I don't believe that Wayne was suggesting that *currently* exploitable vulnerabilities be disclosed -- responsible disclosure is critical. I think he was making a distinction between theoretical vulnerabilities (e.g. a machine was discovered to have a version of openssl vulnerable to Heartbleed) and vulnerabilities which could have been actively exploited (e.g. a machine *with a TLS server* was found to be using a bad version of openssl).
The point is that there are many CVEs which cause CAs to update software out of an abundance of caution, but that software would have only been exploitable if an adversary had already penetrated three or four other layers of CA security. Should every such situation be disclosed as a "security vulnerability"? Or, as I believe Wayne was proposing, should such situations be ignored as routine software updates because the vulnerabilities were not actually exploitable?

Aaron

On Thu, Sep 28, 2023, 21:59 Roman Fischer <[email protected]> wrote:

> Dear Wayne,
>
> Your suggestion is almost exactly what was discussed in the Swiss parliament a few weeks ago. There was a discussion whether operators of Swiss Critical Infrastructure should be required by law to report -exploitable vulnerabilities- (in that discussion even zero-day vulnerabilities that the operator became aware of were included) within a short time after discovery to our national cyber security agency. In the end parliament decided to NOT go that way because the danger of disclosing such high-risk information, which would increase the danger of malicious actors being able to exploit it, would outweigh the benefit of disclosure.
>
> If we definitely want -vulnerabilities- to be disclosed, then I would strongly suggest to allow disclosure -after- the vulnerability has been fixed.
>
> Kind regards
> Roman
>
> From: [email protected] <[email protected]> On Behalf Of Wayne Thayer
> Sent: Thursday, 28 September 2023 18:49
> To: [email protected] <[email protected]>
> Subject: Re: Improvements to Vulnerability Disclosure wiki page
>
> Hi Ben,
>
> Hypothetically, if a CVSS v3 9.8 Linux kernel zero-day is announced, and a CA is running that version of the kernel on a Certificate System, are they required to report it as a Security Vulnerability? I don't think that's the intent, but I only reach that conclusion because the examples provided omit this scenario.
> Adding this scenario to the examples would be a targeted improvement, but I think the root of my confusion is the use of the generic term Security Vulnerability when you mean something more specific. Assuming that I understand your intent, a more comprehensive fix would be to invent a term like "Exploitable Vulnerability", meaning a serious vulnerability that has been discovered in the CA's environment and that could be reasonably exploited by an attacker to create a security incident due to the lack of sufficient mitigations.
>
> Thanks,
>
> Wayne
>
> On Wed, Sep 27, 2023 at 10:47 AM Ben Wilson <[email protected]> wrote:
>
> All,
>
> As mentioned in a previous email, I am soliciting feedback regarding the Vulnerability Disclosure wiki page <https://wiki.mozilla.org/CA/Vulnerability_Disclosure>. If you have any specific suggestions that we can use to enhance clarity or to make the page more complete, please don't hesitate to share them, either here or directly with me. Your feedback is instrumental in our commitment to maintain a safe and secure online environment.
>
> Thanks,
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabWhCfgKCOiH75pgtw1AQcNaKWjq%3Dq832p-pQbp5KrfyQ%40mail.gmail.com
