Difference between revisions of "SVG:RAT Issue Handling Instructions"
Line 17: | Line 17: | ||
* Enter into the Request Tracker - If the issue was not reported via the tracker, including adding a cc to the reporter in the tracker. | * Enter into the Request Tracker - If the issue was not reported via the tracker, including adding a cc to the reporter in the tracker. | ||
* If the issue is public and/or it concerns the operating system or software which comes with the operating system, and the | * If the issue is public and/or it concerns the operating system or software which comes with the operating system, and the csirt group as admin cc. | ||
csirt group as admin cc. | |||
* Acknowlege the Reporter - Let the reporter know that a real person is aware that the vulnerability has been reported - template ReporterAfterReport cc the Rat. | * Acknowlege the Reporter - Let the reporter know that a real person is aware that the vulnerability has been reported - template ReporterAfterReport cc the Rat. |
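Review bot: the bullet "If the issue is public and/or it concerns the operating system or software which comes with the operating system, and the csirt group as admin cc." is still missing its verb after the line join in this hunk; it reads as though "add" was dropped before "the csirt group", so suggest "..., add the csirt group as adminCC" (matching the "adminCC" spelling used elsewhere on the page). The same list also keeps the typo "Acknowlege" (should be "Acknowledge").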
Revision as of 17:52, 7 December 2010
RAT Issue Handling Instructions
This page is intended for RAT members to provide a summary of what to do when a software vulnerability has been reported. It is intended as a practical summary, to help the RAT carry out the process. Note that this is a first draft, and will probably change/improve as we follow the process.
The full process is described in the Software Vulnerability Issue Handling Process document.
Also note that common sense may be used, as not all issues are straightforward. The most important thing to remember is not to release information publicly that may be useful to an attacker. This page is intended to help the RAT handle standard vulnerability bugs in the middleware distributed by the EGI UMD (or IGE).
Issue Handling Templates are available to help the RAT inform the appropriate people. Note that contact details, i.e. e-mail addresses for the various software providers, will be forwarded to the RAT and updated when necessary.
When a new issue is reported
The RAT member on duty should:
- Enter the issue into the Request Tracker - if the issue was not reported via the tracker, this includes adding the reporter as a cc in the tracker.
- If the issue is public and/or it concerns the operating system or software which comes with the operating system, add the csirt group as adminCC.
- Acknowledge the Reporter - let the reporter know that a real person is aware that the vulnerability has been reported - template ReporterAfterReport, cc the RAT.
For issues concerning Grid middleware, or other software which comes with the middleware distributions,
- Contact the software provider and/or developers (according to the instructions/contacts for the particular software provider) - template SoftwareProviderAfterReport
- Add developer(s) as adminCC in the Request Tracker - so they can fully participate
For issues concerning the operating system or software which comes with the operating system, csirt members will contact the providers if necessary.
- Alert the RAT - template RATAfterReport.
This should be done as soon as possible.
Investigate Issue
Some RAT members with appropriate knowledge and experience, along with the software provider and developers, should investigate the issue, establish whether it is real, and determine what the effects of an exploit might be.
Information should be placed in the Request Tracker, either directly or as a reply to an e-mail from the tracker concerning the issue.
Risk Assessment
If the issue is valid, request a risk assessment from the RAT - template RATRequestRiskAssessment
RAT members should then look at this issue if they are able to, and provide their opinion of the Risk.
The Risk category is established by vote: each RAT member's opinion of the Risk Category (Critical, High, Moderate or Low) is treated as their vote. Apart from the case of 'Critical' issues, RAT members should have at least 24 hours to respond. The minimum number of RAT members who should normally look at the issue to establish the risk is 3, although in most cases it is hoped that more will respond. If any member considers the issue to be Critical, all RAT members who are at work should give priority to looking at the issue and give their opinion on the risk.
Set Target Date
After the risk category is established, the risk is set in the request tracker, and the target date is set.
- critical 3 days (a special process is carried out TBW)
- High 6 weeks
- Moderate 4 months
- Low 1 year
Inform the reporter of the issue of the outcome - template ReporterAfterRisk
Informing relevant people
Inform appropriate developers, software provider, packaging people, and EGI middleware unit - template FixingAlertAfterRisk
Add the software provider, packaging people, EGI middleware unit people as adminCC to the item
Details are available in the ListOfContacts.
The SVG RAT aims to get to this point within 4 working days.
Draft Advisory
The advisory should be drafted - it should alert the sites as to the problem the vulnerability may cause - but not provide information to allow an attacker to exploit the problem.
Template AdvisoryTemplateGeneral
The advisory should be agreed between the software providers, probably including the developers and the RAT.
Be willing to help
While it is not an SVG RAT activity to fix vulnerabilities - RAT members should be willing to give advice where appropriate if developers need it.
Release Advisory
The advisory should be released on the target date or when the problem is fixed.
(exact location TBD.)
The advisory should also be sent to the EGI CSIRT Team, Site security contacts, and NGI security contacts. (See contact information.)
Close issue
The issue is normally closed:
- If the problem is found to be invalid
- When the problem is fixed in the software available to the EGI infrastructure and an advisory has been issued
- If a decision has been made not to fix - in this case an advisory will be issued
- If the issue turns out to be operational, and not a software problem - an advisory will be sent out in conjunction with CSIRT