MRSP 2.9: Issues #252 and #266 - Incident Reporting

Skip to first unread message

Ben Wilson

Jul 11, 2023, 11:04:20 AM7/11/23


We are proposing to revise Mozilla Root Store Policy (MRSP) Section 2.4 (Incidents) to address GitHub Issue # 252 and Issue # 266.

Issue #252 - Requirements for Reporting CA Security Incidents

As noted in Issue #252, more guidance is needed for reporting security incidents to Mozilla. I am drafting a wiki page that will outline what is a reportable security incident and what a security incident report should contain. Thus, MRSP section 2.4 will be amended to read something to the effect, " 'Reportable Security Incident' means any security event, breach, or compromise that has the potential to significantly impact the confidentiality, integrity, or availability of CA infrastructure, CA systems, or the trustworthiness of issued certificatesA Reportable Security Incident MUST be reported with a security incident report in Bugzilla [link to Bugzilla security incident report template] as soon as possible and no later than __ hours, as described in [wiki page]. Additionally, other important security incidents and compromises of a CA operator's internal systems SHOULD be reported."

Issue #266 – Update reference to

Also, Issue #266 will be addressed by pointing to the CCADB's incident report requirements.  The following language in MRSP section 2.4 will be amended to read, "CA Operators must report incidents to Mozilla in the form of an Incident Report that follows guidance provided on the CCADB website -"

I look forward to your comments and suggestions regarding security incident reporting.



Matt Palmer

Jul 12, 2023, 2:03:20 AM7/12/23
On Tue, Jul 11, 2023 at 09:04:06AM -0600, Ben Wilson wrote:
> effect, " 'Reportable Security Incident' means any security event, breach,
> or compromise that has the potential to significantly impact the
> confidentiality, integrity, or availability of CA infrastructure, CA

I'd suggest removing the word "significantly", because that's entirely open
to interpretation, and history has shown that CAs aren't shy about
interpreting things in a manner most favourable to their interests. I don't
see any real problem with requiring CAs to report *everything* with the
potential to impact CIA of CA-related things, because even minor hiccups can
become major, and they can also be a learning experience for everyone --
which is the same reason why most safety-critical industries require the
reporting of near-misses, not just actual incidents.

- Matt

Roman Fischer

Jul 12, 2023, 2:43:08 AM7/12/23
Dear Matt,

The way towards something like full disclosure is a difficult one to walk. I was working in the airline industry for a couple of years and experienced firsthand what it means to establish and nurture a "no blame" culture that truly motivates people to talk about mistakes, drifts towards unsafe behaviour and such. It's a long process and all participants need to want to support it.

I think that the current process of disclosing incidents publicly on Bugzilla does not help build a "full disclosure - no blame" culture. So CA's (and all the other participants in the ecosystem) will continue to try and limit the possible negative impact of what they have to disclose.

From my point of view, it makes no big difference if the word "significant" is there or not. As long as the culture is "blame and shame", all participants will think more than twice before posting a Bugzilla.

Kind regards
You received this message because you are subscribed to the Google Groups "" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

Ben Wilson

Jul 26, 2023, 8:24:11 PM7/26/23

We have created a draft wiki page to explain vulnerability disclosure being proposed for v. 2.9 of the MRSP.  See

We did not want to confuse this security vulnerability reporting process with the existing Incident Reporting process (

So, the proposed language is as follows:

"Additionally, and not in lieu of the requirement to publicly report incidents as outlined above, a CA Operator MUST disclose a serious vulnerability or security incident in Bugzilla as a secure bug [link] in accordance with guidance found on the Vulnerability Disclosure wiki page [link to]."

Also, in the MRSP where we refer to or link to Security Incident bugs, we have changed the language to refer to a Vulnerability Disclosure "filed as a secure bug in Bugzilla".

Please review this proposed addition and the draft wiki page and let us know of any comments or concerns.

Ben and Kathleen

Reply all
Reply to author
0 new messages