On 10/02/2017 05:42, Ryan Sleevi wrote:
> On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> Additional issue #2: The information at https://pki.goog/ about how to report misissuance directs visitors to a generic reporting page for code vulnerabilities, which (by their nature) tends to require reaction times measured in days/weeks rather than the 1 day maximum specified in Google's CPS.
>
> (To be clear, I am responding only as an individual, neither as Mozilla peer or Google employee, although I recognize you will likely disregard my remarks regardless.)
>
> In the past, such comments have generally been seen as offtopic/accusatory, because they are inherently absent of evidence of any malfeasance. Indeed, your very comment seems to suggest that Google is not adhering to its CP/CPS, but without evidence, and such implication comes not based on any action that Google has taken, but based on your view of what 'others' do or the 'class' of bugs.
>
> I highlight this because we (the community) see the occasional remark like this; most commonly, it's directed at organizations in particular countries, on the basis that we shouldn't trust "them" because they're in one of "those countries". However, the Mozilla policy is structured to provide objective criteria and assessments of that.
>
> In this case, I do not believe you are being accurate or fair to present it as an "issue"; you are implying that Google will not adhere to its CP/CPS, but without evidence. The nature of incident reporting via this method may indeed be risky, but it's neither forbidden nor intrinsically wrong. If you look at many members in the Mozilla program, you will see far less specificity as to a problem report and the acceptable means of reporting this.
For clarity, I was pointing out that GTS seems to have chosen a method likely to fail if and when actually needed, due to the typical dynamics of large human organizations. Presumably an organization of such magnitude is likely to have contact points more dedicated to time-sensitive action-required messages than the contact point they chose.
> So while it's useful for you to draw attention to this, it's without evidence or basis for you to suggest that this is an "issue", per se - that is, it seemingly in no way conflicts with Mozilla policy or industry practice.
I find that it is an issue, but not an absolute cause for rejection.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy