Confirmed users
569
edits
CA/Vulnerability Disclosure: Difference between revisions
Jump to navigation
Jump to search
Added hyperlinks
(Original text w/o hyperlinks (first save)) |
(Added hyperlinks) |
||
| Line 15: | Line 15: | ||
=== How to Disclose a Reportable Vulnerability === | === How to Disclose a Reportable Vulnerability === | ||
The requirement to disclose a Reportable Vulnerability is separate and in addition to the requirement to provide a | The requirement to disclose a Reportable Vulnerability is separate and in addition to the requirement to provide a [https://www.ccadb.org/cas/incident-report public-facing Incident Report], as required by section 2.4 of Mozilla’s Root Store Policy. | ||
Reportable Vulnerabilities should be reported in Bugzilla: | Reportable Vulnerabilities should be reported in Bugzilla: | ||
| Line 26: | Line 26: | ||
Product: CA Program | Product: CA Program | ||
Component: CA Security Vulnerability | Component: CA Security Vulnerability | ||
| Line 63: | Line 64: | ||
* Ongoing remediation | * Ongoing remediation | ||
For additional guidance, see sources such as ENISA, CIS Security, CERT.EU, NIST, CISA.gov and ISO/IEC 27035-1:2023. | For additional guidance, see sources such as [https://www.enisa.europa.eu/topics/incident-response ENISA], [https://www.cisecurity.org/controls/incident-response-management CIS Security], [https://cert.europa.eu/ CERT.EU], [https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf NIST], [https://www.cisa.gov/topics/cybersecurity-best-practices/organizations-and-cyber-safety/cybersecurity-incident-response CISA.gov] and [https://www.iso.org/standard/78973.html ISO/IEC 27035-1:2023]. | ||
=== Determining Significance === | === Determining Significance === | ||
| Line 79: | Line 80: | ||
* escalation potential (assess the likelihood of further escalation, such as through the exploitation of additional vulnerabilities, lateral movement within the network, or the compromise of more critical systems or data). | * escalation potential (assess the likelihood of further escalation, such as through the exploitation of additional vulnerabilities, lateral movement within the network, or the compromise of more critical systems or data). | ||
Additional guidance can also be found in various publications from ENISA, NIST, the Canadian Centre for Cybersecurity, and academia. | Additional guidance can also be found in various publications from [https://www.enisa.europa.eu/publications/article19-incident-reporting-framework ENISA], [https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8286D.pdf NIST], [https://www.cyber.gc.ca/en/guidance/introduction-cyber-threat-environment the Canadian Centre for Cybersecurity], and [https://academic.oup.com/cybersecurity/article/9/1/tyad009/7160387 academia]. | ||
=== Reportable Vulnerability Disclosure Contents === | === Reportable Vulnerability Disclosure Contents === | ||
| Line 91: | Line 92: | ||
# Timeline - A date-and-time-stamped sequence of all relevant events, including events before the vulnerability/incident became known, such as when something changed or was introduced, the initial compromise, lateral movement (if applicable), and actions taken by the CA during and after the discovery of the vulnerability/incident. | # Timeline - A date-and-time-stamped sequence of all relevant events, including events before the vulnerability/incident became known, such as when something changed or was introduced, the initial compromise, lateral movement (if applicable), and actions taken by the CA during and after the discovery of the vulnerability/incident. | ||
# Type and Detailed Description, including the duration of the vulnerability/incident, identity of threat actors, nature of the compromise, and the specific systems, infrastructure, or processes affected. | # Type and Detailed Description, including the duration of the vulnerability/incident, identity of threat actors, nature of the compromise, and the specific systems, infrastructure, or processes affected. | ||
# Root Cause(s) - Identify the root cause(s) or contributing factors that led to the vulnerability/incident and how they were not previously discovered. Note that the description of root cause(s) does not need to be duplicated here if it can be fully provided in the public-facing Incident Report. | # Root Cause(s) - Identify the root cause(s) or contributing factors that led to the vulnerability/incident and how they were not previously discovered. Note that the description of root cause(s) does not need to be duplicated here if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]. | ||
==== 3. Severity / Impact Assessment ==== | ==== 3. Severity / Impact Assessment ==== | ||
| Line 104: | Line 105: | ||
# Summarize the immediate actions taken to contain and mitigate the effects of the vulnerability/incident, including isolation of affected systems, removal of unauthorized access, application of patches, updates, or configuration changes, and restoration of services; | # Summarize the immediate actions taken to contain and mitigate the effects of the vulnerability/incident, including isolation of affected systems, removal of unauthorized access, application of patches, updates, or configuration changes, and restoration of services; | ||
The following information does not need to be duplicated in the Reportable Vulnerability bug if it can be fully provided in the public-facing Incident Report: | The following information does not need to be duplicated in the Reportable Vulnerability bug if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]: | ||
# Summarize the steps taken to address the root cause(s) and to strengthen security controls to prevent a similar vulnerability/incident in the future; | # Summarize the steps taken to address the root cause(s) and to strengthen security controls to prevent a similar vulnerability/incident in the future; | ||
| Line 111: | Line 112: | ||
==== 5. CA Remediation Measures ==== | ==== 5. CA Remediation Measures ==== | ||
The following information does not need to be duplicated in the Reportable Vulnerability bug if it can be fully provided in the public-facing Incident Report: | The following information does not need to be duplicated in the Reportable Vulnerability bug if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]: | ||
# Outline the remediation plan and actions taken to address the incident or identified vulnerabilities, weaknesses, or gaps in security controls; | # Outline the remediation plan and actions taken to address the incident or identified vulnerabilities, weaknesses, or gaps in security controls; | ||
# Specify the remediation steps you are taking to resolve the situation and ensure that a similar incident will not occur in the future. Include a timeline for completing each remediation step, its current status of implementation, and the date that each step will be completed; and | # Specify the remediation steps you are taking to resolve the situation and ensure that a similar incident will not occur in the future. Include a timeline for completing each remediation step, its current status of implementation, and the date that each step will be completed; and | ||