On Saturday, November 23, 2019 at 3:28:10 PM UTC-8, Matt Palmer wrote:
> [aside: this is how incident reports should be done, IMHO]
> On Fri, Nov 22, 2019 at 07:23:27PM -0800, Apple CA via dev-security-policy 
> wrote:
> > We did not have an accurate understanding of how the vulnerability scanner
> > worked.  Our understanding of its capabilities lead us to believe it was
> > scanning and detecting vulnerabilities in EJBCA.
> There's a reasonable chance that other CAs may have a similar situation, so
> I think it's worth digging deeper into the root causes here.  Can you expand
> on how this misunderstanding regarding the vulnerability scanner came to
> pass?  What was the information on which you were relying when you came to
> the understanding of the vulnerability scanner's capabilities?  Were you
> misled by the vendor marketing or technical documentation, or was it an
> Apple-internal assessment that came to an inaccurate conclution?  Or
> "other"?
> - Matt

Thank you for your questions.  Due to the Thanksgiving holiday in the US, we 
expect to reply to your questions as early as the week of 02 December.
dev-security-policy mailing list

Reply via email to