Improvements to Vulnerability Disclosure wiki page


Ben Wilson

Sep 27, 2023, 1:47:49 PM
to dev-secur...@mozilla.org
All,
As mentioned in a previous email, I am soliciting feedback regarding the Vulnerability Disclosure wiki page. If you have any specific suggestions that we can use to enhance clarity or to make the page more complete, please don't hesitate to share them, either here or directly with me. Your feedback is instrumental in our commitment to maintain a safe and secure online environment.
Thanks,
Ben

Wayne Thayer

Sep 28, 2023, 12:49:26 PM
to dev-secur...@mozilla.org
Hi Ben,

Hypothetically, if a CVSS v3 9.8 Linux kernel zero-day is announced, and a CA is running that version of the kernel on a Certificate System, are they required to report it as a Security Vulnerability? I don't think that's the intent, but I only reach that conclusion because the examples provided omit this scenario. Adding this scenario to the examples would be a targeted improvement, but I think the root of my confusion is the use of the generic term Security Vulnerability when you mean something more specific. Assuming that I understand your intent, a more comprehensive fix would be to invent a term like "Exploitable Vulnerability", meaning a serious vulnerability that has been discovered in the CA's environment and that could be reasonably exploited by an attacker to create a security incident due to the lack of sufficient mitigations.

Thanks,

Wayne

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabWhCfgKCOiH75pgtw1AQcNaKWjq%3Dq832p-pQbp5KrfyQ%40mail.gmail.com.

Roman Fischer

Sep 29, 2023, 12:59:56 AM
to dev-secur...@mozilla.org

Dear Wayne,

Your suggestion is almost exactly what was discussed in the Swiss parliament a few weeks ago. There was a discussion whether operators of Swiss Critical Infrastructure should be required by law to report *exploitable vulnerabilities* (in that discussion even zero-day vulnerabilities that the operator became aware of were included) within a short time after discovery to our national cyber security agency. In the end parliament decided NOT to go that way, because the danger that disclosing such high-risk information would increase the risk of malicious actors being able to exploit it would outweigh the benefit of disclosure.

If we definitely want *vulnerabilities* to be disclosed, then I would strongly suggest allowing disclosure *after* the vulnerability has been fixed.


Kind regards
Roman

Aaron Gable

Sep 29, 2023, 11:05:28 AM
to Roman Fischer, dev-secur...@mozilla.org
I don't believe that Wayne was suggesting that *currently* exploitable vulnerabilities be disclosed -- responsible disclosure is critical. I think he was making a distinction between theoretical vulnerabilities (e.g. a machine was discovered to have a version of openssl vulnerable to Heartbleed) and vulnerabilities which could have been actively exploited (e.g. a machine *with a TLS server* was found to be using a bad version of openssl).

The point is that there are many CVEs which cause CAs to update software out of an abundance of caution, but that software would have only been exploitable if an adversary had already penetrated three or four other layers of CA security. Should every such situation be disclosed as a "security vulnerability"? Or, as I believe Wayne was proposing, should such situations be treated as routine software updates because the vulnerabilities were not actually exploitable?

Aaron


Ben Wilson

Nov 22, 2023, 2:34:58 PM
to dev-secur...@mozilla.org
All,
For your review and comment, today I reorganized the security incident and vulnerability disclosure report's expected contents and added a markdown template that can be used in Bugzilla.
Ben 

Roman Fischer

Nov 23, 2023, 1:07:18 AM
to Ben Wilson, dev-secur...@mozilla.org

Dear Ben,

Thanks for the effort you put into this and especially to align the markdown template to the regular incident reporting template as much as possible.

Regarding the "Contact Information": What is Mozilla's expectation here? An e-mail address (personal or group mailbox), phone number (plus timezone so that people aren't called in the middle of "their" night)? Or... ?

As for the other details in such a report: They look plausible and I guess they are the result of previous incidents and details that were missing in the initial communication.

Kind regards
Roman


Ben Wilson

Jan 4, 2024, 4:04:25 PM
to Roman Fischer, dev-secur...@mozilla.org
Thanks, Roman

I have added "Email Address / Group Distribution List" as a clarification. Additional contact information such as a phone number might be needed in exceptional cases, but we can request that if needed.

Ben