Casper Dik has left the CVE Editorial Board

Casper Dik has left the CVE Editorial Board

Joe Sain

Casper Dik of Oracle has left the Editorial Board. We are working with Oracle to determine whether they wish to nominate a candidate to assume Casper’s seat on the Board.

Casper joined the Board in April 2000 as a senior staff engineer at Sun Microsystems. He was instrumental in the early days of CVE in selecting candidates, exploring how software vendors could use CVE to benefit their customers and the CVE community, and helping to lay the groundwork for the growth and acceptance of CVE. He participated in many Board meetings and was an active participant in Board discussions.

Thank you, Casper, for your contributions over the years.

The CVE Team

question re: old orgs nominating a new person

jericho
Wait...

When did the precedent start that an existing org has the right to replace
someone like this? Wasn't the board elected on PERSONAL merit all these
years?

Just because a person/org has been on the board for sixteen years, doesn't
mean they provide any value.

To wit, I deeply respect Casper Dik, I always have. I corresponded with
him frequently over a decade ago regarding Sun vulnerabilities, am a fan
of his work, and know he has great insight into our industry. That said,
in sixteen years, he has posted to the board list *twice* (compared to
Landfield 68 times, Seifried 47 times, Scott 14 times... and two of them
have been on the board for under two years). For whatever reason, Casper
did not commit to the board and opt to provide his exceptional experience
and insight to this endeavor over all those years, and as an industry, we
are worse for it.

Oracle, as a company, does not embody the goals and mindset of a CNA at
all. They have explicitly *countered* many of the things we strive for,
primarily around vulnerability clarity in tracking and abstraction, and
continue to fight that to this day. As an organization, Oracle is not fit
to be a CNA, despite it being terribly convenient for MITRE.

Remove Casper from the picture, which you just did, and Oracle is no
different than any other random company that wishes to have a presence on
this board. In fact, they are actually LESS suited than a newcomer that
may be more open to the industry goals CVE is designed for.

If there is some policy about existing CNAs automagically getting a spot
on the board, please cite that public reference so I can kick myself for
not noticing and arguing it sooner.

.b



On Fri, 29 Apr 2016, Sain, Joe wrote:

: Casper Dik of Oracle has left the Editorial Board. We are working with Oracle to determine whether they wish to nominate a candidate to assume Casper's seat on the Board.
:
: Casper joined the Board in April 2000 as a senior staff engineer at Sun Microsystems. He was instrumental in the early days of CVE in selecting candidates, exploring how software vendors could use CVE to benefit their customers and the CVE community, and helping to lay the groundwork for the growth and acceptance of CVE. He participated in many Board meetings and was an active participant in Board discussions.
:
: Thank you, Casper, for your contributions over the years.
:
: The CVE Team
:
:

Re: question re: old orgs nominating a new person

Casper.Dik
>Wait...
>
>When did the precedent start that an existing org has the right to replace
>someone like this? Wasn't the board elected on PERSONAL merit all these
>years?
>
>Just because a person/org has been on the board for sixteen years, doesn't
>mean they provide any value.
>
>To wit, I deeply respect Casper Dik, I always have. I corresponded with
>him frequently over a decade ago regarding Sun vulnerabilities, am a fan
>of his work, and know he has great insight into our industry. That said,
>in sixteen years, he has posted to the board list *twice* (compared to
>Landfield 68 times, Seifried 47 times, Scott 14 times... and two of them
>have been on the board for under two years). For whatever reason, Casper
>did not commit to the board and opt to provide his exceptional experience
>and insight to this endeavor over all those years, and as an industry, we
>are worse for it.

The reason that I wanted to resign was because I didn't contribute; I
think I asked for this several years ago, IIRC, also because my role at Oracle
is not, and hasn't been for quite some time, the proper role for a CVE board
member.

>Oracle, as a company, does not embody the goals and mindset of a CNA at
>all. They have explicitly *countered* many of the things we strive for,
>primarily around vulnerability clarity in tracking and abstraction, and
>continue to fight that to this day. As an organization, Oracle is not fit
>to be a CNA, despite it being terribly convenient for MITRE.

>Remove Casper from the picture, which you just did, and Oracle is no
>different than any other random company that wishes to have a presence on
>this board. In fact, they are actually LESS suited than a newcomer that
>may be more open to the industry goals CVE is designed for.
>
>If there is some policy about existing CNAs automagically getting a spot
>on the board, please cite that public reference so I can kick myself for
>not noticing and arguing it sooner.

Joe told me that the CVE board would like to keep a company as large as
Oracle on board; so I looked around and found some people who work better
as CVE members but I only did that because I was asked to do so.

It is also clear that Sun Microsystems had quite a different policy for
communicating about security problems; Oracle does not allow any such
discussions or communication such as "this problem does not affect
Solaris".

However, this is only a small part of my job and the takeover was by and
large a positive effect for our organization so I did not feel I should
leave Oracle.

We can hope that the people in charge at Oracle see the light.  There are
a lot of smart people at Oracle; politics, however, can't be changed by
being smart.

Casper