Difference between revisions of "SVG:Issue Handling Summary"
Revision as of 14:34, 7 October 2010
Issue Handling Summary
This page contains a very basic summary of the EGI Software Vulnerability Issue handling process.
Reporting an issue
Anyone may report an issue by e-mail to report-vulnerability (at) egi.eu
Investigation of an issue
After reporting, the issue is investigated by the Risk Assessment Team (RAT) and the software provider. This should establish whether the issue is real and what the potential effects of an exploit might be.
Risk Assessment
A Risk Assessment is then carried out by the RAT for all valid issues, and the issue is placed in one of four risk categories:
- Critical
- High
- Moderate
- Low
Target Date Set
The target date for resolution is set to a fixed value for each risk category:
- Critical - 3 days
- High - 6 weeks
- Moderate - 4 months
- Low - 1 year
This allows the fixing of issues to be prioritized according to how serious they are.
Fixing the problem
It is then up to the developers and software distributors to ensure the vulnerability is eliminated from the software available to the EGI infrastructure by the Target Date.
Advisory issued
An advisory is produced when the vulnerability is eliminated or on the target date, whichever is the sooner. This is known as 'responsible disclosure'.
Details for various views and responsibilities in the issue handling process
(TBW - with links etc)