(→Reportable Vulnerability Disclosure Contents: Changed subsection title)
(Multiple edits)
| Line 11: | Line 11: | ||
A CA Operator MUST initially notify Mozilla about a Reportable Vulnerability as soon as possible and no later than 24 hours of internal identification or notification by an external party. | A CA Operator MUST initially notify Mozilla about a Reportable Vulnerability as soon as possible and no later than 24 hours of internal identification or notification by an external party. | ||
Please be sure to read all material provided below for guidance in assessing and reporting serious vulnerabilities and security incidents | Please be sure to read all material provided below for guidance in assessing and reporting serious vulnerabilities and security incidents in Bugzilla. | ||
=== How to Disclose a Reportable Vulnerability === | === How to Disclose a Reportable Vulnerability === | ||
The requirement to disclose a Reportable Vulnerability is separate and in addition to the requirement to provide a [https://www.ccadb.org/cas/incident-report public-facing Incident Report], as required by section 2.4 of Mozilla’s Root Store Policy. | The requirement to disclose a Reportable Vulnerability is separate and in addition to the requirement to provide a [https://www.ccadb.org/cas/incident-report public-facing Incident Report] for non-compliances, as required by section 2.4 of Mozilla’s Root Store Policy. | ||
Reportable Vulnerabilities (serious vulnerabilities and security incidents) must be reported in Bugzilla: | Reportable Vulnerabilities (serious vulnerabilities and security incidents) must be reported in Bugzilla: | ||
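Review bot: in the right-hand column of the "Please be sure to read all material provided below" line, the added phrase "in Bugzilla" attaches to "security incidents" rather than to "reporting", so it reads as if the incidents happened in Bugzilla; suggest "for guidance in assessing serious vulnerabilities and security incidents and reporting them in Bugzilla". The next line already states that Reportable Vulnerabilities must be reported in Bugzilla, so the addition is also partly redundant. On the unchanged first line, "no later than 24 hours of internal identification" would read more cleanly as "within 24 hours of internal identification or notification by an external party".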
| Line 98: | Line 98: | ||
# Root Cause(s) - Identify the root cause(s) or contributing factors that led to the vulnerability/incident and how they were not previously discovered. Note that the description of root cause(s) does not need to be duplicated here if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]. | # Root Cause(s) - Identify the root cause(s) or contributing factors that led to the vulnerability/incident and how they were not previously discovered. Note that the description of root cause(s) does not need to be duplicated here if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]. | ||
==== Severity / Impact Assessment ==== | ==== Severity/Impact Assessment ==== | ||
See '''"Determining Significance"''' above. | |||
Summarize the following: | Summarize the following: | ||
# the potential impact of the vulnerability/incident on the CA's operations, systems, certificate issuance, and the trustworthiness of certificates; | # the potential impact of the vulnerability/incident on the CA's operations, systems, certificate issuance, and the trustworthiness of certificates; | ||
# number and type(s) of certificates affected, if applicable; | # number and type(s) of certificates affected, if applicable; | ||
# the potential impact on | # the potential impact on subscribers, relying parties, and other stakeholders; and | ||
# the escalation potential. | # the escalation potential. | ||
==== Response and Mitigation ==== | ==== Response and Mitigation ==== | ||
# State recommended actions for Mozilla, such as adding a certificate to OneCRL, or distrusting a root certificate after a specified date. | # State recommended actions for Mozilla, such as adding a certificate to OneCRL, or distrusting a root certificate after a specified date. | ||
# Summarize the immediate actions taken to contain and mitigate the effects of the vulnerability/incident, including isolation of affected systems, removal of unauthorized access, application of patches, updates, or configuration changes, and restoration of services | # Summarize the immediate actions taken to contain and mitigate the effects of the vulnerability/incident, including isolation of affected systems, removal of unauthorized access, application of patches, updates, or configuration changes, and restoration of services. | ||
# Highlight any collaboration or assistance received from external parties, such as incident response teams, forensics, or law enforcement. | |||
# Detail any other action items being taken to mitigate the effects of the vulnerabilities/incident, including the type of action (e.g. patching, access control, training, etc.), the status of each action, and the date each action will be completed. | |||
==== CA Remediation Measures ==== | |||
The following information does not need to be duplicated in the Reportable Vulnerability bug if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]: | The following information does not need to be duplicated in the Reportable Vulnerability bug if it can be fully provided in the [https://www.ccadb.org/cas/incident-report public-facing Incident Report]: | ||
# Outline the remediation plan and summarize the actions to be taken to address the incident, root cause(s), or identified vulnerabilities, weaknesses, or gaps in security controls; | |||
# Specify the remediation action items that you are taking to resolve the current situation, to address the root cause(s), and to ensure that a similar incident will not occur in the future. Include a timeline for completing each remediation step, the type of action (e.g. governance review, enhanced alerting, training, documentation, etc.), its current status of implementation, and the date that each step will be completed; and | |||
# Provide details on any additional measures or enhancements implemented to improve the overall security posture of the CA. | |||
==== Contact Information ==== | |||
Provide contact information for the responsible individuals within the CA’s organization who can address any further inquiries or provide additional information related to the vulnerability/incident. | |||
== Markdown Template == | |||
<pre> | |||
## Vulnerabilty/Incident Disclosure Form | |||
### Concise Summary | |||
### Vulnerability/Incident Details | |||
#### Timeline | |||
All times are UTC. | |||
YYYY-MM-DD: | |||
- HH:MM Example | |||
- | |||
#### Type and Detailed Description | |||
Duration | |||
Identity of threat actors | |||
Nature of the compromise | |||
Specific systems, infrastructure, or processes affected | |||
#### Root Cause(s) | |||
### Severity/Impact Assessment | |||
#### Potential Impact on CA operations, systems, certificate trustworthiness | |||
#### Number and type(s) of certificates affected (if any) | |||
#### Potential impact on subscribers, relying parties, and others | |||
# Outline | #### Escalation Potential | ||
# | |||
# | ### Response and Mitigation | ||
#### Recommended Actions for Root Store(s) | |||
#### Immediate Actions Taken to Contain/Mitigate | |||
#### Collaboration with Forensics, CSIRTS, LEAs, etc. | |||
#### Mitigation Steps Being Taken | |||
| Action Item | Kind | Due Date | Status | | |||
| ----------- | ---- | -------- |-------- | | |||
| Example | Patching | 2024-01-19 | 50% complete | | |||
### Longer-Term Remediation Measures | |||
#### Outline/Summary of Remediation Plan | |||
#### Remediation Action Items | |||
| Action Item | Kind | Due Date | Status | | |||
| ----------- | ---- | -------- | -------- | | |||
| Example | Governance Review | 2024-01-19 | 50% complete | | |||
#### Additional Measures | |||
### Contact Information | |||
</pre> | |||
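Review bot: the template heading "## Vulnerabilty/Incident Disclosure Form" misspells "Vulnerability", and "CSIRTS" in the collaboration heading should be "CSIRTs". The left-hand column shows the pointer "See 'Determining Significance' above" being dropped from the Severity/Impact Assessment section; with it gone, nothing in that section tells the reporter how severity is to be judged, so consider keeping the cross-reference. The prose under Response and Mitigation asks for "recommended actions for Mozilla", while the template heading reads "Recommended Actions for Root Store(s)"; the two should use the same wording so the form and the instructions match. Finally, the trailing "and" at the end of the second CA Remediation Measures item reads as a list joiner, but the items are numbered with "#", so the semicolons and "and" can be dropped for consistency with the other numbered lists on the page.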