (9 months ago)
- Language: HTML
- Size: 1.55 MB
- Stars: 5
- Watchers: 7
- Forks: 16
- Open Issues: 7
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Common Vulnerabilities and Exposures (CVE)
## Quality Working Group Charter
Version 1.0
(This version of the CVE QWG Charter was approved and effective *TBD*)
### 1. CVE Quality Working Group Overview
The CVE Quality Working Group (QWG) was established by the CVE Board for the purpose of enhancing the quality of CVE submissions to the CVE Program. The QWG was to provide a needed forum for CVE Quality to occur as needed. The QWG activities and discussions are focused on improving the CVE data quality while providing directional recommendations to the Board on enhancements to data formats, data submission issues, and general quality improvements for the CVE Program.
### 2. Working Group Membership
Any active, CVE authorized program member may participate on the QWG. This includes [Board members](https://cve.mitre.org/community/board/index.html), [CVE Numbering Authority (CNA)](https://cve.mitre.org/cve/cna.html) representatives, Authorized Data Publishers (ADP), and participants from the Secretariat’s organization.
There is no limit to the number of representatives a given CNA may have as members of the working group. The QWG is not open to participation from the public at large. On a case by case basis, the QWG can decide through consensus to allow a non-CVE program member to participate in the QWG. Their membership will be reviewed annually.### 3. Working Group Materials
QWG members shall have access to live and recorded meetings and other material generated by the QWG. Any materials supplied to or generated by the QWG are to be treated as [TLP: Amber](https://www.first.org/tlp/) materials (unless otherwise explicitly noted in those materials). Violating this trust is grounds for removal from the QWG.
### 4. Working Group Discussions
All discussions during meetings or via the QWG mailing list or other channels shall be subject to the [Chatham House Rule](https://en.wikipedia.org/wiki/Chatham_House_Rule#The_rule), with an exception when coordinating with other CVE sanctioned WGs and when communicating with members of the CVE Board.
### 5. Size of the QWG
There is no cap on the number of members an organization may have on the QWG, though this practice may be revisited if the size or membership mix increases to the point that it negatively impacts the ability of the QWG to make decisions or take action. With a recommendation from the QWG Chair(s), it is up to the Board and the Secretariat to determine when actions need to be taken to resize or restructure the QWG.
### 6. Professional Code of Conduct Guidance
Members of the QWG must agree to abide by the professional conduct guidance as described in the [CVE Program’s Professional Code of Conduct](https://cve.mitre.org/about/professional_code_of_conduct.html).
Complaints regarding inappropriate behavior are welcomed by QWG Chair(s) or another member of the CVE Board.### 7. Change in Member’s Affiliation
If a QWG member has a change in organizational affiliation that renders the member unable to meet the QWG membership qualifications, that member must notify the Secretariat of the change. Once known, the Secretariat will remove the unqualified member from the QWG mailing list and the departing member’s access to other CVE QWG resources (i.e., SharePoint).
### 8. Removing QWG Members
QWG members will be considered for removal if:
1. The QWG member asks to be removed.
2. A current QWG member nominates the person or organization for forced removal. Forced removal may be based on lack of collegiality or professional conduct or failure to follow conventions as established in this Charter.
Once the removal process is approved, the Secretariat will remove the identified member from the QWG mailing list and the departing member’s access to other CVE QWG resources (i.e., SharePoint).### 9. Consensus Determination
It should be understood that the development of rough consensus is extremely important in a strategic forum developing recommendations for the Board to act on. It is the responsibility of the QWG Chair(s) to facilitate the consensus process. Consensus in this case is defined by “the lack of sustained disagreement” on the issue being discussed.
Once consensus has been called by the Chair(s), the recommendations of the QWG will be submitted to the CVE Board in written form, indicating the result of the consensus and describing any difficult issues where consensus was difficult to achieve [1].
While most times consensus can be accurately determined on a working group call, there may be cases where consensus is split. In such a case, both points of view will be documented in the above and the CVE Board will make the final determination, by vote if necessary.
### 10. Working Group Meetings
QWG meetings are held routinely as required. The Secretariat, in conjunction with the QWG Chair(s), will establish the agenda for each meeting. QWG members are free to raise subjects during meetings that are not on the agenda for that particular meeting. The agenda, and any appropriate supporting documents, will be provided to the members prior to each meeting and should be reviewed in advance. Actions items carried over or identified during the previous meeting should be included in the agenda sent to QWG members.
### 11. Working Group Progress
QWG progress must be reported back to the Board on an ad hoc, Board requested, or routine basis-either through the Board meetings, or through the Board email lists, as appropriate. Activities coming out of the QWG are an extension of the Board activities. The QWG needs Board approval before making changes or decisions that can either adversely or favorably affect CVE. The QWG should notify the appropriate Board email list (public or private) whenever the WG requires this kind of change or decision.
The QWG will keep the Board apprised of what is occurring and decisions being made. The QWG will provide a periodic report-out to the Board list, ensuring any QWG decisions made are clearly identified as “recommendations” to the Board. All recommendations made need to include a consensus statement indicating the level of agreement of the QWG members, such as unanimous, majority or voted on with results included. The Board will then have an opportunity, for a timeframe specified in the report-out, to review the recommendations. If Board members have issues or questions, they are expected to ask for clarification and have the discussions needed to come to a consensus. In many cases, there may be no need for clarification or discussions. If no Board members respond within the specified timeframe, acceptance of the change, decision, or the recommendation(s) is considered approved. Silence begets acceptance.
### 12. QWG Charter Review
The QWG will review the Charter when a significant change or issue is identified. If it is determined a revision is necessary, the updated language will be incorporated into a draft for review by the QWG membership. **Any change to the Charter requires a voice vote on a regularly scheduled QWG call. Notice of the vote must be given two weeks in advance of the call to ensure that interested QWG members know to attend the vote**.
#### 12.1. Steps for Charter Review and Update
If a revision to the charter is called for, the following steps should be taken:
1. The QWG Charter document goes through a set of revisions. The number of revision cycles vary, based on the complexity of modifications needed.
2. When the edits received have been incorporated, and the proposed Charter appears near-final, the Secretariat will issue a final call for edits via email. The email will include a date by which the final edits need to be received by the Secretariat.
3. Once the final edits received are incorporated, a message is sent to the QWG mailing list detailing the specifics as to when the QWG will meet and the voice vote will occur.
4. The Secretariat will post the results of the vote to the Board and the QWG list.
5. If the new Charter updates are voted down, then it will be sent back to the QWG for discussions and further revisions.
6. If the vote indicates acceptance, the new Charter will immediately take effect and the Secretariat will update the CVE related resources to reflect the new QWG Charter.---
[1]: "The IETF RFC 7282 (https://tools.ietf.org/html/rfc7282) provides a good resource on how to conduct a useful consensus process. While the use of humming will not be a useful tool for the virtual nature of the QWG meetings, the other guidance in this RFC applies well to this scenario."