Purpose of the EGI Software Vulnerability Group (SVG)

'To minimize the risk of security incidents due to software vulnerabilities'

What does the EGI Software Vulnerability Group (SVG) do?

The largest activity is the running of a procedure for the handling of reported software vulnerabilities which are relevant to the EGI infrastructure. This includes vulnerabilities announced by major providers, as well as vulnerabilities in software which is developed by collaborating projects and organisations used in the EGI infrastructure. This includes software used to enable the sharing of distributed resources.

SVG handles vulnerabilities according to the EGI Software Vulnerability Issue Handling Process and our issue handling summary contains a brief summary of this process.

Advisories are issued by SVG as part of this process. These are usually initially only sent to sites, and only published publicly at least 4 weeks after fixes are available to sites. 

The EGI SVG collaborates with other partners to identify vulnerabilities and share information on vulnerabilities, in particular OSG

All those involved in the selection and deployment of software are strongly encouraged to be aware of software security aspects, be aware that software deployed should be under security maintenance and configured in a secure manner. We provide a Software Security Checklist to help with this.

Developers are strongly encouraged to write secure code, we provide some information and links on Secure Coding 

SVG also provides consultation on software vulnerabilities to the CSIRT team and other EGI groups.

Some information on Why do we need an an SVG?

What if you find a software vulnerability?

If you discover or become aware of a software vulnerability which is relevant to EGI,

Report it to report-vulnerability (at) egi.eu

This should be done whether it is a publicly announced vulnerability or a vulnerability you have discovered or become aware of.

This ensures SVG is aware of them, and able to assess the impact.

If it has not been announced publicly: --

DO NOT discuss on a mailing list - especially one with an open subscription policy or public archive

DO NOT post information on a web page

DO NOT publicise in any way - e.g. to the media

It is also important that you do not discuss publicly announced vulnerabilities' relevance to and impact on EGI publicly.

Security Incidents

If a vulnerability has been exploited, it is an incident, and is NOT handled by the EGI Software Vulnerability Group.

You should then follow the EGI CSIRT Incident Handling Procedure

Several people are in both the EGI Incident Response Task Force as well as the Software Vulnerability group, so sending to either will probably get forwarded quickly to the right people.