The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Issue Handling Summary"

From EGIWiki
(Deprecate page)
{{svg-header}}
 
{{DeprecatedAndMovedTo|new_location=https://confluence.egi.eu/display/EGIBG/Issue+Handling+Summary}}
This page contains a very basic summary of the approved [https://documents.egi.eu/document/2538 EGI Software Vulnerability Issue Handling Process].
 
== Reporting an issue ==
 
Anyone may report an issue by e-mail to
 
'''report-vulnerability (at) egi.eu '''
 
== Investigation of an issue ==
 
If the issue has not already been announced publicly, SVG contacts the software provider, who investigates it (together with SVG members, the reporter and others, as relevant).
 
The relevance of the issue to EGI, and its effect on the EGI infrastructure, are determined.
 
== Risk Assessment ==
 
A Risk Assessment is then carried out by the RAT for all valid issues which are relevant to EGI, and the issue is placed in one of four risk categories:
 
* Critical
* High
* Moderate
* Low
 
[[SVG:Notes On Risk|Notes On Risk]]
 
== Target Date Set ==
 
If the issue has not already been fixed, the target date for resolution is set to a fixed value for each risk category:
* Critical - special procedure according to circumstances
* High - 6 weeks
* Moderate - 4 months
* Low - 1 year
 
This allows fixes to be prioritised according to how serious the issues are. It is mainly relevant to software produced by members of EGI and by those collaborating with EGI.
 
== Fixing the problem ==
 
It is then up to the developers and software distributors to ensure the vulnerability is eliminated from the software available to the EGI infrastructure by the Target Date.
 
== Advisory issued ==
 
An advisory is produced when the vulnerability is eliminated or on the target date, whichever is sooner. This is known as 'responsible disclosure'.
 
== Various views and responsibilities in issue handling process ==
 
From here we link to more information on the EGI Vulnerability Issue handling from various points of view.
 
(Note: these are currently being updated (10th Feb 2016).)
 
The [[SVG:Reporters View|Reporters View]] summarises the process and responsibilities from the Reporter's point of view.
 
The [[SVG:SVG View|SVG View]] summarises the process and responsibilities from the SVG point of view.
 
The [[SVG:Software Providers View|Software Providers View]] summarises the process and responsibilities from the Software Provider's point of view.
 
The [[SVG:EGI MW Unit View|EGI MW Unit View]] summarises the process and responsibilities from the EGI Middleware Unit's point of view.
 
The [[SVG:CSIRT View|CSIRT View]] summarises the process and responsibilities from the CSIRT point of view.
 
The [[SVG:Deployment View|Deployment View]] summarises the process and responsibilities of the NGIs and Sites deploying the Middleware in the EGI infrastructure.
 
Some [[SVG:Notes On Risk|Notes On Risk]] are also available.
 
The approved issue handling process document:
* [https://documents.egi.eu/document/2538 EGI Software Vulnerability Issue Handling Process] describes the process in detail. It has been updated and was approved by the EGI Operations Management Board on 17th December 2015.
 
{{svg-issue-views}}

Latest revision as of 14:23, 21 October 2021