Closed Bug 2009046 Opened 2 months ago Closed 18 days ago

Chunghwa Telecom: Delayed disclosure to Bug 2008799 GTLSCA Audit Incident Report #3 - Missing vulnerability scan

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tmkuo, Assigned: tmkuo)

Details

(Whiteboard: [ca-compliance] [policy-failure] [disclosure-failure])

Preliminary Incident Report

Summary

  • Incident description: The annual audit report of GTLSCA was obtained on 2025/12/13, and on 2026/1/6 we became aware of an audit finding (see Bug 2008799) that had not been disclosed in a public incident report.
  • Relevant policies: CCADB Policy 5.2 Audit Statement Content
  1. All incidents disclosed by the CA Owner, or reported by a third party, and all findings reported by an auditor, that, at any time during the audit period, occurred, were open in Bugzilla, or were reported to a Root Store Operator; and ...

When are reports expected?
Within 72 hours of a CA Owner becoming aware of an incident (i.e., the “initial incident disclosure”) or an audit finding not previously disclosed in an Incident Report

  • Source of incident disclosure: Third Party Reported
Assignee: nobody → tmkuo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [policy-failure] [disclosure-failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A006506
  • Incident description: The annual audit report of GTLSCA was obtained on 2025/12/13, and on 2026/1/6 we became aware of an audit finding (see Bug 2008799) that had not been disclosed in a public incident report. This case is categorized as a compliance/process "Delayed Disclosure" incident, rather than a security incident or mis-issuance. During the 2025 WebTrust audit, the auditor issued a finding related to a missing vulnerability scan: inadequate validation of the scanning methodology and scope performed by the third-party cybersecurity service provider led to certain website hosts being excluded from the vulnerability scans. Under CCADB Policy, qualifications identified during audits are considered "findings," and such an audit finding must be disclosed to Bugzilla within 72 hours. Disclosure of this audit finding was not completed within the timeframe required by the CCADB, resulting in a delayed disclosure incident. The issue was ultimately reported by a third party, prompting the GTLSCA team to recognize the oversight and initiate corrective disclosure.
  • Timeline summary:
    • Non-compliance start date: 2025-11-21
    • Non-compliance identified date: 2026‑01‑06
    • Non-compliance end date: 2026-01-19
  • Relevant policies: CCADB Policy 5.2 Audit Statement Content

All incidents disclosed by the CA Owner, or reported by a third party, and all findings reported by an auditor, that, at any time during the audit period, occurred, were open in Bugzilla, or were reported to a Root Store Operator; and ...

When are reports expected?
Within 72 hours of a CA Owner becoming aware of an incident (i.e., the “initial incident disclosure”) or an audit finding not previously disclosed in an Incident Report

  • Source of incident disclosure: Third Party Reported

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic:
    (a) CCADB Policy 5.2 requires disclosure of incidents and audit findings occurring or identified during the audit period.
    (b) Delayed disclosure affects Root Program expectations for transparency and maturity of governance.
    (c) Due to insufficient familiarity with CCADB Policy 5.2 requirements, the GTLSCA team did not recognize that the audit finding required a mandatory disclosure. As a result, the required 72‑hour disclosure window was missed.
  • Was issuance stopped in response to this incident, and why or why not?: As no certificates were misissued, issuance was not stopped. However, this CA had already stopped issuing TLS certificates in early March 2025.
  • Analysis:
  • Additional considerations:

Timeline

All times are UTC+8.

2025-11-18

  • 17:00-18:00 GTLSCA Auditing Close Meeting.

2025-11-20

  • 14:00-15:00 Internal meeting discussing the finding received and planning for the improvement Plan. (GTLSCA Team and Root CA Team)

2025-11-21

  • 17:00 The required 72‑hour disclosure window was missed [start of the non-compliance]

2025-12-13

  • Official audit report (including findings) received.

2026-01-05

  • 23:52 Notified by the Third Party about the deficiency in timely disclosure.

2026‑01‑06

  • 09:20 The GTLSCA team recognized the oversight and initiated corrective disclosure. [identification of the non-compliance]

2026-01-07

  • 04:03 Preliminary Incident Report for Bug 2008799 posted on Bugzilla.
    (Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #3 - Missing vulnerability scan)

2026-01-08

  • 05:46 Preliminary Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.

