> On Wed, Oct 19, 2016 at 10:59 AM, Robin Alden <ro...@comodo.com> wrote:
> > SUMMARY:
> > Comodo was informed by security researchers Florian Heinz and Martin Kluge
> > that on 23rd September 2016 they had been able to obtain a server
> > authentication certificate from Comodo for a domain which they did not
> > own or control.
> > The researchers shared their discovery with Comodo and this assisted Comodo
> > to ensure that no further such certificates were issued.
As pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1311713, it
does seem like there's a rather large gap here between notification and report
- from 23 Sept to Oct 19.
While it's entirely reasonable that Comodo wanted to ensure, before
disclosing any incident, that systems were properly protected - and, indeed,
it's fairly typical in other disclosure circles to ensure vendors have time to
remediate - could you explain a bit more about how that time was spent?
dev-security-policy mailing list