The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Issue Handling Summary"

Various views and responsibilities in issue handling process

Note this is old and will be revised.

From here we link to more information on EGI Vulnerability Issue handling from various points of view.

The Reporters View summarises the process and responsibilities from the Reporter's point of view.

The SVG View summarises the process and responsibilities from the SVG point of view.

The Software Providers View summarises the process and responsibilities from the Software Provider's point of view.

The EGI MW Unit View summarises the process and responsibilities from the EGI Middleware Unit's point of view.

The Deployment View summarises the process and responsibilities of the NGIs and Sites deploying the Middleware in the EGI infrastructure.

Some Notes On Risk are also available.

The approved EGI Software Vulnerability Issue Handling Process (https://documents.egi.eu/document/3145) describes the process in detail. It was updated and approved by the EGI Operations Management Board on 17th December 2015, and further updated and approved by the EGI OMB in November 2017.

Revision as of 19:00, 12 May 2020


Issue Handling Summary


This page contains a very basic summary of the approved EGI Software Vulnerability Issue Handling Process. The process is currently evolving, with the addition of the Deployment Expert Group to help carry out vulnerability detection and handling, as the infrastructure has become increasingly inhomogeneous.

Reporting an issue

Anyone may report an issue by e-mail to

report-vulnerability (at) egi.eu

Investigation of an issue

If the issue has not been publicly announced, SVG contacts the software provider, and the software provider investigates (together with SVG members, the reporter and others, as relevant).

The relevance and effect in EGI are determined.

Risk Assessment

A Risk Assessment is then carried out by the RAT for all valid issues which are relevant to EGI, and the issue is placed in one of four risk categories:

  • Critical
  • High
  • Moderate
  • Low

Notes On Risk

Target Date Set

If the issue has not already been fixed, a target date for resolution is set; this is a fixed value for each risk category:

  • Critical - special procedure according to circumstances
  • High - 6 weeks
  • Moderate - 4 months
  • Low - 1 year

This allows the fixing of issues to be prioritised according to how serious they are. It is mainly relevant to software produced by members of EGI and by those collaborating with EGI.

Fixing the problem

It is then up to the developers and software distributors to ensure that the vulnerability is eliminated from the software available to the EGI infrastructure by the Target Date.

Advisory issued

An advisory is issued by SVG:

  • When the vulnerability is fixed, if EGI SVG is the main handler of vulnerabilities for this software or the software is in the EGI Repository, regardless of the risk. If the issue is not fixed by the target date, an advisory will normally be issued anyway; this is known as 'responsible disclosure'.
  • If the issue is 'Critical' or 'High' in the EGI infrastructure.
  • If we think there is a good reason to issue an advisory to the sites.

The Deployment Expert Group

The EGI infrastructure has become less homogeneous in recent years; more and more of the deployed software is not in-house, and the SVG risk assessment team knows less and less about the various software which is deployed. The Software Security Checklist is designed to help those selecting and deploying software choose software which is secure and well maintained, and deploy it in a secure manner. We now ask those who select and deploy software to help with the vulnerability handling of the software they choose, so that we can maintain our high standards of software vulnerability handling in an increasingly inhomogeneous environment. We therefore invite people to join the 'Deployment Expert Group' or DEG, to help us handle vulnerabilities in software deployed across the evolving infrastructure.