The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:RAT Issue Handling Templates"
Jump to navigation
Jump to search
| (8 intermediate revisions by 2 users not shown) | |||
| Line 8: | Line 8: | ||
== When issue is reported == | == When issue is reported == | ||
Acknowledge the reporter - template ReporterAfterReport | |||
<pre> | <pre> | ||
Vulnerability Concerning <title> EGI RT # | Vulnerability Concerning <title> EGI RT # | ||
Dear <Name>, | Dear <Name>, | ||
Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> | Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> to the EGI Software Vulnerability Group. | ||
to the EGI Software Vulnerability Group. | |||
<any questions etc concerning this issue> | |||
We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take | We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of this information. | ||
note of this information. We will follow the approved EGI Software Vulnerability issue | We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: | ||
handling process which can be downloaded from: | |||
https://documents.egi.eu/public/ShowDocument?docid= | https://documents.egi.eu/public/ShowDocument?docid=3145 | ||
The process | The process may be summarised as follows:- | ||
Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu | Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu | ||
| Line 30: | Line 31: | ||
Please use this method in future if you did not do so in this case. | Please use this method in future if you did not do so in this case. | ||
The RAT, possibly along with the developers of the software involved, investigate the issue. | |||
You may be invited to participate in this investigation. | |||
If the issue is not found to be valid, or not relevant to EGI, we will tell you why. | |||
If the issue is not found to be valid, we will tell you why. | |||
If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue | If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue in one of four Risk Categories - | ||
in one of four Risk Categories - Critical, High, Moderate or Low. | Critical, High, Moderate or Low. | ||
If the issue has not been fixed, a target date for resolution is then set according to the Risk category. | |||
The information usually is passed to the relevant developers and software distributors who should try to | |||
ensure the problem is eliminated in time for the target date. | |||
We aim to do this within 4 working days. | We aim to do this within 4 working days. | ||
If an advisory is issued and you are the first to report this to us your name will be included in the advisory, | |||
unless you tell us you do not wish it to be included. You should receive a copy of any advisory issued. | |||
More information can be found on the EGI Software Vulnerability Group Wiki at | More information can be found on the EGI Software Vulnerability Group Wiki at | ||
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary | https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary | ||
< | Regards, | ||
The EGI Software Vulnerability Group | |||
</pre> | |||
Simple template for when we are alerted to a vulnerability that has been e.g. announced publicly | |||
<pre> | |||
Vulnerability Concerning <title> EGI RT # | |||
Dear <Name>, | |||
Thank you for alerting the EGI SVG to the vulnerability EGI RT # concerning <title of issue >. | |||
We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of | |||
this information. | |||
As this has been announced publicly, we will carry out a risk assessment, jointly with the EGI IRTF. | |||
The EGI IRTF will decide on the appropriate action, if any. If it is 'High' or 'Critical' in the | |||
EGI environment then an advisory is likely to be issued and updates in the infrastructure monitored. | |||
Regards, | Regards, | ||
The EGI Software Vulnerability Group | The EGI Software Vulnerability Group | ||
</pre> | </pre> | ||
Contact software | Contact the software developers - for SLA or other collaborating people who we know - template SoftwareDevelopersAfterReport | ||
<pre> | <pre> | ||
A possible software vulnerability has been reported in <X software>. | |||
<1 or 2 sentence description of problem reported> | |||
The information is being forwarded to you OR information can be viewed at: | The information is being forwarded to you OR information can be viewed at: | ||
https://rt.egi.eu/rt/Ticket/Display.html?id=<ID> | https://rt.egi.eu/rt/Ticket/Display.html?id=<ID> | ||
Please could you help us investigate and/or tell us which developers we should contact to investigate this? | Please could you help us investigate and/or tell us which developers we should contact to investigate this? | ||
---------------------------------------------------------------------- | |||
We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: | We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: | ||
https://documents.egi.eu/public/ShowDocument?docid= | https://documents.egi.eu/public/ShowDocument?docid=3145 | ||
The process can be summarised as follows:- | The process can be summarised as follows:- | ||
| Line 90: | Line 104: | ||
The RAT, along with the developers of the software involved, investigate the issue. | The RAT, along with the developers of the software involved, investigate the issue. | ||
If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue into one of four Risk Categories - Critical, High, Moderate or Low. | If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue into | ||
one of four Risk Categories - Critical, High, Moderate or Low. | |||
A target date for resolution is then set according to the Risk category. | A target date for resolution is then set according to the Risk category. | ||
| Line 96: | Line 111: | ||
We aim to do this within 4 working days. | We aim to do this within 4 working days. | ||
The information is then passed to the developers and software | The information is then passed to the developers and software distributors who should ensure the | ||
problem is eliminated in time for the target date. | problem is eliminated in time for the target date. | ||
An advisory should be issued when the problem is fixed, or on the Target date, whichever is the sooner. | |||
More information can be found on the EGI Software Vulnerability Group Wiki at | More information can be found on the EGI Software Vulnerability Group Wiki at | ||
| Line 111: | Line 126: | ||
The EGI Software Vulnerability Group (SVG) | The EGI Software Vulnerability Group (SVG) | ||
</pre> | </pre> | ||
For 3rd parties, who we know less well. Note this is an example, there may be a clear way of reporting | |||
provided on the software provider's web page. We should still say reporting on behalf of SVG, with some | |||
appropriate sentences and links. | |||
<pre> | <pre> | ||
Dear Sir or Madam, | |||
Dear | |||
I am e-mailing you on behalf of the European Grid Infrastructure (EGI) Software Vulnerability Group (SVG). | |||
A possible vulnerability in <software> has been reported to us. | |||
in | |||
(Any Relevant information) | |||
( Please would you give me the e-mail address for <package> security support? | |||
For obvious reasons I do not want to risk exposing this information inappropriately. | |||
the | |||
The EGI http://www.egi.eu/ Software Vulnerability group | |||
http://www.egi.eu/policy/groups/Software_Vulnerability_Group_SVG.html runs a process for handling software | |||
vulnerabilities reported. While our work is primarily designed to handle vulnerabilities in Grid Middleware, | |||
other vulnerabilities found in software used in the EGI infrastructure may also be reported to us and we pass | |||
the information on to the software suppliers, as well as considering the risk to the EGI infrastructure. | |||
Thank you, | Thank you, | ||
<name> on behalf of | |||
The EGI Software Vulnerability Group (SVG) | |||
</pre> | |||
Alert the rest of the RAT - in case they have not seen the notification - template RATAfterReport | |||
Alert the rest of the RAT - in case they have not seen the notification - | |||
<pre> | <pre> | ||
RAT Alert - New Vulnerability EGI RT no. | RAT Alert - New Vulnerability EGI RT no. | ||
Dear RAT members, | Dear RAT members, | ||
| Line 185: | Line 173: | ||
Please take a look at this issue, and consider whether you can volunteer to help | Please take a look at this issue, and consider whether you can volunteer to help | ||
with the investigation. | with the investigation. | ||
(add any other relevant info) | (add any other relevant info) | ||
Latest revision as of 19:57, 27 August 2019
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
RAT Issue Handling Templates
In all cases - contact information e-mailed to RAT members separately.
This page is included to help RAT members, and to keep the process (although of course not the specific vulnerabilities) transparent.
When issue is reported
Acknowledge the reporter - template ReporterAfterReport
Vulnerability Concerning <title> EGI RT # Dear <Name>, Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> to the EGI Software Vulnerability Group. <any questions etc concerning this issue> We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of this information. We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: https://documents.egi.eu/public/ShowDocument?docid=3145 The process may be summarised as follows:- Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu Please use this method in future if you did not do so in this case. The RAT, possibly along with the developers of the software involved, investigate the issue. You may be invited to participate in this investigation. If the issue is not found to be valid, or not relevant to EGI, we will tell you why. If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue in one of four Risk Categories - Critical, High, Moderate or Low. If the issue has not been fixed, a target date for resolution is then set according to the Risk category. The information usually is passed to the relevant developers and software distributors who should try to ensure the problem is eliminated in time for the target date. We aim to do this within 4 working days. If an advisory is issued and you are the first to report this to us your name will be included in the advisory, unless you tell us you do not wish it to be included. You should receive a copy of any advisory issued. More information can be found on the EGI Software Vulnerability Group Wiki at https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary Regards, The EGI Software Vulnerability Group
Simple template for when we are alerted to a vulnerability that has been e.g. announced publicly
Vulnerability Concerning <title> EGI RT # Dear <Name>, Thank you for alerting the EGI SVG to the vulnerability EGI RT # concerning <title of issue >. We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of this information. As this has been announced publicly, we will carry out a risk assessment, jointly with the EGI IRTF. The EGI IRTF will decide on the appropriate action, if any. If it is 'High' or 'Critical' in the EGI environment then an advisory is likely to be issued and updates in the infrastructure monitored. Regards, The EGI Software Vulnerability Group
Contact the software developers - for SLA or other collaborating people who we know - template SoftwareDevelopersAfterReport
A possible software vulnerability has been reported in <X software>. <1 or 2 sentence description of problem reported> The information is being forwarded to you OR information can be viewed at: https://rt.egi.eu/rt/Ticket/Display.html?id=<ID> Please could you help us investigate and/or tell us which developers we should contact to investigate this? ---------------------------------------------------------------------- We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: https://documents.egi.eu/public/ShowDocument?docid=3145 The process can be summarised as follows:- The RAT, along with the developers of the software involved, investigate the issue. If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue into one of four Risk Categories - Critical, High, Moderate or Low. A target date for resolution is then set according to the Risk category. We aim to do this within 4 working days. The information is then passed to the developers and software distributors who should ensure the problem is eliminated in time for the target date. An advisory should be issued when the problem is fixed, or on the Target date, whichever is the sooner. More information can be found on the EGI Software Vulnerability Group Wiki at https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary ---------------------------------------------------------------------- Thank you, The EGI Software Vulnerability Group (SVG)
For 3rd parties, who we know less well. Note this is an example, there may be a clear way of reporting
provided on the software provider's web page. We should still say reporting on behalf of SVG, with some
appropriate sentences and links.
Dear Sir or Madam, I am e-mailing you on behalf of the European Grid Infrastructure (EGI) Software Vulnerability Group (SVG). A possible vulnerability in <software> has been reported to us. (Any Relevant information) ( Please would you give me the e-mail address for <package> security support? For obvious reasons I do not want to risk exposing this information inappropriately. The EGI http://www.egi.eu/ Software Vulnerability group http://www.egi.eu/policy/groups/Software_Vulnerability_Group_SVG.html runs a process for handling software vulnerabilities reported. While our work is primarily designed to handle vulnerabilities in Grid Middleware, other vulnerabilities found in software used in the EGI infrastructure may also be reported to us and we pass the information on to the software suppliers, as well as considering the risk to the EGI infrastructure. Thank you, <name> on behalf of The EGI Software Vulnerability Group (SVG)
Alert the rest of the RAT - in case they have not seen the notification - template RATAfterReport
RAT Alert - New Vulnerability EGI RT no. Dear RAT members, As you may have seen, a new Vulnerability has been reported concerning <xxxx>. Please take a look at this issue, and consider whether you can volunteer to help with the investigation. (add any other relevant info) It is in the EGI request Tracker at https://rt.egi.eu/rt/Ticket/Display.html?id=<ID> Regards, <Name>
| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |
| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |