NETLOCK: Failure to acknowledge/respond to a Certificate Problem Report within 24 hours (CPR response-time violation)
This case concerns NETLOCK’s failure to acknowledge/respond to a Certificate Problem Report (CPR) within 24 hours, as required by the CA/B Forum Baseline Requirements. A CPR was submitted to NETLOCK’s CCADB-disclosed problem reporting address (compliance.info@netlock.hu) on 2026-06-10 23:48 UTC, referencing an OCSP error for a certificate NETLOCK issued. A follow-up was sent on 2026-06-16 to the same address, with visszavonas@netlock.hu CC’d. The thread states NETLOCK did not acknowledge either CPR within the required 24 hours; an automated acknowledgment was received on 2026-06-24 (14 days after submission), and the first substantive response arrived on 2026-06-26 at approximately 08:57 UTC, asking which certificate was affected.

The reporter also states that NETLOCK’s incident report for this bug was provided about 88 hours after the bug was opened and that this reporting delay is a compliance violation. The bug remains UNCONFIRMED and no resolution is recorded in the thread.
- A CPR was submitted to NETLOCK’s CCADB-disclosed problem reporting address referencing an OCSP error for a NETLOCK-issued certificate.
- A follow-up was sent to NETLOCK’s problem reporting address (and CC’d an additional disclosed address).
- An automated acknowledgment was received 14 days after the initial CPR submission.
- A first substantive response was received, asking which certificate was affected.
- Mozilla CA Program bug 2051459 was opened describing the CPR response-time failure.
- NETLOCK provided an incident report, while the reporter argued the disclosure timing was late and referenced a separate incident report for the CPR response-time failure.
- pagueophelia@gmail.com — Opened the bug with a preliminary incident report stating NETLOCK did not acknowledge/respond to the CPR within 24 hours and that the first substantive response arrived 16 days after submission.
- kaluha.roland@netlock.hu — Submitted a Full Incident Report that explicitly scoped out the CPR response-time failure, stating it was addressed in a separate Full Incident Report (2052541).
- pagueophelia@gmail.com — Argued NETLOCK’s incident report was provided about 88 hours after the bug was opened (missing a 72-hour window) and reiterated repeated CPR non-responsiveness, citing other bug IDs.