Issue #252 - Requirements for Reporting CA Security Incidents
As noted in Issue #252, more guidance is needed for reporting security incidents to Mozilla. I am drafting a wiki page that will outline what is a reportable security incident and what a security incident report should contain. Thus, MRSP section 2.4 will be amended to read something to the effect of, " 'Reportable Security Incident' means any security event, breach, or compromise that has the potential to significantly impact the confidentiality, integrity, or availability of CA infrastructure, CA systems, or the trustworthiness of issued certificates. A Reportable Security Incident MUST be reported with a security incident report in Bugzilla [link to Bugzilla security incident report template] as soon as possible and no later than __ hours, as described in [wiki page]. Additionally, other important security incidents and compromises of a CA operator's internal systems SHOULD be reported."
Also, Issue #266 will be addressed by pointing to the CCADB's incident report requirements. The following language in MRSP section 2.4 will be amended to read, "CA Operators must report incidents to Mozilla in the form of an Incident Report that follows guidance provided on the CCADB website - https://www.ccadb.org/cas/incident-report."
I look forward to your comments and suggestions regarding security incident reporting.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZRAP278MB05627473060C050F4B0EB20CFA36A%40ZRAP278MB0562.CHEP278.PROD.OUTLOOK.COM.