On Saturday, November 23, 2019 at 3:28:10 PM UTC-8, Matt Palmer wrote:
> [aside: this is how incident reports should be done, IMHO]
>
> On Fri, Nov 22, 2019 at 07:23:27PM -0800, Apple CA via dev-security-policy wrote:
> > We did not have an accurate understanding of how the vulnerability scanner worked. Our understanding of its capabilities led us to believe it was scanning and detecting vulnerabilities in EJBCA.
>
> There's a reasonable chance that other CAs may have a similar situation, so I think it's worth digging deeper into the root causes here. Can you expand on how this misunderstanding regarding the vulnerability scanner came to pass? What was the information on which you were relying when you came to the understanding of the vulnerability scanner's capabilities? Were you misled by the vendor marketing or technical documentation, or was it an Apple-internal assessment that came to an inaccurate conclusion? Or "other"?
>
> - Matt
Thank you for your questions. Due to the Thanksgiving holiday in the US, we expect to reply to your questions as early as the week of 02 December.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy