EGI CSIRT Information Disclosure Policy (draft)
The principle of the disclosure policy is to maximize the security of the EGI infrastructure, and not to release information that compromises the security of other systems.
Note that CSIRT has a 'traffic light' system for information distribution: https://wiki.egi.eu/wiki/EGI_CSIRT:TLP
The EGI Software vulnerability issue handling process is available from https://documents.egi.eu/public/ShowDocument?docid=47 and has been approved by the EGI PMB and OMB.
CSIRT Members
For information learnt as a result of membership of the CSIRT team, CSIRT members MUST adhere to this policy.
For information on vulnerabilities in software found in the EGI UMD and the IGE, or any other software covered by a Service Level Agreement between software providers and EGI, CSIRT members MUST adhere to this policy.
For other information CSIRT strongly requests that members of the CSIRT team adhere to this policy, unless there is a good reason not to.
If a member finds a vulnerability
If a member of the CSIRT team finds a vulnerability, it should be reported to the appropriate software provider via an established mechanism for that software.
For vulnerabilities in the EGI UMD and the IGE or other software subject to an SLA between EGI and the software provider, vulnerabilities must be reported by e-mail to report-vulnerability (at) egi.eu.
Other vulnerabilities may be reported by this mechanism.
Non-disclosure
The CSIRT team will not publicly disclose information on vulnerabilities that is not already public when no software updates are available to resolve the vulnerability.
This includes:
- The existence of vulnerabilities, subject to the exception below for cases where software providers do not respond.
- Any exploit that a CSIRT member has written or become aware of. This includes exploits which are not already public even if the existence of a vulnerability is public.
- Information or technical details that may help an attacker exploit the vulnerability or write an exploit.