> On Wed, Oct 19, 2016 at 10:59 AM, Robin Alden <ro...@comodo.com> wrote:
> > SUMMARY:
> >
> > Comodo was informed by security researchers Florian Heinz and Martin Kluge
> > that on 23rd September 2016 they had been able to obtain a server
> > authentication certificate [1] from Comodo for a domain which they did not
> > own or control.
> >
> > The researchers shared their discovery with Comodo and this assisted Comodo
> > to ensure that no further such certificates were issued.
Robin,

As pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1311713 , it does seem like there's a rather large gap here between notification and report - from 23 Sept to Oct 19. While it's entirely reasonable that Comodo wanted to ensure, before disclosing any incident, that systems were properly protected - and, indeed, it's fairly typical in other disclosure circles to ensure vendors have time to remediate - could you explain a bit more about how that time was spent?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy