WebPKI Observatory — Operational Risk

The WebPKI has experienced 1,428 documented security and compliance incidents across 54 certificate authorities, with misissuance accounting for 566 events and governance failures for 419. Only 22% of incidents are discovered through CA self-reporting, while 20% come from external researchers and 17% from automated scanning tools, revealing serious gaps in internal detection capabilities. Root programs directly discover just 4% of incidents despite their oversight role. In addition, 147 incidents involved policy violations and 114 involved disclosure failures that suggest deeper operational culture problems.
