> -----Original Message-----
> From: Ryan Sleevi
> Sent: 21 October 2016 16:06
>
> As pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1311713 , it
> does seem like there's a rather large gap here between notification and report
> - from 23 Sept to Oct 19.
>
> While it's entirely reasonable that Comodo wanted to ensure that, before
> disclosing any incident, that systems were properly protected - and, indeed,
> it's fairly typical in other disclosure circles to ensure vendors have time to
> remediate - could you explain a bit more about how that time was spent?
> _______________________________________________
Hi Ryan,

The security researchers contacted us on 23rd September and intimated that they had a disclosure to make. There were some negotiations over the terms on which the information would be shared and released, and we obtained the report from them on the 28th September. We stopped using the OCR system on 28th September.

On 4th October we received a draft article from the security researchers which they were planning to send to heise.de. On 15th October we had the first complete draft of our own report, and it was approved and published on 19th October.

I apologize for the tardy production and release of our report. Referring to the release of our report rather than our internal response to the report we received, there were too many fingers in this particular pie and that made for a slow release of information.

Regards
Robin Alden
Comodo
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy