
EGI CSIRT Information Disclosure Policy (draft)

From EGIWiki
Revision as of 17:07, 19 November 2010 by Cornwall

The principle of the disclosure policy is to maximize the security of the EGI infrastructure, and not to release information that compromises the security of other systems.

Note that the CSIRT has a 'traffic light' system (TLP) for information distribution: https://wiki.egi.eu/wiki/EGI_CSIRT:TLP

The EGI Software vulnerability issue handling process is available from https://documents.egi.eu/public/ShowDocument?docid=47 and has been approved by the EGI PMB and OMB.


CSIRT Members

For information learnt as a result of membership of the CSIRT team, CSIRT members MUST adhere to this policy.

For information on vulnerabilities in software found in the EGI UMD and the IGE, or any other software covered by a Service Level Agreement between software providers and EGI, CSIRT members MUST adhere to this policy.

For other information CSIRT strongly requests that members of the CSIRT team adhere to this policy, unless there is a good reason not to.

If a member finds a vulnerability

If a member of the CSIRT team finds a vulnerability, it should be reported to the appropriate software provider via an established mechanism for that software.

For vulnerabilities in the EGI UMD and the IGE or other software subject to an SLA between EGI and the software provider, vulnerabilities must be reported by e-mail to report-vulnerability (at) egi.eu.

Other vulnerabilities may be reported by this mechanism.

Non-disclosure

The CSIRT team will not publicly disclose information on vulnerabilities that is not already public when no software updates are available to resolve the vulnerability.

This includes:

  • The existence of vulnerabilities, subject to the exception below in the absence of a response from software providers.
  • Any exploit that a CSIRT member has written or become aware of. This includes exploits which are not already public even if the existence of a vulnerability is public.
  • Information or technical details that may help an attacker exploit the vulnerability or write an exploit.