Let us give feedback on points that seem not to have been answered fully in previous comments, so that the feedback on this bug discussion is more understandable and satisfactory.
We would like to answer Ryan's questions in comment 12:
(Here, the first question in Ryan's comment 12 was not answered completely due to a copy-paste error in my text editor.
What's the defined period? -> The period is at most a week.)
Based on the feedback we've received from Ryan, it's important to explore how other CAs respond in similar situations and find the best solution based on others' feedback. When we focused on this bug, we tried to find similar situations from different CAs.
With the occurrence of the event, there is a lack of BR and similar compliance monitoring and controls. As seen in this bug, software and application changes made as a result of our controls and their CPS reflections are not reflected in a timely manner. Here, although we have deprecated the domain name verification method (126.96.36.199.6) in question, its reflection in the CPS has mistakenly been delayed. This process needs to be completed together with all its reflections in a process that needs to happen.
Before the bug appeared, internal audits for compliance within our own system, such as BR and EV, were reviewed at scheduled periods, i.e. annually. Review dates were planned, and reviewed compliance documents were approved by management reviews at scheduled meetings. If an update was required due to a change in BR or other compliance documents, an action was triggered on the initiative of the information security management team. These actions include technical changes, software updates and documentation updates (for example, updating the CP/CPS).
As Ryan stated, we had a lack of regular follow-up of existing bugs or events in other lists before the bug appeared. As we stated in Comment 14, our procedures and guidelines seem sufficient. However, in order to improve further, overcome the deficiencies encountered in practice and ensure cross-checks, we are increasing the number of people in our group responsible for compliance and audit operations and increasing the level of skills and experience, and we have been very successful so far.
Specific to this bug, in addition to the answer to the 7th item in the Incident Report in Comment 11:
In case of improvement and change needs arising from other CA cases or discussions, we will ensure that the improvement processes trigger the new process specified in Comment 11. In this context, the created process will be a part of both the compliance monitoring and self-improvement processes. We have updated the relevant improvement and compliance follow-up procedures and instructions for these described changes.