Comodo followed the Vulnerability Disclosure Guidelines of the Common Computing Security Standards Forum (CCSS) by using an independent third party as a medium for disclosure. The independent third party who notified VeriSign on behalf of Comodo does not wish for his identity to be revealed at this time. It would seem as if their customers should be notified to decide on a case-by-case basis if they are OK with the issue or if they want it fixed. By not notifying its customers, VeriSign seems to be selling people security while not totally secure itself. The pages you have accessed are merely public portals for our customers' authenticated work to be performed." Comodo CEO Melih Abdulhayoglu demonstrated the vulnerability to me in confidence. VeriSign responded, "We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways. “With millions of customers' financial transactions at stake, we wasted no time to help correct the problem even though it wasn't ours to begin with.” “When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem,” explained Melih Abdulhayoglu, chief executive officer and founder of Comodo. Communicating through the independent third party, Comodo urged VeriSign to take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this vulnerability.