(→Compliance Problems and Incidents: Added "audit-finding")
(Added section about the CA Security Vulnerability component)
Line 51:
* [audit-failure] failure to perform an audit, failure to upload audits, etc.
* [audit-finding] see https://www.ccadb.org/cas/incident-report#audit-incident-reports
== Vulnerability and Security Incident Reporting ==
To report a vulnerability or security incident pertaining to a CA in Mozilla's Program:
* https://bugzilla.mozilla.org/enter_bug.cgi?bug_type=task&component=CA%20Security%20Vulnerability&groups=ca-program-security&product=CA%20Program
Additionally, and not in lieu of the requirement to publicly report incidents as outlined in section [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#24-incidents 2.4 of Mozilla's Root Store Policy], a CA Operator MUST disclose a serious vulnerability or security incident in Bugzilla as a [https://bugzilla.mozilla.org/enter_bug.cgi?bug_type=task&component=CA%20Security%20Vulnerability&groups=ca-program-security&product=CA%20Program secure bug] in accordance with guidance found on the [[CA/Vulnerability_Disclosure|Vulnerability Disclosure wiki page]].
= Root Inclusion/Change requests and EV Treatment Enablement Requests =