CDR Updates and future plans to make the repository public

[cmullaly-mitre]

All:

Thank you for your patience as we continue to build CDR. After about 6 months on GitHub, we believe that we are close to the end of primary development, and now we are focusing more on processing submissions.

We are now accepting requests to join the repository; anybody interested can email [email protected].

Why CDR is not public yet

In #58, we were asked about why we have not yet made CDR fully public. This is because:

(1) We want to better clarify expectations for participants to minimize disruption and confusion. For example: as some people may have witnessed back in February, a CDR participant made a series of comments on multiple submissions that included: violation of code of conduct; asking other submitters to make changes that would lower the quality of submissions; deleting comments, thus hurting transparency; etc. The February incident made us realize that CDR is not yet ready for a larger influx of people who might be intentionally or inadvertently disruptive.

(2) We want to ensure fairness for all participants - especially submitters - so that individuals with a high rate of activity and/or disruptive behaviors do not adversely affect our ability to support others in CDR. We plan to develop a Fairness Policy and will share it with CDR participants once it is ready. We will also update our Code of Conduct and related documents to identify criteria for when to prevent individuals from CDR participation (e.g. for repeated trolling or CoC violations) or to reduce our priorities. If anybody has insights or can point us to other projects that manage these kinds of issues, please let us know.

(3) We want to better explain the expected process so that it is less confusing to participants. CDR's stages and phases (https://github.com/CWE-CAPEC/CWE-Content-Development-Repository/blob/main/documentation/submission-phases.md) have been laid out but still need some simplification.

(4) We want to further beta-test the CDR process throughout the entire submission lifecycle. Many parts of the process have not been fully exercised and need further development, such as: (a) how to handle when a submitter no longer wants to participate; (b) handling cases that would involve multiple submissions and a variety of participants (as is happening with prompt injection #58 #29); and (c) better reporting and tracking.

(5) There are many other improvements that we could make that are not blockers for making CDR public but will still be useful - such as helping people write better submissions or clarifying quality criteria, or further automating our work.

When to make CDR public

We believe that for now, the current request for GitHub usernames for the private repository is not a significant barrier. If somebody is sincerely interested in supporting CWE content development within CDR, then we assume that they are willing to put in the work to email us with their GitHub username.

We want CDR participation to significantly impact CWE 4.15, which is planned for release in June or July this year. To that end, we will be focused heavily on moving submissions through the full process. This will also help us identify and iron out any significant process gaps that remain.

Ideally, we would be able to fully open CDR at the same time.

Please let us know your thoughts in the comments below.

Thank you!

The CWE Team

[kurtseifried]

First a clarifying question:

(1) We want to better clarify expectations for participants to minimize disruption and confusion. For example: as some people may have witnessed back in February, a CDR participant made a series of comments on multiple submissions that included: violation of code of conduct; asking other submitters to make changes that would lower the quality of submissions; deleting comments, thus hurting transparency; etc. The February incident made us realize that CDR is not yet ready for a larger influx of people who might be intentionally or inadvertently disruptive.

Is this referring to me?

[cmullaly-mitre]

It is not necessary to mention the participant by name. Traces of that person's actions are in various responses to deleted comments. Our point is that any participant, present or future, should be following expected processes, but we also need to make our processes more robust in the cases of disruptive or confusing behavior that adversely affects other CDR participants.