Hi Steve, Quick follow-up.
1) Your audit reports failed to identify what steps Symantec was taking to proactively resolve these issues. As further demonstrated by Issue Q, Symantec failed to remedy these issues. a) What steps, if any, did Symantec take upon receiving a qualified audit? b) Why did these steps fail? 2) What is materially different from Symantec's past attempts to remedy the issues (to Issue F and Issue Q) and any proposed response to the latest set of issues (Issue V, Issue X)? In particular, while Issue F is "problematic", it is more concerning that this reoccurred in Issue Q. Highlighting any changes Symantec took in response to these is useful, as would be highlighting the delta between Issue Q and the current audits, which speak to Issue V and Issue X. I encourage Symantec to reconsider what it considers appropriate to disclose, because this fundamentally affects the perceived trustworthiness of any Symantec proposals for remediation. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy