Hi everyone,

In October 2023
<https://groups.google.com/a/ccadb.org/g/public/c/jYNpX4rGLvk/m/dJ_OcBiuAAAJ?utm_medium=email&utm_source=footer>,
the CCADB Steering Committee, with valuable feedback from this community,
updated the CCADB Incident Reporting Guidelines
<https://www.ccadb.org/cas/incident-report> (IRGs). While the resulting
updates have led to some reports becoming more useful and effective, Root
Store Operators have continued to stress the importance of high-quality
incident reports during CA/Browser Forum Face-to-Face updates and
elsewhere.

In the spirit of continuous improvement, the CCADB Steering Committee has
worked over the past few months to further enhance the effectiveness of the
IRGs.

*Objectives for this update to the IRGs include:*

   - Clarifying Root Store Operator expectations
   - Aligning report format and content with those expectations
   - Improving clarity regarding the difference between “preliminary” and
   “full” reports, and the timelines for disclosing these reports
   - Improving Root Cause Analysis
   - Tracking commitments made by CA Owners in response to incidents
   - Increasing accountability and generating more actionable insights
   - Improving consistency in report quality
   - Emphasizing continuous improvement and lessons learned
   - Encouraging familiarity with historical incident reports
   - Defining a standard process for closing reports
   - Aligning the incident reporting format with Steering Committee
   objectives planned for 2025+


The set of proposed updates is available here
<https://github.com/mozilla/www.ccadb.org/pull/186>.

*Beyond the above changes, we are considering making the following
recommendations:*

   - *To better encourage blamelessness*, when posting incident reports or
   responding to comments on incident reports with which they are affiliated,
   participants are encouraged to respond from a Bugzilla account associated
   with one of the CA e-mail aliases disclosed to the CCADB, rather than an
   individual contributor’s account. Some CAs already do this, and we’d like
   this to become a standard practice.
   - *To better respect a desire for individual privacy and potential risk
   of retaliation*, individuals participating in the incident reporting
   process should feel welcome to participate responsibly from an account that
   does not identify the individual posting or their organizational
   affiliation.


These proposals should not be considered “final”, but instead a “work
in progress” that we hope to enhance through community contributions. We
welcome your feedback on these proposed updates and recommendations *by
January 15, 2025*. Please share your thoughts by replying to this email or,
preferably, by suggesting edits directly on GitHub.

Thanks,

Ryan (on behalf of the CCADB Steering Committee)
