← Sectigo cases
Bugzilla #1869056
CCADB Compliance
Sectigo: Inadequate vulnerability scanning and patching
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo reported deficiencies in their internal vulnerability scanning and patching processes, which resulted in over 400 unresolved vulnerabilities with a CVSS score of 7.0 or higher. The issue arose when agent-based scanning stopped functioning from May 15, 2023, until it was discovered during an ETSI audit in October 2023. The company has since implemented a remediation plan and completed necessary patching, with all critical vulnerabilities resolved by late November 2023. They have also updated their internal processes to prevent similar issues in the future.
Chronology
- Agent-based scanning stopped working without detection.
- Vulnerabilities revealed during ETSI audit.
- Agent-based scanning re-enabled.
- Remaining vulnerabilities deemed false positives.
- All critical vulnerabilities resolved.
Participants
Martijn Katerbarg
Amir Aamidi
Ben Wilson
External References
Similar Local Cases
Sectigo: Late CCADB update after CPS update
Sectigo: CCADB failed ALV - Ensured Root CA
TWCA: Intermediate CA Certificate Missing from Audit Reports
Sectigo / Web.com: inconsistent disclosure of externally-operated intermediate
Sectigo: CCADB failed ALV - Network Solutions Certificate Authority
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB
Amazon Trust Services: Overdue audit statements for intermediate certificates
eMudhra: Failure to Respond to May 2022 Survey