Dear Wayne,

Your suggestion is almost exactly what was discussed in the Swiss parliament a few weeks ago. There was a discussion about whether operators of Swiss Critical Infrastructure should be required by law to report -exploitable vulnerabilities- (in that discussion, even zero-day vulnerabilities that the operator became aware of were included) within a short time after discovery to our national cyber security agency. In the end, parliament decided NOT to go that way, because the danger that disclosing such high-risk information would increase the risk of malicious actors being able to exploit it would outweigh the benefit of disclosure.
If we definitely want -vulnerabilities- to be disclosed, then I would strongly suggest allowing disclosure -after- the vulnerability has been fixed.

Kind regards
Roman

From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> On Behalf Of Wayne Thayer
Sent: Thursday, 28 September 2023 18:49
To: dev-secur...@mozilla.org <dev-security-policy@mozilla.org>
Subject: Re: Improvements to Vulnerability Disclosure wiki page

Hi Ben,

Hypothetically, if a CVSS v3 9.8 Linux kernel zero-day is announced, and a CA is running that version of the kernel on a Certificate System, are they required to report it as a Security Vulnerability? I don't think that's the intent, but I only reach that conclusion because the examples provided omit this scenario. Adding this scenario to the examples would be a targeted improvement, but I think the root of my confusion is the use of the generic term Security Vulnerability when you mean something more specific. Assuming that I understand your intent, a more comprehensive fix would be to invent a term like "Exploitable Vulnerability", meaning a serious vulnerability that has been discovered in the CA's environment and that could be reasonably exploited by an attacker to create a security incident due to the lack of sufficient mitigations.

Thanks,
Wayne

On Wed, Sep 27, 2023 at 10:47 AM Ben Wilson <bwil...@mozilla.com> wrote:

All,

As mentioned in a previous email, I am soliciting feedback regarding the Vulnerability Disclosure wiki page <https://wiki.mozilla.org/CA/Vulnerability_Disclosure>. If you have any specific suggestions that we can use to enhance clarity or to make the page more complete, please don't hesitate to share them, either here or directly with me. Your feedback is instrumental in our commitment to maintain a safe and secure online environment.
Thanks,
Ben

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabWhCfgKCOiH75pgtw1AQcNaKWjq%3Dq832p-pQbp5KrfyQ%40mail.gmail.com.