On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Additional issue #2: The information at https://pki.goog/ about how to
> report misissuance directs visitors to a generic reporting page for
> code vulnerabilities, which (by their nature) tends to require reaction
> times measured in days/weeks rather than the 1 day maximum specified
> in Google's CPS.

(To be clear, I am responding only as an individual, neither as Mozilla
peer or Google employee, although I recognize you will likely disregard my
remarks regardless.)

In the past, such comments have generally been seen as offtopic/accusatory,
because they are inherently absent of evidence of any malfeasance. Indeed,
your very comment seems to suggest that Google is not adhering to its
CP/CPS, but without evidence, and such implication comes not based on any
action that Google has taken, but based on your view of what 'others' do or
the 'class' of bugs.

I highlight this because we (the community) see the occasional remark like
this; most commonly, it's directed at organizations in particular
countries, on the basis that we shouldn't trust "them" because they're in
one of "those countries". However, the Mozilla policy is structured to
provide objective criteria and assessments of that.

In this case, I do not believe you are being accurate or fair to present it
as an "issue"; you are implying that Google will not adhere to its CP/CPS,
but without evidence. The nature of incident reporting via this method may
indeed be risky, but it's neither forbidden nor intrinsically wrong. If you
look at many members in the Mozilla program, you will see far less
specificity as to a problem report and the acceptable means of reporting

So while it's useful for you to draw attention to this, it's without
evidence or basis for you to suggest that this is an "issue", per se - that
is, it seemingly in no way conflicts with Mozilla policy or industry
dev-security-policy mailing list

Reply via email to