Jakob,

Please see https://groups.google.com/d/msg/mozilla.dev.security.policy/Q9whve-HJfM/lpwKQXOfAgAJ , which was already provided previously. It includes details regarding T-Systems areas of non-compliance that were:

1) Demonstrably not identified by the auditor
2) Covered by existing audit criteria
3) Sharing a similar root cause as this incident
Even if we accept a notion that an auditor would not have been looking for those issues at that time (despite the clear auditable criteria that existed), the examination of root cause reveals a common pattern shared with this incident, and a pattern where the auditor would have been responsible for the review of the changes as part of the certification scheme.

T-Systems has still not provided a satisfactory response to the questions raised by Gerv and Wayne in response to the past incident ( https://bugzilla.mozilla.org/show_bug.cgi?id=1391074 ), which, while separable from the concerns of TUVIT, should have factored into any such considerations - such as Gerv's prescient expectation of exactly this issue in https://bugzilla.mozilla.org/show_bug.cgi?id=1391074#c22

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

