On Mon, Aug 19, 2019 at 10:26 AM Mathew Hodson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> If these situations were common, it could create a chilling effect on
> problem reporting that would hurt the WebPKI ecosystem. Are specific
> procedures and handling of contact information in these situations
> covered by the BRs or Mozilla policy?

No, there are not.

This is not an uncommon practice within the broader realm of Security
Incident Reporting / Disclosure, and has been the subject of much
discussion and debate for 30+ years of computer security. You can find
plenty of information about lawsuits intended to chill vulnerability
disclosure. This is not a problem that can or will be solved within the BRs
or Mozilla Policy.

In general, anyone disclosing vulnerabilities should expect their
information may be released. That's par for the course here. Different
jurisdictions may have different protections, but reporters are encouraged
to disclose directly with the CA. Root Store Operators may be willing to
intermediate (e.g. disclosing to Mozilla's security reporting), but I'm
also not aware of any strong guarantees Mozilla makes with respect to
protecting the information of folks who report security issues, especially
in the potential incident of (misguided, frivolous) lawsuits.