Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera.
但 Google 光是透過 Certificate Transparency 認為問題不僅於此 (於是認為 Symantec 的稽核不確實)，通報了其他主要的 Root Certificate 管理單位：
However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.
而 Symantec 再次稽核，這次就大爆炸，光是他們查出來的就有 164 個 SSL certificate 橫跨 76 個網域被簽出，並且有 2458 的不存在的 domain 被簽出：
Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.
Symantec 這次提供的報告包括了比較完整的資料，爆發的品牌包括了 Symantec 所有的產品：Verisign、Thawte、GeoTrust、Equifax (GeoTrust 下) 以及 RapidSSL。
由於沒辦法砍，所以 Google 直接下了幾個通牒，第一個是從 2016 六月開始所有簽出的 SSL certificate 都必須發紀錄到 Certificate Transparency (目前規範中只有 EV SSL certificate 有要求)，否則之後的簽出的 SSL certificate 不保證會動：
It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.
After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products.
再來是對報告要求補上為什麼稽核機制沒有偵測到，以及「每一次」為什麼沒有按照 Baseline Requirements (一般 SSL certificate 的規範) 以及 EV Guidelines (EV SSL Certificate 的規範) 的詳細資訊：
More immediately, we are requesting of Symantec that they further update their public incident report with:
- A post-mortem analysis that details why they did not detect the additional certificates that we found.
- Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
同時要求第三方稽核確認這次事件，而僅非 Symantec 自己稽核：
Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.
而且也清楚要求第三方稽核確認包括：簽的 public key 沒有任何時間點可以被 Symantec 員工取得 private key、Symantec 員工無法使用該項測試工具簽自己擁有 private key 的 SSL certificate、再次確認 Symantec 的稽核紀錄是無法被更改與刪除的。
The third-party security audit must assess:
- The veracity of Symantec’s claims that at no time private keys were exposed to Symantec employees by the tool.
- That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
- That Symantec’s audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.
We may take further action as additional information becomes available to us.
可以發現語氣非常硬，要不是 Symantec 的市占率這麼高，Google 大概也不會這麼費工...