On Mon, Aug 19, 2019 at 10:26 AM Mathew Hodson via dev-security-policy < [email protected]> wrote:
> If these situations were common, it could create a chilling effect on
> problem reporting that would hurt the WebPKI ecosystem. Are specific
> procedures and handling of contact information in these situations
> covered by the BRs or Mozilla policy?

No, there are not.

This is not an uncommon practice within the broader realm of Security Incident Reporting / Disclosure, and has been the subject of much discussion and debate for 30+ years of computer security. You can find plenty of information about lawsuits intended to chill vulnerability disclosure. This is not a problem that can or will be solved within the BRs or Mozilla Policy.

In general, anyone disclosing vulnerabilities should expect their information may be released. That's par for the course here. Different jurisdictions may have different protections, but reporters are encouraged to disclose directly with the CA. Root Store Operators may be willing to intermediate (e.g. disclosing to Mozilla's security reporting), but I'm also not aware of any strong guarantees Mozilla makes with respect to protecting the information of folks who report security issues, especially in the potential incident of (misguided, frivolous) lawsuits.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