2026-01-17

  • 23:54 Full Incident Report for Bug 2008799 posted on Bugzilla.

2026-01-19

  • Full Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla. [end of the non-compliance]

Related Incidents

Bug      Date        Description
2008260  2026-01-01  Delayed audit disclosure.
2009134  2026-01-08  Reporting delayed when handling incident bug.
2009043  2026-01-08  Delayed disclosure to Audit Incident Report.
2009045  2026-01-08  Delayed disclosure to Audit Incident Report.
2009048  2026-01-08  Delayed disclosure to Audit Incident Report.
2010525  2026-01-15  Reporting delayed when handling incident bug.

Root Cause Analysis

Contributing Factor 1: Insufficient Understanding of CCADB Policy 5.2 (Primary Root Cause)

  • Description: The team did not fully understand that CCADB Policy 5.2 requires mandatory disclosure of audit findings within 72 hours.
    This lack of awareness caused the team to treat the finding as an internal audit item rather than a reportable incident.
  • Timeline:
    2025-11-18: GTLSCA Auditing Close Meeting.
    2025-11-20: Internal meeting discussing the finding received and planning for the improvement Plan. (GTLSCA Team and Root CA Team)
    2025-11-21: The required 72‑hour disclosure window was missed
    2025‑12‑13: Official Audit report (including findings) received.
    2026-01-05: Notified by the Third Party about the deficiency in timely disclosure.
    2026-01-06: The GTLSCA team recognized the oversight and initiated corrective disclosure.
    2026-01-07: Preliminary Incident Report for Bug 2008799 posted on Bugzilla.
                (GTLSCA Audit Incident Report #3 - Missing vulnerability scan)
    2026-01-08: Preliminary Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.
    2026-01-17: Full Incident Report for Bug 2008799 posted on Bugzilla.
    2026-01-19: Full Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.
  • Detection: Notified by the Third Party.
  • Interaction with other factors:
    The existing process lacked:
    (a) a mandatory gate to evaluate whether an audit finding triggers CCADB/Bugzilla reporting;
    (b) a mechanism to start the 72-hour disclosure timer.
    This process gap resulted in the audit finding never entering the disclosure pipeline.
  • Root Cause Analysis methodology used:

Contributing Factor 2: Delayed Reporting Was Triggered Only After Third‑Party Notification

  • Description: The fact that disclosure occurred only after a third-party reminder indicates insufficient internal monitoring of audit findings.
  • Timeline:
    2025-11-18: GTLSCA Auditing Close Meeting.
    2025-11-20: Internal meeting discussing the finding received and planning for the improvement Plan. (GTLSCA Team and Root CA Team)
    2025-11-21: The required 72‑hour disclosure window was missed
    2025‑12‑13: Official Audit report (including findings) received.
    2026-01-05: Notified by the Third Party about the deficiency in timely disclosure.
    2026-01-06: The GTLSCA team recognized the oversight and initiated corrective disclosure.
    2026-01-08: Preliminary Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.
  • Detection: Notified by the Third Party.
  • Interaction with other factors:
    All team members involved in audits must clearly understand:
    (a) what is considered an audit finding;
    (b) when reports are expected;
    (c) the 72-hour disclosure rule and its implications.
  • Root Cause Analysis methodology used:

Lessons Learned

  • What went well: N/A
  • What didn’t go well:
    (a) Every audit finding must undergo a CCADB disclosure applicability check; audit findings must not be handled solely as internal corrective actions, and each finding requires a structured evaluation for CCADB/Bugzilla reporting.
    (b) Disclosure responsibility must be centralized under the Root CA compliance function to improve clarity, prevent fragmented responsibility, and reduce the risk of missed obligations.
  • Where we got lucky:
  • Additional:
    (a) CCADB Policy 5.2 requirements must be formalized and made mandatory for all relevant roles in the GTLSCA team. All team members involved in audits must clearly understand the 72-hour disclosure rule and its implications.
    (b) Dependence on manual tracking or external reminders is not reliable; automated notifications and dashboards are needed.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Initiate corrective disclosure | Mitigate | Root Cause #1 | Full Incident Report for Bug 2008799 posted on Bugzilla. | 2026-01-18 | Completed
Mandatory CCADB Policy 5.2 Training (including the 72-hour disclosure rule) | Prevent | Root Cause #1 | Training materials published; attendance records; annual refresh plan. | 2026-01-23 | Ongoing
Add a CCADB Disclosure Decision Gate to the Audit Workflow (within 24 hours of receiving findings) | Prevent | Root Causes #1 & #2 | Updated workflow; new checklist; sample run documented. | 2026-02-04 | Ongoing
Deploy an Audit-Finding Monitoring Dashboard | Prevent | Root Causes #1 & #2 | Dashboard online; automated sync of findings and disclosure status. | 2026-02-06 | Ongoing

Appendix

N/A

Updated, fixed typo.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A006506
  • Incident description: The annual audit report of GTLSCA was obtained on 2025/12/13, and on 2026/1/6 we became aware of an audit finding (see Bug 2008799) that had not been disclosed in a public incident report. This case is categorized as a compliance/process "Delayed Disclosure" incident, rather than a security incident or mis-issuance. During the 2025 WebTrust audit, the auditor issued a finding related to a missing vulnerability scan: inadequate validation of the scanning methodology and scope performed by the third-party cybersecurity service provider led to certain website hosts being excluded from the vulnerability scans. Under CCADB Policy, qualifications identified during audits are considered "findings," and such an audit finding must be disclosed to Bugzilla within 72 hours. Disclosure of this audit finding was not completed within the timeframe required by the CCADB, resulting in a delayed disclosure incident. The issue was ultimately reported by a third party, prompting the GTLSCA team to recognize the oversight and initiate corrective disclosure.
  • Timeline summary:
    • Non-compliance start date: 2025-11-21
    • Non-compliance identified date: 2026‑01‑06
    • Non-compliance end date: 2026-01-19
  • Relevant policies: CCADB Policy 5.2 Audit Statement Content

All incidents disclosed by the CA Owner, or reported by a third party, and all findings reported by an auditor, that, at any time during the audit period, occurred, were open in Bugzilla, or were reported to a Root Store Operator; and ...

When are reports expected?
Within 72 hours of a CA Owner becoming aware of an incident (i.e., the “initial incident disclosure”) or an audit finding not previously disclosed in an Incident Report

  • Source of incident disclosure: Third Party Reported

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic:
    (a) CCADB Policy 5.2 requires disclosure of incidents and audit findings occurring or identified during the audit period.
    (b) Delayed disclosure affects Root Program expectations for transparency and maturity of governance.
    (c) Due to insufficient familiarity with CCADB Policy 5.2 requirements, the GTLSCA team did not recognize that the audit finding required a mandatory disclosure. As a result, the required 72‑hour disclosure window was missed.
  • Was issuance stopped in response to this incident, and why or why not?: As no certificates were misissued, issuance was not stopped. However, this CA had already stopped issuing TLS certificates in early March 2025.
  • Analysis:
  • Additional considerations:

Timeline

All times are UTC+8.

2025-11-18

  • 17:00-18:00 GTLSCA Auditing Close Meeting.

2025-11-20

  • 14:00-15:00 Internal meeting discussing the finding received and planning for the improvement Plan. (GTLSCA Team and Root CA Team)

2025-11-21

  • 17:00 The required 72‑hour disclosure window was missed [start of the non-compliance]

2025-12-13

  • Official audit report (including findings) received.

2026-01-05

  • 23:52 Notified by the Third Party about the deficiency in timely disclosure.

2026‑01‑06

  • 09:20 The GTLSCA team recognized the oversight and initiated corrective disclosure. [identification of the non-compliance]

2026-01-07

  • 04:03 Preliminary Incident Report for Bug 2008799 posted on Bugzilla.
    (Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #3 - Missing vulnerability scan)

2026-01-08

  • 05:46 Preliminary Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.

2026-01-17

  • 23:54 Full Incident Report for Bug 2008799 posted on Bugzilla.

