m (→Markdown Template: Minor edits)
(→Types of Vulnerabilities/Incidents to be disclosed: Added explanation about serious vulnerabilities)
Line 39: | Line 39: | ||
Vulnerabilities/incidents that may “significantly impact the confidentiality, integrity, or availability” of a CA's internal systems, regardless of direct impact on certificate issuance, must be reported if they pose ongoing risk to the overall integrity and security of CA operations. This includes significant impact not just to issuing systems, but also to network and server security, internal software, and the availability and reliability of certificate status services, such as CRLs and OCSP. The determination of “significance” is made by the CA Operator based on industry best practices and the guidance below, particularly that guidance found under the heading “'''[[CA/Vulnerability_Disclosure#Determining_Significance|Determining Significance]]'''”. | Vulnerabilities/incidents that may “significantly impact the confidentiality, integrity, or availability” of a CA's internal systems, regardless of direct impact on certificate issuance, must be reported if they pose ongoing risk to the overall integrity and security of CA operations. This includes significant impact not just to issuing systems, but also to network and server security, internal software, and the availability and reliability of certificate status services, such as CRLs and OCSP. The determination of “significance” is made by the CA Operator based on industry best practices and the guidance below, particularly that guidance found under the heading “'''[[CA/Vulnerability_Disclosure#Determining_Significance|Determining Significance]]'''”. | ||
'''Security Incidents include the following: | '''Serious vulnerabilities''' include critical software and web application vulnerabilities, faulty APIs that could lead to data breaches, zero-day exploits, and malware infections. | ||
'''Security Incidents''' include the following: | |||
* Successful unauthorized accesses, acquisitions, disclosures, or thefts of sensitive data or CA equipment involving the CA's systems, infrastructure, networks, applications, or sensitive information (private keys, user credentials, or personally identifiable information). | * Successful unauthorized accesses, acquisitions, disclosures, or thefts of sensitive data or CA equipment involving the CA's systems, infrastructure, networks, applications, or sensitive information (private keys, user credentials, or personally identifiable information). | ||
* | * Ransomware attacks, or other data integrity issues that irrecoverably damage or compromise sensitive CA data. | ||
* Confirmed advanced persistent threats that attempt to compromise the CA's infrastructure, systems, or the reliability or validity of certificates. | * Confirmed advanced persistent threats that attempt to compromise the CA's infrastructure, systems, or the reliability or validity of certificates. | ||
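Review bot: the added '''Serious vulnerabilities''' sentence introduces a second, undefined severity threshold ("critical", "serious") alongside the "significance" test that the preceding paragraph already delegates to the "Determining Significance" heading, leaving a CA Operator with two bars to reconcile; suggest either pointing this sentence at that same heading or stating the criterion that makes a vulnerability serious (for instance, exploitability against in-scope CA systems or certificate status services). Two of the listed items, "zero-day exploits" and "malware infections", describe exploitation events rather than vulnerabilities and duplicate ground covered by the Security Incidents list that follows; consider moving them into that list or rewording the vulnerability side as unpatched weaknesses under active exploitation. In the new bullet, "Ransomware attacks, or other data integrity issues that irrecoverably damage or compromise sensitive CA data." should drop the comma before "or" so the qualifying clause reads as applying to both items. Closing the bold markup in "'''Security Incidents''' include the following:" correctly fixes the unterminated ''' on the old side.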