
> In many regards, certificate authorities are audited comprehensively against industry-specific audit standards. Certificate authorities also routinely get hacked. Despite this, not a single certificate authority runs a bug bounty program, and of the major CAs, only GlobalSign and Let’s Encrypt even offer a security.txt to help disclose issues. Only an annual penetration is generally required of CAs.

These feel like the wrong metrics: the attackers who compromise CAs don't generally overlap in skillsets with people who engage in bug bounty programs, and (AFAIK) `security.txt` has had no significant adoption in the broader community.



Seems like you are saying that bug bounty researchers focus more on application security issues and not other types of security, which is certainly true, but [some % of] breaches occur via appsec issues and they’re what bit e-Tugra here.



