CA/Vulnerability Disclosure: Difference between revisions

m (→‎Purpose: Minor edits to last sentence in this section)
Line 7: Line 7:
* Security-sensitive information that needs to be shared with Mozilla.
* Security-sensitive information that needs to be shared with Mozilla.


Generally, a Security Vulnerability is a potential weak point that could lead to a security incident if exploited by an attacker, while a Security Incident is any event, breach, or occurrence that poses a threat to the confidentiality, integrity, or availability of a CA Operator’s information assets or computer systems. '''A Reportable Vulnerability is ''either'' a vulnerability ''or'' a security incident that has the potential of having a serious adverse effect on the trustworthiness of certificates.''' (Not every vulnerability or cybersecurity incident within a large organization's unrelated business departments needs to be reported. However, CA Operators still need to account for the risk that advanced persistent threats and lateral movements by attackers within the CA Operator's broader infrastructure might affect CA operations.)  
Generally, a Security Vulnerability is a potential weak point that could lead to a security incident if exploited by an attacker, while a Security Incident is any event, breach, or occurrence that poses a threat to the confidentiality, integrity, or availability of a CA Operator’s information assets or computer systems. '''A Reportable Vulnerability is ''either'' a security vulnerability ''or'' a security incident that has the potential of having a serious adverse effect on the trustworthiness of certificates.''' (Not every vulnerability or cybersecurity incident within a large organization's unrelated business departments needs to be reported. However, CA Operators still need to account for the risk that advanced persistent threats and lateral movements by attackers within the CA Operator's broader infrastructure might affect CA operations.)  


A CA Operator MUST initially notify Mozilla about a Reportable Vulnerability as soon as possible and no later than 24 hours of internal identification or notification by an external party.  
A CA Operator MUST initially notify Mozilla about a Reportable Vulnerability as soon as possible and no later than 24 hours of internal identification or notification by an external party.  


Additional guidance about Reportable Vulnerabilities is provided below.
Please be sure to read all material provided below to guide you in assessing and reporting a serious vulnerability or security incident.


=== How to Disclose a Reportable Vulnerability ===
=== How to Disclose a Reportable Vulnerability ===
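Review bot: the rewritten closing sentence of the Purpose section drops the defined term. The same edit tightens the definition to "a security vulnerability or a security incident" to match the "Security Vulnerability" and "Security Incident" terms introduced at the start of that paragraph, but the new last sentence then refers to "a serious vulnerability or security incident" in lower case, which reads as a third, undefined notion rather than the Reportable Vulnerability the paragraph just defined and the 24-hour notification requirement applies to. Suggest: "Please be sure to read all material provided below to guide you in assessing and reporting a Reportable Vulnerability." so the assessment guidance and the reporting obligation refer to the same defined term.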