Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Issue Handling Summary"

From EGIWiki
Jump to navigation Jump to search
Line 21: Line 21:
* Moderate  
* Moderate  
* Low
* Low
[[ SVG:Notes on Risk |Notes on Risk ]]


== Target Date Set ==
== Target Date Set ==

Revision as of 14:23, 19 April 2011

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Issue Handling Summary


This page contains a very basic summary of the EGI Software Vulnerability Issue handling process

Reporting an issue

Anyone may report an issue - by e-mail to

report-vulnerability (at) egi.eu

Investigation of an issue

After reporting, the issue is investigated by the Risk Assessment Team (RAT) and the software provider. This should establish whether the issue is real and what the potential effects of an exploit might be.

Risk Assessment

A Risk Assesment is then carried out by the RAT for all valid issues, where the issue is placed in 1 of 4 risk categories

  • Critical
  • High
  • Moderate
  • Low

Notes on Risk

Target Date Set

The target date for resolution is set to a fixed value for each risk category

  • Critical - 3 days
  • High - 6 weeks
  • Moderate - 4 months
  • Low - 1 year

This allows the prioritization of fixing of issues, according to how serious they are.

Fixing the problem

It is then up to the developers and software distributers to ensure the vulnerability is eliminated from the software available to the EGI infrastructure in time for the Target Date.

Advisory issued

An advisoriy is produced when the vulnerability is eliminated or on the target date, whichever is the sooner. This is known as 'responsible disclosure'

Various views and responsibilities in issue handling process

From here we link to more information on the EGI Vulnerability Issue handling from various points of view.

The Reporters View summarises the process and responsibilities from the Reporters point of view.

The SVG View summarises the process and responsibilities from the SVG point of view.

The Software Providers View summarises the process and responsibilities from the Software Providers point of view.

The EGI MW Unit View summarises the process and responsibilities from the EGI Middleware Unit's view.

The CSIRT View summarises the process and responsibilities from the CSIRT view.

The Deployment View summarises the process and responsibilities of the NGIs and Sites deploying the Middleware in the EGI infrastructure.

Some Notes On Risk are also available

The approved issue handling process document describes the process in detail


| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |