Jeremy Rowley posted the following comments in a separate thread:

One suggestion on incident reports is to define "regularly update" as some
> period of time as non-responses can result in additional incident reports.
> Maybe something along the lines of "the greater of every 7 days, the time
> period specified in the next update field by Mozilla, or the time period
> for the next update as agreed upon with Mozilla". I'd also change "the
> corresponding bug is resolved by a Mozilla representative" to "the
> corresponding bug is marked as resolved in bugzilla by a Mozilla
> representative" since the CA is resolving the actual bug, and Mozilla is
> managing its perception on the bug's status.

While I agree with the intent, I do fear that something this strict in
policy creates the wrong incentives (e.g. bots that auto-comment bugs with
no real updates, and others that create new incidents after 7 days and one
second). I'd be okay with adding something like "CAs SHOULD update status
weekly and MUST provide status updates at least every 30 days unless
otherwise agreed by a Mozilla representative."

The addition of "marked as resolved" makes sense to me.

On Tue, Apr 23, 2019 at 4:15 PM Wayne Thayer <> wrote:

> On Tue, Apr 16, 2019 at 12:02 PM Wayne Thayer <> wrote:
>> I've drafted a specific proposal for everyone's consideration:
> Having received no new comments on this proposal, I'll consider this issue
> closed and plan to include it in policy version 2.7.
> - Wayne
dev-security-policy mailing list

Reply via email to