Difference between revisions of "SVG:RAT Issue Handling Instructions"
Revision as of 17:53, 15 October 2010
RAT Issue Handling Instructions
This page is under construction.
This page is intended for RAT members to provide a summary of what to do when a software vulnerability has been reported. It is intended as a practical summary, to help the RAT carry out the process. Note that this is a first draft, and will probably change/improve as we follow the process.
The full process is described in the Software Vulnerability Issue handling process document.
Also note that common sense may be used, as not all issues are straightforward. The most important thing to remember is not to release information publicly that may be useful to an attacker.
When a new issue is reported
The RAT member on duty should:
- Enter into the Request Tracker - If the issue was not reported via the tracker, enter it there, including adding the reporter as a cc in the tracker.
- Acknowledge the Reporter - Let the reporter know that a real person is aware that the vulnerability has been reported - template ReporterAfterReport, cc the RAT.
- Contact software provider - template SoftwareProviderAfterReport
- Contact developer(s) - if possible - template SoftwareDevelopersAfterReport
- Alert the RAT - template RATAfterReport.
This should be done as soon as possible.
Enter appropriate people in tracker
Enter developers and software providers as adminCC for this issue in the Request Tracker after this is clearly established.
Investigate Issue
Some RAT members with appropriate knowledge and experience, along with the software provider and developers, should investigate the issue, establish whether it is real, and what the effects of an exploit might be.
Information should be placed in the Request Tracker, either directly or as a reply to an e-mail from the tracker concerning the issue.
Risk Assessment
If the issue is valid, request a risk assessment - template RATRequestRiskAssessment
Set Target Date
Draft Advisory
Template not written yet.
Release Advisory
Close issue