2026-01-19

  • Full Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla. [end of the non-compliance]

Related Incidents

Bug      Date        Description
2008260  2026-01-01  Delayed audit disclosure.
2009134  2026-01-08  Reporting delayed when handling incident bug.
2009043  2026-01-08  Delayed disclosure to Audit Incident Report.
2009045  2026-01-08  Delayed disclosure to Audit Incident Report.
2009048  2026-01-08  Delayed disclosure to Audit Incident Report.
2010525  2026-01-15  Reporting delayed when handling incident bug.

Root Cause Analysis

Contributing Factor 1: Insufficient Understanding of CCADB Policy 5.2 (Primary Root Cause)

  • Description: The team did not fully understand that CCADB Policy 5.2 requires mandatory disclosure of audit findings within 72 hours.
    This lack of awareness caused the team to treat the finding as an internal audit item rather than a reportable incident.
  • Timeline:
    2025-11-18: GTLSCA Auditing Close Meeting.
    2025-11-20: Internal meeting discussing the finding received and planning for the improvement Plan. (GTLSCA Team and Root CA Team)
    2025-11-21: The required 72‑hour disclosure window was missed
    2025‑12‑13: Official Audit report (including findings) received.
    2026-01-05: Notified by the Third Party about the deficiency in timely disclosure.
    2026-01-06: The GTLSCA team recognized the oversight and initiated corrective disclosure.
    2026-01-07: Preliminary Incident Report for Bug 2008799 posted on Bugzilla.
                (GTLSCA Audit Incident Report #3 - Missing vulnerability scan)
    2026-01-08: Preliminary Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.
    2026-01-17: Full Incident Report for Bug 2008799 posted on Bugzilla.
    2026-01-19: Full Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.
  • Detection: Notified by the Third Party.
  • Interaction with other factors:
    The existing process lacked:
    (a) a mandatory gate to evaluate whether an audit finding triggers CCADB/Bugzilla reporting;
    (b) a mechanism to start the 72-hour disclosure timer.
    This process gap resulted in the audit finding never entering the disclosure pipeline.
  • Root Cause Analysis methodology used:

Contributing Factor 2: Delayed Reporting Was Triggered Only After Third‑Party Notification

  • Description: The fact that disclosure occurred only after a third-party reminder indicates insufficient internal monitoring of audit findings.
  • Timeline:
    2025-11-18: GTLSCA Auditing Close Meeting.
    2025-11-20: Internal meeting discussing the finding received and planning for the improvement Plan. (GTLSCA Team and Root CA Team)
    2025-11-21: The required 72‑hour disclosure window was missed
    2025‑12‑13: Official Audit report (including findings) received.
    2026-01-05: Notified by the Third Party about the deficiency in timely disclosure.
    2026-01-06: The GTLSCA team recognized the oversight and initiated corrective disclosure.
    2026-01-08: Preliminary Incident Report for delayed disclosure to Bug 2008799 posted on Bugzilla.
  • Detection: Notified by the Third Party.
  • Interaction with other factors:
    All team members involved in audits must clearly understand:
    (a) what is considered an audit finding;
    (b) when reports are expected;
    (c) the 72-hour disclosure rule and its implications.
  • Root Cause Analysis methodology used:

Lessons Learned

  • What went well: N/A
  • What didn’t go well:
    (a) Every audit finding must undergo a CCADB disclosure applicability check; audit findings must not be handled solely as internal corrective actions, and each finding requires a structured evaluation for CCADB/Bugzilla reporting.
    (b) Disclosure responsibility must be centralized under the Root CA compliance function to improve clarity, prevent fragmented responsibility, and reduce the risk of missed obligations.
  • Where we got lucky:
  • Additional:
    (a) CCADB Policy 5.2 requirements must be formalized and made mandatory for all relevant roles in the GTLSCA team. All team members involved in audits must clearly understand the 72-hour disclosure rule and its implications.
    (b) Dependence on manual tracking or external reminders is not reliable; automated notifications and dashboards are needed.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Initiate corrective disclosure | Mitigate | Root Cause #1 | Full Incident Report for Bug 2008799 posted on Bugzilla. | 2026-01-17 | Completed
Mandatory CCADB Policy 5.2 Training (including the 72-hour disclosure rule) | Prevent | Root Cause #1 | Training materials published; attendance records; annual refresh plan. | 2026-01-23 | Ongoing
Add a CCADB Disclosure Decision Gate to the Audit Workflow (within 24 hours of receiving findings) | Prevent | Root Causes #1 & #2 | Updated workflow; new checklist; sample run documented. | 2026-02-04 | Ongoing
Deploy an Audit-Finding Monitoring Dashboard | Prevent | Root Causes #1 & #2 | Dashboard online; automated sync of findings and disclosure status. | 2026-02-06 | Ongoing

