CA/Vulnerability Disclosure: Difference between revisions

(→How to Disclose a Reportable Vulnerability: Edits to sentence for consistency with MRSP 2.4.1)
m (→Types of Vulnerabilities/Incidents to be disclosed: Rephrased to Security Incidents based on comment received)
Line 33: Line 33:
=== Types of Vulnerabilities/Incidents to be disclosed ===
=== Types of Vulnerabilities/Incidents to be disclosed ===


Vulnerabilities/incidents that may “significantly impact the confidentiality, integrity, or availability” of a CA's internal systems, regardless of direct impact on certificate issuance, must be reported if they pose ongoing risk to the overall integrity and security of CA operations. This includes significant impact not just to issuing systems, but also to network and server security, internal software, and the availability and reliability of certificate status services, such as CRLs and OCSP.  The determination of “significance” is made by the CA Operator based on industry best practices and the guidance below, particularly that guidance found under the heading “Determining Significance”.
Vulnerabilities/incidents that may “significantly impact the confidentiality, integrity, or availability” of a CA's internal systems, regardless of direct impact on certificate issuance, must be reported if they pose ongoing risk to the overall integrity and security of CA operations. This includes significant impact not just to issuing systems, but also to network and server security, internal software, and the availability and reliability of certificate status services, such as CRLs and OCSP.  The determination of “significance” is made by the CA Operator based on industry best practices and the guidance below, particularly that guidance found under the heading “'''[[CA/Vulnerability_Disclosure#Determining_Significance|Determining Significance]]'''”.


'''Reportable Vulnerabilities include the following:'''
'''Security Incidents include the following:'''


* Successful unauthorized accesses, acquisitions, disclosures, or thefts of sensitive data or CA equipment involving the CA's systems, infrastructure, networks, applications, or sensitive information (private keys, user credentials, or personally identifiable information).  
* Successful unauthorized accesses, acquisitions, disclosures, or thefts of sensitive data or CA equipment involving the CA's systems, infrastructure, networks, applications, or sensitive information (private keys, user credentials, or personally identifiable information).  
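Review bot: the list heading is renamed from "Reportable Vulnerabilities include the following:" to "Security Incidents include the following:", but nothing else in the hunk follows the rename: the section title at Line 33 still reads "Types of Vulnerabilities/Incidents to be disclosed", the lead paragraph still says "Vulnerabilities/incidents ... must be reported", and the term "Security Incident" is never defined, so a reader cannot tell whether the list under the new heading is the same set of reportable events that the "significantly impact the confidentiality, integrity, or availability" test in the paragraph above selects. Suggest either keeping the old heading or adding one sentence to the lead paragraph that defines "Security Incident" as a vulnerability or incident meeting that test, and updating the section title and the "How to Disclose a Reportable Vulnerability" section (referenced in the other revision's summary) to use the same term. The first bullet is identical in both revisions, so the rename changes the label only, not the substance of what must be disclosed.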