On Monday, 19 August 2019 17:26:06 UTC+3, Mathew Hodson wrote:
[...]
> If these situations were common, it could create a chilling effect on
> problem reporting that would hurt the WebPKI ecosystem. Are specific
> procedures and handling of contact information in these situations
> covered by the BRs or Mozilla policy?

From my experience if something is already covered by legislation there doesn't need to be a separate procedure for "complying with the law". Since that researcher is an EU citizen from the Netherlands, the GDPR applies to his personal contact data and both Sectigo's and that "angry" company's actions are (possible) GDPR violations. Was there explicit consent given to Sectigo to forward his contact details to that company? Is that "angry" company even aware of the GDPR? (GDPR, Articles 6 and 7)

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

