(→Markdown Template: Clarified contact information) |
(→How to Disclose a Reportable Vulnerability: Added paragraph re: confidentiality) |
||
| Line 33: | Line 33: | ||
[[File:CA-Security-Bug.png|300px]] | [[File:CA-Security-Bug.png|300px]] | ||
Don't check the Security box that says, "Many users could be harmed by this security problem: ...." That checkbox is for a different security review process. | |||
All CA security disclosures will be treated with strict confidentiality. The information provided will remain private and secure throughout the investigation and resolution process. Once the incident is resolved, a new, separate, and public bug report should be created by the CA operator. Such public report shall contain only sanitized information that has been reviewed and approved by the CA operator to ensure that no confidential details are disclosed. But make sure that you report security incidents to other root stores as well. Note that Mozilla may share information with other root store representatives and add them to the cc: list with access to review and comment on such disclosures made in Bugzilla. (People cc:'ed in the bug have access to view the bug, so review the cc: list to ensure that no unintended people are in that list.) | |||
=== Types of Vulnerabilities/Incidents to be disclosed === | === Types of Vulnerabilities/Incidents to be disclosed === | ||
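Review bot: In the added confidentiality paragraph, the opening promise of "strict confidentiality" conflicts with the later sentences, which say Mozilla may share information with other root store representatives and that everyone on the cc: list can view the bug. Reword the first sentence so it states who has access instead of implying no sharing. The sentence "But make sure that you report security incidents to other root stores as well" does not contrast with anything before it, so drop the "But" and say who "you" refers to. The paragraph also mixes "should be created" with "shall contain" for the public report; use one normative level for both.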