Bugzilla #1906028
CCADB Compliance
Microsoft PKI Services: Vulnerability Management Exception Tracking
RESOLVED
FIXED
Microsoft Corporation
AI Summary
The Microsoft PKI Services team faced challenges in documenting vulnerability mitigation plans and timelines during an audit period. A qualified opinion from auditors highlighted deficiencies in their process, particularly regarding the 96-hour remediation timeline for critical vulnerabilities. The team acknowledged the need for improved documentation and tooling to track exceptions effectively. They have since completed the action item to document mitigation plans and expanded their vulnerability tracking dashboard to enhance compliance. The case is now resolved.
Chronology
- Auditor provided draft audit reports with qualified opinion.
- Bugzilla case opened.
- Final action item completed.
Participants
u654666@disabled.tld
bwilson@mozilla.com
Similar Local Cases
Microsoft PKI Services: Incomplete Logical Access Review Audit Evidence
Microsoft PKI Services: Failure to report Bugzilla 2026452 within 72 hrs
Microsoft PKI Services: Failure to update action item status within 3 days
IdenTrust: Missing Thumbprints for Intermediate CA certificates In Some Annual Audit Reports
Google Trust Services: New hire onboarding deviation from written procedure
CFCA: Delayed reporting of intermediate CA certificate
DigiCert: Issues with CCADB entries
Netlock: Delayed reply from CPR sent to contact listed in section 1.5.2 of CP/S