Hi Ben,

Hypothetically, if a CVSS v3 9.8 Linux kernel zero-day is announced, and a CA is running that version of the kernel on a Certificate System, are they required to report it as a Security Vulnerability? I don't think that's the intent, but I only reach that conclusion because the examples provided omit this scenario. Adding this scenario to the examples would be a targeted improvement, but I think the root of my confusion is the use of the generic term Security Vulnerability when you mean something more specific. Assuming that I understand your intent, a more comprehensive fix would be to invent a term like "Exploitable Vulnerability", meaning a serious vulnerability that has been discovered in the CA's environment and that could be reasonably exploited by an attacker to create a security incident due to the lack of sufficient mitigations.
Thanks,
Wayne

On Wed, Sep 27, 2023 at 10:47 AM Ben Wilson <bwil...@mozilla.com> wrote:
> All,
> As mentioned in a previous email, I am soliciting feedback regarding the Vulnerability Disclosure wiki page <https://wiki.mozilla.org/CA/Vulnerability_Disclosure>. If you have any specific suggestions that we can use to enhance clarity or to make the page more complete, please don't hesitate to share them, either here or directly with me. Your feedback is instrumental in our commitment to maintain a safe and secure online environment.
> Thanks,
> Ben