[aside: this is how incident reports should be done, IMHO] On Fri, Nov 22, 2019 at 07:23:27PM -0800, Apple CA via dev-security-policy wrote: > We did not have an accurate understanding of how the vulnerability scanner > worked. Our understanding of its capabilities lead us to believe it was > scanning and detecting vulnerabilities in EJBCA.
There's a reasonable chance that other CAs may have a similar situation, so I think it's worth digging deeper into the root causes here. Can you expand on how this misunderstanding regarding the vulnerability scanner came to pass? What was the information on which you were relying when you came to the understanding of the vulnerability scanner's capabilities? Were you misled by the vendor marketing or technical documentation, or was it an Apple-internal assessment that came to an inaccurate conclution? Or "other"? - Matt _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy