Difference between revisions of "SVG:Reporters View"
Line 7: | Line 7: | ||
== What to do if you find a Software Vulnerability in the EGI infrastructure == | == What to do if you find a Software Vulnerability in the EGI infrastructure == | ||
Vulnerabilities are handled according to the approved [https://documents.egi.eu/document/2538 EGI Software Vulnerability Issue Handling Procedure] | |||
If it has not been publicly announced:-- | |||
'''DO NOT''' discuss on a mailing list - especially one with an open subsription policy or public archive | '''DO NOT''' discuss on a mailing list - especially one with an open subsription policy or public archive | ||
Line 16: | Line 18: | ||
'''IMMEDIATELY Report it to report-vulnerability (at) egi.eu''' | '''IMMEDIATELY Report it to report-vulnerability (at) egi.eu''' | ||
This can also be used to alert the SVG to issues announced publicly which are likely to be relevant to the EGI infrastructure. | |||
== If you have accidentally released information publicly == | == If you have accidentally released information publicly == | ||
Line 27: | Line 31: | ||
== The reporter receives information == | == The reporter receives information == | ||
The SVG will let the reporter know the outcome of the investigation and risk assessment, including the risk category and Target Date for resolution. | The SVG will let the reporter know the outcome of the investigation and risk assessment, including the risk category and Target Date for resolution. The reporter will receive a copy of the advisory, if one is issued. | ||
{{svg-issue-views}} | {{svg-issue-views}} |
Revision as of 10:36, 29 April 2016
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Reporters View
Reporters View and Responsibilities
This describes the reporters view and responsibilities.
What to do if you find a Software Vulnerability in the EGI infrastructure
Vulnerabilities are handled according to the approved EGI Software Vulnerability Issue Handling Procedure
If it has not been publicly announced:--
DO NOT discuss on a mailing list - especially one with an open subsription policy or public archive
DO NOT post information on a web page
DO NOT publicise in any way - e.g. to the media
IMMEDIATELY Report it to report-vulnerability (at) egi.eu
This can also be used to alert the SVG to issues announced publicly which are likely to be relevant to the EGI infrastructure.
If you have accidentally released information publicly
Let us know, and get it removed if possible, e.g. if you have put details on a public web page - please delete it.
Help and co-operate with the investigation
While there is no obligation to help with the investigation, it is often extremely helpful if the person who finds a vulnerability is able to assist with the investigation.
The reporter receives information
The SVG will let the reporter know the outcome of the investigation and risk assessment, including the risk category and Target Date for resolution. The reporter will receive a copy of the advisory, if one is issued.
| Issue Handling Summary |
Reporters |
SVG View |
Software Providers |
EGI MW Unit |
Deployment |
Notes on Risk |