> On Wed, Oct 19, 2016 at 10:59 AM, Robin Alden <ro...@comodo.com> wrote:
> >
> > Comodo was informed by security researchers Florian Heinz and Martin Kluge
> > that on 23rd September 2016 they had been able to obtain a server
> > authentication certificate [1] from Comodo for a domain which they did not
> > own or control.
> >
> > The researchers shared their discovery with Comodo and this assisted Comodo
> > to ensure that no further such certificates were issued.


As pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1311713 , it 
does seem like there's a rather large gap here between notification and report 
- from 23 Sept to Oct 19.

While it's entirely reasonable that Comodo wanted to ensure that, before 
disclosing any incident, systems were properly protected - and, indeed, 
it's fairly typical in other disclosure circles to ensure vendors have time to 
remediate - could you explain a bit more about how that time was spent?