Changes

CA/Bug Triage

884 bytes added, 22:52, 9 August 2023
Added section about the CA Security Vulnerability component
* [audit-failure] failure to perform an audit, failure to upload audits, etc.
* [audit-finding] see https://www.ccadb.org/cas/incident-report#audit-incident-reports
 
== Vulnerability and Security Incident Reporting ==
To report a vulnerability or security incident pertaining to a CA in Mozilla's Program:
 
* https://bugzilla.mozilla.org/enter_bug.cgi?bug_type=task&component=CA%20Security%20Vulnerability&groups=ca-program-security&product=CA%20Program
 
Additionally, and not in lieu of the requirement to publicly report incidents as outlined in section [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#24-incidents 2.4 of Mozilla's Root Store Policy], a CA Operator MUST disclose a serious vulnerability or security incident in Bugzilla as a [https://bugzilla.mozilla.org/enter_bug.cgi?bug_type=task&component=CA%20Security%20Vulnerability&groups=ca-program-security&product=CA%20Program secure bug] in accordance with guidance found on the [[CA/Vulnerability_Disclosure|Vulnerability Disclosure wiki page]].
= Root Inclusion/Change requests and EV Treatment Enablement Requests=