On 10/02/2017 05:42, Ryan Sleevi wrote:

On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy
<mailto:dev-security-policy@lists.mozilla.org>> wrote:

    Additional issue #2: The information at https://pki.goog/ about how to
    report misissuance directs visitors to a generic reporting page for
    code vulnerabilities, which (by their nature) tends to require reaction
    times measured in days/weeks rather than the 1 day maximum specified
    in Google's CPS.

(To be clear, I am responding only as an individual, neither as Mozilla
peer or Google employee, although I recognize you will likely disregard
my remarks regardless.)

In the past, such comments have generally been seen as
offtopic/accusatory, because they are inherently absent of evidence of
any malfeasance. Indeed, your very comment seems to suggest that Google
is not adhering to its CP/CPS, but without evidence, and such
implication comes not based on any action that Google has taken, but
based on your view of what 'others' do or the 'class' of bugs.

I highlight this because we (the community) see the occasional remark
like this; most commonly, it's directed at organizations in particular
countries, on the basis that we shouldn't trust "them" because they're
in one of "those countries". However, the Mozilla policy is structured
to provide objective criteria and assessments of that.

In this case, I do not believe you are being accurate or fair to present
it as an "issue"; you are implying that Google will not adhere to its
CP/CPS, but without evidence. The nature of incident reporting via this
method may indeed be risky, but it's neither forbidden nor intrinsically
wrong. If you look at many members in the Mozilla program, you will see
far less specificity as to a problem report and the acceptable means of
reporting this.

For clarity, I was pointing out that GTS seems to have chosen a method
likely to fail if an when actually needed, due to the typical dynamics
of large human organizations.  Presumably an organization of such
magnitude is likely to have contact points more dedicated to
time-sensitive action-required messages than the contact point they chose.

So while it's useful for you to draw attention to this, it's without
evidence or basis for you to suggest that this is an "issue", per se -
that is, it seemingly in no way conflicts with Mozilla policy or
industry practice.

I find that it is an issue, but not an absolute cause for rejection.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to