On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote:
> On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> > I'm after the specifics of the changes to WoSign's policies and procedures
> > regarding *notification*, not quality control. What were WoSign's previous
> > policies and procedures regarding notification (obviously there was
> > something in place, since Google was notified), and what changes have been
> > made to improve those policies to ensure that all root programs are notified
> > in line with each program's requirements in the future?
>
> Clarification: In none of these incidents was Google notified proactively
> by WoSign. Instead, Google received communication from internal or
> external researchers regarding these issues, either prior to resolution or
> much later after the fact, and subsequently contacted WoSign regarding
> them.

Oh, wow. I totally misread the initial report. That's almost certainly much
*worse*, then, because it's not simply a matter of some adjustments to an
existing process to improve it, but likely the development and deployment of
an entirely new process.

- Matt

--
The main advantages of Haynes and Chilton manuals are that they cost $15,
where the factory manuals cost $100 and up, and that they will tell you how
to use two hammers, a block of wood, and a meerkat to replace "special tool
no. 2-112-A"
		-- Matt Roberds in asr.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy