[aside: this is how incident reports should be done, IMHO]

On Fri, Nov 22, 2019 at 07:23:27PM -0800, Apple CA via dev-security-policy 
> We did not have an accurate understanding of how the vulnerability scanner
> worked.  Our understanding of its capabilities lead us to believe it was
> scanning and detecting vulnerabilities in EJBCA.

There's a reasonable chance that other CAs may have a similar situation, so
I think it's worth digging deeper into the root causes here.  Can you expand
on how this misunderstanding regarding the vulnerability scanner came to
pass?  What was the information on which you were relying when you came to
the understanding of the vulnerability scanner's capabilities?  Were you
misled by the vendor marketing or technical documentation, or was it an
Apple-internal assessment that came to an inaccurate conclution?  Or

- Matt

dev-security-policy mailing list

Reply via email to