CSIRT View

This describes the EGI Software Vulnerability Group issue handling process from the EGI Computer Security Incident Report Team EGI-CSIRT point of view.

Some members of the SVG Risk Assessment Team RAT are from the CSIRT Team.

CSIRT Team may report a vulnerability

CSIRT members may find a security problem that is due to a vulnerability in the EGI Middleware. In this case they may report the vulnerability, in which case they become Reporters

If the CSIRT Inicent Response Task Force (IRTF) is handling an incident, and the incident is due to a software vulnerability in the Grid Middleware, it should be reported to the SVG. A vulnerability that has caused an incident is likely to be classed as 'Critical' or at least 'High' risk. This will allow the appropriate interaction with the Grid Middleware software providers to take place.

The CSIRT Team will be informed of Critical Vulnerabilities

If a vulnerability is assessed by the SVG RAT as Critical, CSIRT will be informed. It will be handled accoding to the EGI Critical Vulnerability Handling process - which is a joint SVG/CSIRT process (Currently in work)

The CSIRT Team will be informed when advisories are issued

The EGI SVG will inform CSIRT when an advisory is issued. It will be copied to CSIRT.

The CSIRT Team will be informed of issues which will not be fixed

If an issue will not be fixed, for whatever reason, CSIRT will be informed with details of the problem and why it will not be fixed. This information will probably take the form of an advisory.

CSIRT Team may consult the RAT

The CSIRT team may see the RAT as a resource and may consult as appropriate.

There are ongoing discussion on how SVG and CSIRT co-operate on vulnerabilities which do not involve Grid Middleware, e.g. issues with operating systems which have been made public.

| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |