CA/Vulnerability Disclosure: Difference between revisions

m (→How to Disclose a Reportable Vulnerability: Added paragraph re: confidentiality)
 
Line 33: Line 33:
[[File:CA-Security-Bug.png|300px]]
[[File:CA-Security-Bug.png|300px]]


Don't check the Security box that says, "Many users could be harmed by this security problem: ...." That checkbox is for a different security review process.
Don't check the other Security boxes, as they are for different security review processes.


All CA security disclosures will be treated with strict confidentiality. The information provided will remain private and secure throughout the investigation and resolution process. Once the incident is resolved, a new, separate, and public bug report should be created by the CA operator. Such public report shall contain only sanitized information that has been reviewed and approved by the CA operator to ensure that no confidential details are disclosed. But make sure that you report security incidents to other root stores as well. Note that Mozilla may share information with other root store representatives and add them to the cc: list with access to review and comment on such disclosures made in Bugzilla. (People cc:'ed in the bug have access to view the bug, so review the cc: list to ensure that no unintended people are in that list.)
All CA security disclosures will be treated with strict confidentiality. The information provided will remain private and secure throughout the investigation and resolution process. Once the incident is resolved, a new, separate, and public bug report should be created by the CA operator. Such public report shall contain only sanitized information that has been reviewed and approved by the CA operator to ensure that no confidential details are disclosed. But make sure that you report security incidents to other root stores as well. Note that Mozilla may share information with other root store representatives and add them to the cc: list with access to review and comment on such disclosures made in Bugzilla. (People cc:'ed in the bug have access to view the bug, so review the cc: list to ensure that no unintended people are in that list.)
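Review bot: the rewritten line "Don't check the other Security boxes, as they are for different security review processes." drops the quoted checkbox label ("Many users could be harmed by this security problem: ....") that the previous wording gave, and that quote is the one cue a CA reporter filing in Bugzilla has for recognising which box is meant; consider keeping it as an example, e.g. 'Don't check the other Security boxes (such as the one that says "Many users could be harmed by this security problem: ...."), as they are for different security review processes.' In the confidentiality paragraph, "But make sure that you report security incidents to other root stores as well." reads as a contrast with the sanitized public report it follows, when it is an additional obligation; "Also make sure" or "Separately, make sure" would state that more clearly.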