Difference between revisions of "SVG:RAT Issue Handling Templates contd"
Latest revision as of 15:20, 28 April 2016
RAT Issue Handling Templates contd
After investigation
After the investigation has concluded, and assuming the issue is valid, request a risk assessment from the RAT.

Subject: RAT Alert - request Risk Assessment for EGI RT <number>
Send with 'High' importance.

Dear RAT members,

Please take a look at the vulnerability EGI RT <number> concerning <xxx> and give your opinion on the risk.

It is in the EGI Request Tracker at https://rt.egi.eu/rt/Ticket/Display.html?id=<ID for this case>

Guidelines on SVG's risk categories are at: https://wiki.egi.eu/wiki/SVG:Notes_On_Risk

Please discuss the risk in the SVG-RAT list - this keeps the discussion between ourselves - a summary and conclusions will be placed in the tracker.

It is useful to consider whether the risk is different for different types of deployment, for example whether it is different on a server or elsewhere.

Thank you,
<RAT member sending message>
After Risk Assessment
For arranging resolution - Send to S/W provider, developer(s), EGI/UMD and other contacts as appropriate (contacts may be revised)
Result of Risk Assessment for EGI RT issue <n> concerning <xxx>
------------------------------------------------------

Dear <Software Developers>, <UMD people if appropriate>

The software vulnerability concerning <xxx> has been assessed as <RISK> risk. Hence a target date for resolution has been set to <n> <weeks/months> from now, to <date>.

Please co-ordinate to ensure that this issue is resolved in the middleware available for installation in the EGI infrastructure by this date.

Please ensure that you do not reveal information publicly which could be useful to an attacker.

Information is available in the EGI RT at https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>
You should be able to view this information. If you cannot, or need further information, then please ask.

We will draft an advisory, and would appreciate your input to ensure it is complete and correct.

The advisory will be located at
https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-<rt number>

Please ensure that your release notes refer to this advisory.

Please also provide a link to your release notes for inclusion in the advisory (this may be done shortly before you release the software), and let us know when you are about to release the software so that we can release the advisory at the same time as your software.

Regards,
The EGI Software Vulnerability Group (SVG)
For software which is not produced by our collaborators, but which we need to ask them to fix, a bespoke mail will probably be needed. This is expected to be quite rare.
Inform the Reporter of the outcome
Dear <name>,

Re: Vulnerability issue concerning <xxx>

The EGI Software Vulnerability Group Risk Assessment Team has considered this issue and it has been assessed as <RISK> risk. An advisory will be released no later than <put target date here>. You should receive a copy of the advisory.

Or:

The EGI Software Vulnerability Group Risk Assessment Team has considered this issue and <appropriate other findings and action or not>

Regards,
The EGI Software Vulnerability Group
Advisory Template
Use the General Advisory Template