On 2025-03-21, Let's Encrypt identified an instance where we failed to document an existing compensating control for a detected Critical Vulnerability which was not remediated within 96 hours of detection. This is a violation of Network and Certificate System Security Requirements, Version 1.7, Section 4 which states,
...
f. Document the factual basis for the CA’s determination that the vulnerability does not require remediation because: i. the CA disagrees with the NVD rating, ii. the identification is a false positive, iii. the exploit of the vulnerability is prevented by compensating controls or an absence of threats; or iv. other similar reasons.
We have posted our preliminary incident report to Bugzilla here: 1955721 - Let's Encrypt: Failure to Document Analysis of Detected Vulnerabilities
Please follow that bug for updates.