From 12f93b352b4d490202864ab2e2a294ac79020e8b Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Tue, 13 Sep 2016 07:48:56 +0200 Subject: [PATCH] Add Let's Encrypt incidents --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 2cf0db9..f113f06 100644 --- a/README.md +++ b/README.md 
@@ -78,6 +78,12 @@ This list is sorted alphabetically by the names of the Certificate Authorities. * __December 2015:__ The Kazakh government announces that it will require each citizen to install a custom Certificate Authority root, that will allow MITM attacks by the government. It's unclear what organization is tasked with maintaining the CA. ([source](http://www.slate.com/blogs/future_tense/2015/12/14/kazakhstan_wants_citizens_to_download_a_mandatory_national_security_certificate.html), [source](https://bugzilla.mozilla.org/show_bug.cgi?id=1229827)) +### Let's Encrypt + +* __December 7, 2015:__ A bug in Let's Encrypt's issuance software leads to potentially incorrect issuance of certificates to domains that disallow this through a [CAA DNS record](https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization). The issue is fixed in about 3 hours, and publicly disclosed (with fraudulent certificates revoked) within 15 hours. ([source](https://community.letsencrypt.org/t/caa-check-incident-december-7-2015/9633)) +* __May 16, 2016:__ A bug in Let's Encrypt's build tooling leads to an accidental disclosure of GitHub API keys, allowing anybody viewing Travis builds to push (malicious) code to the repository. Upon being reported, the key is invalidated, and the repository is audited for unauthorized changes (of which there turn out to be none). ([source](https://community.letsencrypt.org/t/github-api-key-leak-may-16-2016/16032)) +* __June 11, 2016:__ A bug in Let's Encrypt's mass-mailing software leads to an accidental disclosure of subscriber e-mail addresses while sending out an e-mail concerning updates to the Subscriber Agreement - every recipient receives the actual message, plus the e-mail addresses of all those before them. After 7618 e-mails, the e-mail script was terminated, and the bug was fixed. 
([source](https://community.letsencrypt.org/t/email-address-disclosures-june-11-2016/17025)) + ### National Informatics Centre (India) * __July 8, 2014:__ Google announces that it has detected fraudulently certificates for various Google domains, issued by the National Informatics Centre of India. The certificates were likely used for an MITM attack. ([source](https://security.googleblog.com/2014/07/maintaining-digital-certificate-security.html))
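Review bot: The June 11, 2016 entry switches from present tense ("every recipient receives the actual message") to past tense ("the e-mail script was terminated, and the bug was fixed"), while every other entry in this list, including the two Let's Encrypt entries added above it, narrates in the present tense ("The issue is fixed", "the key is invalidated"); suggest "After 7618 e-mails the script is terminated and the bug is fixed." In the December 7, 2015 entry, the wording drifts from "potentially incorrect issuance of certificates" to "fraudulent certificates revoked"; certificates issued by the CA's own software despite a CAA record disallowing it are misissued rather than fraudulent, so "misissued certificates revoked" would match the entry's own description and avoid implying a third-party attacker. Minor style point: the surrounding entries separate clauses with full stops or parentheses, so the spaced hyphen in "Subscriber Agreement - every recipient receives" could become a full stop or colon for consistency.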