Re: Vulnerability Disclosure - How does it happen?

2024-05-30 Thread Wayne
To bring this discussion back up, what is the required impact for disclosure? To move the discussion away from Chunghwa Telecom, there also was Lockbit ransomware deployed at Entrust in June '22 and at least 400GB+ data exfiltrated. We have not had a public report of what data relevant to CA ope

Re: Vulnerability Disclosure - How does it happen?

2024-05-25 Thread Li-Chun CHEN
Our company's CA system is independent of the telecommunications system. There is no impact on Chunghwa Telecom's CA System related to that data breach news. Chunghwa Telecom will continue to strengthen the system & network security control of the CA system to ensure data security. Thank you. Li

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Aaron Gable' via dev-security-policy@mozilla.org
Although it was not the result of a security breach or other directed attack, I can provide this bugzilla bug as an example of what an embargoed incident report followed by public disclosure has looked like in the past. Aaron On Thu, May 23,

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Thanks. I guess this question then is aimed at Chunghwa Telecom to let us know if what's been reported has had any impact on their CA systems. On Thursday, May 23, 2024 at 1:07:39 PM UTC-4 Ben Wilson wrote: > Amir, > To answer the last question first, Chunghwa Telecom did not disclose this > re

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Amir, To answer the last question first, Chunghwa Telecom did not disclose this recent attack, but I don't think we have sufficient information from the article to determine the effects of the breach on the CA operations. So without more information, it might be premature to answer the question, "I

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread Mike Shaver
Historically at least, Mozilla secure bugs are kept closed only while publishing the information would itself be harmful to the security of Mozilla’s users or others on the web. Relevant patches are out, etc. We held fuzzing tools back for a year or so because another major browser had a hard time

Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Hey folks, I am bringing this up because of: https://www.darkreading.com/cyberattacks-data-breaches/taiwan-telco-breached-data-sold-on-dark-web (I've marked my questions in bold) I'm mainly basing this discussion around: https://wiki.mozilla.org/CA/Vulnerability_Disclosure. I want to understan