On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Additional issue #2: The information at https://pki.goog/ about how to
> report misissuance directs visitors to a generic reporting page for
> code vulnerabilities, which (by their nature) tends to require reaction
> times measured in days/weeks rather than the 1 day maximum specified
> in Google's CPS.
>

(To be clear, I am responding only as an individual, neither as a Mozilla
peer nor as a Google employee, although I recognize you will likely disregard my
remarks regardless.)

In the past, such comments have generally been seen as off-topic/accusatory,
because they are inherently absent of evidence of any malfeasance. Indeed,
your very comment seems to suggest that Google is not adhering to its
CP/CPS, but without evidence, and such implication comes not based on any
action that Google has taken, but based on your view of what 'others' do or
the 'class' of bugs.

I highlight this because we (the community) see the occasional remark like
this; most commonly, it's directed at organizations in particular
countries, on the basis that we shouldn't trust "them" because they're in
one of "those countries". However, the Mozilla policy is structured to
provide objective criteria and assessments of that.

In this case, I do not believe you are being accurate or fair to present it
as an "issue"; you are implying that Google will not adhere to its CP/CPS,
but without evidence. The nature of incident reporting via this method may
indeed be risky, but it's neither forbidden nor intrinsically wrong. If you
look at many members in the Mozilla program, you will see far less
specificity as to a problem report and the acceptable means of reporting
this.

So while it's useful for you to draw attention to this, it's without
evidence or basis for you to suggest that this is an "issue", per se - that
is, it seemingly in no way conflicts with Mozilla policy or industry
practice.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy