All,

We have created a draft wiki page to explain vulnerability disclosure being
proposed for v. 2.9 of the MRSP.  See
https://wiki.mozilla.org/CA/Vulnerability_Disclosure.

We did not want to confuse this security vulnerability reporting process
with the existing Incident Reporting process (
https://www.ccadb.org/cas/incident-report).

So, the proposed language is as follows:

"Additionally, and not in lieu of the requirement to publicly report
incidents as outlined above, a CA Operator MUST disclose a serious
vulnerability or security incident in Bugzilla as a secure bug [link] in
accordance with guidance found on the Vulnerability Disclosure wiki page
[link to https://wiki.mozilla.org/CA/Vulnerability_Disclosure].";

Also, in the MRSP where we refer to or link to Security Incident bugs, we
have changed the language to refer to a Vulnerability Disclosure "filed as
a secure bug in Bugzilla".

Here is how those proposed changes appear in Github:
https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:pkipolicy:67bbeb820dc2dce3cb54b4d54b9326dc75e1d79d

Please review this proposed addition and the draft wiki page and let us
know of any comments or concerns.

Thanks,
Ben and Kathleen

On Wed, Jul 12, 2023 at 12:43 AM Roman Fischer <roman.fisc...@swisssign.com>
wrote:

> Dear Matt,
>
> The way towards something like full disclosure is a difficult one to walk.
> I was working in the airline industry for a couple of years and experienced
> firsthand what it means to establish and nurture a "no blame" culture that
> truly motivates people to talk about mistakes, drifts towards unsafe
> behaviour and such. It's a long process and all participants need to want
> to support it.
>
> I think that the current process of disclosing incidents publicly on
> Bugzilla does not help build a "full disclosure - no blame" culture. So
> CAs (and all the other participants in the ecosystem) will continue to try
> and limit the possible negative impact of what they have to disclose.
>
> From my point of view, it makes no big difference if the word
> "significant" is there or not. As long as the culture is "blame and shame",
> all participants will think more than twice before posting a Bugzilla.
>
> Kind regards
> Roman
>
> -----Original Message-----
> From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
> On Behalf Of Matt Palmer
> Sent: Wednesday, 12 July 2023 08:03
> To: dev-security-policy@mozilla.org
> Subject: Re: MRSP 2.9: Issues #252 and #266 - Incident Reporting
>
> On Tue, Jul 11, 2023 at 09:04:06AM -0600, Ben Wilson wrote:
> > effect, " 'Reportable Security Incident' means any security event,
> > breach, or compromise that has the potential to significantly impact
> > the confidentiality, integrity, or availability of CA infrastructure,
> > CA
>
> I'd suggest removing the word "significantly", because that's entirely
> open to interpretation, and history has shown that CAs aren't shy about
> interpreting things in a manner most favourable to their interests.  I
> don't see any real problem with requiring CAs to report *everything* with
> the potential to impact CIA of CA-related things, because even minor
> hiccups can become major, and they can also be a learning experience for
> everyone -- which is the same reason why most safety-critical industries
> require the reporting of near-misses, not just actual incidents.
>
> - Matt
>
> --
> You received this message because you are subscribed to the Google Groups "
> dev-security-policy@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dev-security-policy+unsubscr...@mozilla.org.
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZK5CExtS3j0cKC5t%40hezmatt.org
> .
>
