Hi Amir, 

DigiCert has received the related initial inquiry via our Ombudsman 
program. As outlined in the DigiCert Ombudsman SOP in bug 1950144 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1950144>, comment 55 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1950144#c55>, this case is 
following the documented next steps. We will continue to provide updates to 
the submitter within the SLAs specified in the SOP. At this time, we have 
no further comment outside of the Ombudsman process, in order to preserve 
said confidentiality, and we thank the community for its patience while we 
continue to operate the Ombudsman program. 

DigiCert Ombudsman Team 

On Wednesday, June 11, 2025 at 11:45:35 AM UTC-5 Amir Omidi wrote:

> I have received the following email. I don't feel comfortable with this sitting 
> in just my inbox. There were many other recipients CCed on this email too. 
> Seems to mainly be targeting active bugzilla members. Please note:
>
>
>    1. I've done my best to remove names that may be sensitive here.
>    2. I have no way of asserting if this information is correct, or not.
>    3. My message here is for the sake of transparency.
>    4. I do not know who the sender of this email is.
>
>
> [Name 0] is correct in latest bug post; Digicert is not a trustworthy 
> organization. Individuals, companies, partners, resellers, and customers 
> should not rely on or trust them.
>
> This information is widely known within the industry; ask anyone. Current 
> and former employees, partners, and customers are aware of these issues.
>
> The original CNAME incident affected millions of certificates, not just 
> tens of thousands. The fix was implemented under [Name 1]'s direction with 
> little prior notice. A decision was made by [Name 1], [Name 2], and 
> Digicert Legal to not disclose the mis-issuance of millions of certificates 
> to avoid potential loss of business and the need for revocations. Digicert 
> advised their customer to obtain a legal T.R.O. (Temporary Restraining 
> Order) related to this issue.
>
> [Name 1]'s resignation was planned; he was transitioned from full-time 
> employee to contractor immediately afterward, which appeared to be an 
> attempt to manage the fallout and assign blame. He remained a contractor 
> with a planned return once the CNAME incident was resolved.
>
> Employees within Digicert who became aware of the bug and fix raised 
> concerns and pushed for full disclosure. As a result, some of these 
> employees were terminated ([Name 3], [Name 4]).
>
> Any employees who were dismissed should have the legal right to speak 
> freely, without fear of violating NDAs, provided they do not disclose 
> proprietary or customer-specific information. They should be able to 
> confirm or deny the allegations if they choose. Additionally, a 
> representative from Alegeus could confirm if they initiated or assisted 
> with the TRO.
>
> Overall, Digicert cannot be trusted. Their pattern of misinformation, 
> denial, and misdirection has eroded confidence. Their conduct toward the 
> community, competitors, and internet users is unacceptable and should not 
> continue.
>
> Will Digicert add public comment?
>
>
>
> Please note that there is a reply to this message that contains a bit more 
> sensitive/PII information. If we think that this email is actionable, I can 
> follow-up with the reply after sanitizing it as well.
>