Appendix

N/A

Chunghwa Telecom is monitoring this bug for comments and questions. We have no new information at the moment.

Action Items Update

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Initiate corrective disclosure | Mitigate | Root Cause #1 | Full Incident Report for Bug 2008799 posted on Bugzilla. | 2026-01-17 | Completed
Mandatory CCADB Policy 5.2 Training (including the 72-hour disclosure rule) | Prevent | Root Cause #1 | Training materials published; attendance records; annual refresh plan. | 2026-01-30 | Completed
Add a CCADB Disclosure Decision Gate to the Audit Workflow (within 24 hours of receiving findings) | Prevent | Root Causes #1 & #2 | Updated workflow; new checklist; sample run documented. | 2026-02-04 | Ongoing
Deploy an Audit-Finding Monitoring Dashboard | Prevent | Root Causes #1 & #2 | Dashboard online; automated sync of findings and disclosure status. | 2026-02-06 | Ongoing

Action Items Update

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Initiate corrective disclosure | Mitigate | Root Cause #1 | Full Incident Report for Bug 2008799 posted on Bugzilla. | 2026-01-17 | Completed
Mandatory CCADB Policy 5.2 Training (including the 72-hour disclosure rule) | Prevent | Root Cause #1 | Training materials published; attendance records; annual refresh plan. | 2026-01-30 | Completed
Add a CCADB Disclosure Decision Gate to the Audit Workflow (within 24 hours of receiving findings) | Prevent | Root Causes #1 & #2 | Updated workflow; new checklist; sample run documented. | 2026-02-06 | Completed
Deploy an Audit-Finding Monitoring Dashboard | Prevent | Root Causes #1 & #2 | Dashboard online; automated sync of findings and disclosure status. | 2026-02-06 | Completed

Report Closure Summary

  • Incident description: The annual audit report of GTLSCA was obtained on 2025/12/13, and on 2026/1/6 we became aware of an audit finding (Bug 2008799) that had not been disclosed in a public incident report.

  • Incident Root Cause(s):
    1. Insufficient Understanding of CCADB Policy 5.2: The team did not fully understand that CCADB Policy 5.2 and the CCADB Incident Guidelines require mandatory disclosure of audit findings within 72 hours. This lack of awareness caused the team to treat the finding as an internal audit item to be corrected rather than a reportable incident.
    2. Delayed Reporting Was Triggered Only After Third-Party Notification: The fact that disclosure occurred only after a third-party reminder indicates insufficient internal monitoring of audit findings.

  • Remediation description: Chunghwa Telecom mandated CCADB Policy 5.2 training (including the 72-hour disclosure rule) on January 23. Chunghwa Telecom added a CCADB Disclosure Decision Gate to the audit workflow (within 24 hours of receiving findings). Chunghwa Telecom also deployed an Audit-Finding Monitoring Dashboard.

  • Commitment summary: Chunghwa Telecom commits to ongoing maintenance of the audit workflow and continued use and improvement of the Audit-Finding Monitoring Dashboard, to ensure that findings from the annual WebTrust for CAs audit are disclosed as required by CCADB Policy.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-02-19.

Whiteboard: [ca-compliance] [policy-failure] [disclosure-failure] → [close on 2026-02-19] [ca-compliance] [policy-failure] [disclosure-failure]
Status: ASSIGNED → RESOLVED
Closed: 18 days ago
Resolution: --- → FIXED
Whiteboard: [close on 2026-02-19] [ca-compliance] [policy-failure] [disclosure-failure] → [ca-compliance] [policy-failure] [disclosure-failure]