@david-shearer @amandavanceISC2 this Community site needs some love and attention when it comes to security. In particular, it is missing several "security headers". The site gets a failing grade of "D" [report here]. In comparison, the isc2.org site gets a grade of A [report here].
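For readers who want to reproduce the kind of check the post above is referring to, here is an added example (not part of the original thread, and not the scanner's own code) that parses a raw HTTP response, reports which widely recommended security headers are missing or configured weakly, and assigns a letter grade. The header list, the value checks, the one-year HSTS threshold and the A-to-F scale are this example's own assumptions, chosen to resemble what header scanners commonly report; the sample responses are constructed, not captured from any real site.

```python
"""Check an HTTP response for common security headers and grade it.

Added example; the header set, value checks and grading scale are assumptions
that mimic typical header scanners, not any particular scanner's rules.
"""
from __future__ import annotations

# Headers most scanners expect on an HTML page, with the reason each matters.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on repeat visits (HSTS)",
    "content-security-policy": "restricts script/frame sources (XSS, clickjacking)",
    "x-frame-options": "clickjacking defence for older browsers",
    "x-content-type-options": "stops MIME sniffing (must be 'nosniff')",
    "referrer-policy": "limits URL leakage to third parties",
    "permissions-policy": "disables unneeded browser features",
}

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age for a full score


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Parse the header block of an HTTP/1.1 response into a lower-cased dict.

    Only the text before the first blank line is read; the status line is
    skipped. Repeated headers are joined with ', ' as RFC 9110 allows.
    """
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _hsts_max_age(value: str) -> int | None:
    """Return the max-age directive of an HSTS value, or None if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_security_headers(headers: dict[str, str]) -> dict:
    """Report missing headers, present-but-weak headers, and a letter grade."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in EXPECTED_HEADERS if name not in h]
    weak: list[str] = []
    # A header that is present but permissive should not earn full credit.
    if "strict-transport-security" in h:
        age = _hsts_max_age(h["strict-transport-security"])
        if age is None or age < ONE_YEAR:
            weak.append("strict-transport-security: max-age below one year")
    if "content-security-policy" in h and "'unsafe-inline'" in h["content-security-policy"]:
        weak.append("content-security-policy: allows 'unsafe-inline'")
    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: value should be DENY or SAMEORIGIN")
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        weak.append("x-content-type-options: value should be nosniff")
    # Assumed scale: one point per header that is present and not weak.
    good = len(EXPECTED_HEADERS) - len(missing) - len(weak)
    grade = {6: "A", 5: "B", 4: "C", 3: "D"}.get(good, "F")
    return {"missing": missing, "weak": weak, "grade": grade}


# Constructed sample responses (not captured from any real site).
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n<html>...</html>"
)
PARTIAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), geolocation=(), microphone=()\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("bare", BARE_RESPONSE), ("partial", PARTIAL_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(parse_raw_headers(raw)))
```

Against a live site you would feed `parse_raw_headers` the output of `curl -sI https://example.invalid` (or the `headers` mapping from an HTTP client); the value checks matter because a scanner counts a 300-second HSTS max-age or a CSP with `'unsafe-inline'` as weak even though the header is technically present.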
Hello @AppDefects ,
Thank you for bringing this to our attention. We will have our security team review this information.
Need to take these types of scans with a grain of salt; they typically don't mean a whole lot.
Go scan dhs.gov, whitehouse.gov, etc.
Bottom line, I don't think we need to spend time and money on meeting these scans. Of course the overall security measures need to be in place, but not necessarily spending effort chasing some academic security standards.
JMHO,
If that site provides a reliable assessment this is certainly an embarrassment for (ISC)2.
Assuming the community site is still being 'developed' --- like I said in another post, it's like they employed the waterfall model, but re-ordered the phases --- perhaps we'll see this attended to shortly.
(I seem to be feeling over-optimistic today --- could have been something I ate... )
@Chuxing wrote: these types of scans, they typically don't mean a whole lot.
Unfortunately, we hear (la, la, la, la, la, not listening to you) a lot until something happens. Then it is on record that management knew about it and maybe they didn't do anything about it because someone told them not to. I wouldn't want to be in that position. I take AppSec very seriously. That is why I showed the comparison between sites and the differences in grades. Why should social media sites be a <blank>? The organization has a responsibility to protect your data and mine.
There's security risk, and there's risk management. For any realistic risk management, one has to evaluate the probability and the impact, then decide what the optimum risk treatment is. One of the risk treatments is acceptance.
It is my humble opinion that in this case, acceptance should be the treatment.
If ISC2 has unlimited resources, sure, go ahead to make the residual risk next to zero.
FWIW,
Lithium communities at other companies (Checkpoint, Cisco, Spotify, Sprint, Dell) get similar grades. It seems like the "AppSec" vulnerability and its response belong to Lithium, not (ISC)².
(ISC)²'s risk is most likely reputational damage from a supplier breach. Their mitigation is to minimize non-public information shared with suppliers and to include a "supplier breach" scenario in their Incident Response playbook so that they are prepared to quickly respond.
My guess/hope is that (ISC)² is only sharing first/last name, email and a list of certificates held (to be turned into badges). If true, @Chuxing is on the right track regarding the severity and appropriate response.
I do suggest that if one believes there to be exploit potential, the community is not the best place to start the conversation. Instead, one ought to follow responsible disclosure practices. That is, privately report the issue to the company, with a reasonable deadline, before you go public.
When was the last ISC2 security risk assessment performed and what were the results?