SSL Certificate Is About To Expire - Medium-severity type vulnerabilities have been discovered by Mrityunjay Singh.

Disclosed by vihanapp

Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

Our certificates are set to auto renew. There is no action needed.

Summary by vihanapp

*Subject:* Disclosure Request for Bug Report: "SSL Certificate Is About to Expire"

Dear Sir,

I hope this message finds you well. Recently, I submitted a bug report through Bugcrowd regarding an SSL certificate issue on NASA's website (nasa.gov). The details of the bug are as follows:

**Bug Title:** SSL Certificate Is About To Expire

Description:

One of the TLS/SSL certificates used by your server is about to expire. Once the certificate has expired, most web browsers will present end-users with a security warning, asking them to manually confirm the authenticity of your certificate chain. Software or automated systems may silently refuse to connect to the server.

This alert is not necessarily caused by the server (leaf) certificate, but may have been triggered by an intermediate certificate. Please refer to the certificate serial number in the alert details to identify the affected certificate.

Impact:

If an application server detects an expired certificate with a system it is communicating with, the application server may continue processing data as if nothing happened, or the connection may be abruptly terminated. This could lead to:

  1. End-user confusion and reduction in trust due to security warnings from web browsers.
  2. Potential disruptions in automated systems or software relying on a secure connection to the server.

Steps to Reproduce:

  1. Navigate to the website (nasa.gov).
  2. Check the SSL/TLS certificate details.
  3. Note the expiration date of the certificate and the serial number provided in the alert details.

Requested Action:

I kindly request that you review this report and take the necessary steps to address the issue. Additionally, I would like to request the disclosure of my report once the issue has been resolved. Publicly disclosing the report would contribute to the security and transparency of NASA’s web services and could serve as a valuable reference for the wider cybersecurity community.

Contact Information:

For any further information or clarification needed, please feel free to reach out to me through my Bugcrowd profile or via this email.

Thank you very much for your attention to this matter. I appreciate the efforts of your team to maintain and improve the security of NASA’s digital assets.

Best regards,

Mrityunjay Singh
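
The check the report describes (expiry date and serial number for every certificate in the chain, since the alert may come from an intermediate rather than the leaf), written as an added example that is not part of the original report or of NASA's tooling. It runs offline on two constructed self-signed certificates standing in for a leaf and an intermediate; the function names, file names and the 30-day threshold are assumptions.

```sh
#!/bin/sh
# Added example: per-certificate expiry report for a PEM bundle (leaf + intermediates).

# make_cert DIR NAME DAYS: constructed self-signed sample certificate (not a real one).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=constructed-$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_sample_bundle DIR: 365-day "leaf" followed by a 10-day "intermediate".
make_sample_bundle() {
    make_cert "$1" leaf 365 && make_cert "$1" intermediate 10 &&
        cat "$1/leaf.pem" "$1/intermediate.pem" > "$1/bundle.pem"
}

# check_chain BUNDLE DAYS: one line per certificate with status, serial and notAfter.
# Returns 0 if all are valid past DAYS, 1 if any is expired or expiring, 2 on error.
check_chain() {
    cc_tmp=$(mktemp -d) || return 2
    cc_rc=0
    # Split the bundle into one file per certificate so each can be checked alone.
    awk -v d="$cc_tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/cert" n ".pem")}' "$1"
    for cc_f in "$cc_tmp"/cert*.pem; do
        [ -e "$cc_f" ] || { cc_rc=2; break; }   # no certificate found in bundle
        cc_serial=$(openssl x509 -in "$cc_f" -noout -serial | cut -d= -f2)
        cc_end=$(openssl x509 -in "$cc_f" -noout -enddate | cut -d= -f2)
        # -checkend exits non-zero when notAfter falls within the given seconds.
        if openssl x509 -in "$cc_f" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
            cc_status=OK
        else
            cc_status=EXPIRING; cc_rc=1
        fi
        printf '%s serial=%s notAfter=%s\n' "$cc_status" "$cc_serial" "$cc_end"
    done
    rm -rf "$cc_tmp"
    return "$cc_rc"
}

# Demo on the constructed bundle with a 30-day renewal threshold.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir" && check_chain "$demo_dir/bundle.pem" 30
rm -rf "$demo_dir"
```

Run on a schedule against the deployed bundle, the non-zero exit code gives an independent signal that auto-renewal has not fired for some certificate in the chain.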
