The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:RAT Issue Handling Templates"

From EGIWiki
Revision as of 18:04, 9 December 2010


RAT Issue Handling Templates


In all cases, contact information is e-mailed to RAT members separately.

This page is included to help RAT members, and to keep the process (although of course not the specific vulnerabilities) transparent.

When an issue is reported

Acknowledge the reporter - template ReporterAfterReport

Vulnerability Concerning <title> EGI RT #

Dear <Name>,

Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> 
to the EGI Software Vulnerability Group. 

We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take 
note of this information. We will follow the approved EGI Software Vulnerability issue 
handling process which can be downloaded from:

https://documents.egi.eu/public/ShowDocument?docid=47

The process can be summarised as follows:

Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu

Please use this method in future if you did not do so in this case.  


The RAT, along with the developers of the software involved, investigate the issue. 
You are invited to participate in this investigation.

If the issue is not found to be valid, we will tell you why. 

If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue 
in one of four Risk Categories - Critical, High, Moderate or Low.

A target date for resolution is then set according to the Risk category.

We aim to do this within 4 working days.

The information is then passed to the developers and software distributors, who should ensure the problem is eliminated in time for the target date. 

An advisory should be issued on or before the Target date, and you should receive a copy.

More information can be found on the EGI Software Vulnerability Group Wiki at
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary

Please let us know if you wish your name to appear on the advisory to be credited as the reporter 
of the problem should an advisory be issued.

<any questions etc concerning this issue>

Regards,

The EGI Software Vulnerability Group

Contact software providers - for Grid Middleware - template SoftwareProviderAfterReport

Possible vulnerability in <software> in <gLite/Unicore/ARC/other as appropriate> 

Dear <Software Provider's name and/or function>,


A possible software vulnerability has been reported in the <x> software. 

The information is being forwarded to you OR the information can be viewed at: 
https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>


Please could you help us investigate and/or tell us which developers we should contact to investigate this?  

and/or (if we know the developers):

We are also contacting 
<developer 1> (and <developer 2>) to investigate this.

----------------------------------------------------------------------
We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from:

https://documents.egi.eu/public/ShowDocument?docid=47

The process can be summarised as follows:

The RAT, along with the developers of the software involved, investigate the issue. 

If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue into one of four Risk Categories - Critical, High, Moderate or Low.

A target date for resolution is then set according to the Risk category.

We aim to do this within 4 working days.

The information is then passed to the developers and software distributors, who should ensure the 
problem is eliminated in time for the target date. 

A publicly readable advisory should be issued when the problem is fixed, or on the Target date, whichever is the sooner. 

More information can be found on the EGI Software Vulnerability Group Wiki at
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary

----------------------------------------------------------------------


Thank you, 


The EGI Software Vulnerability Group (SVG)

Contact the software developers - for Grid Middleware - template SoftwareDevelopersAfterReport


Possible vulnerability in <software> in <gLite/Unicore/ARC/other as appropriate> 

Dear <Software Provider's name and/or function>,


A possible software vulnerability has been reported in <x>. 

You have also been added to the item in the tracker, so you should receive an e-mail from 
the tracker.

<Either - paste information or - add person(s) to RT item and add link>

The information is being forwarded to you OR the information can be viewed at: 
https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>

--------------------------------------------------------------------------
We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from:

https://documents.egi.eu/public/ShowDocument?docid=47

The process can be summarised as follows:

The RAT, along with the developers of the software involved, investigate the issue. 

If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue 
in one of four Risk Categories - Critical, High, Moderate or Low.

A target date for resolution is then set according to the Risk category.

We aim to do this within 4 working days.

The information is then passed to the developers and software distributors, who should ensure 
the problem is eliminated in time for the target date. 

An advisory should be issued on or before the Target date. 

More information can be found on the EGI Software Vulnerability Group Wiki at
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary

--------------------------------------------------------------------------



Please participate with us to investigate this issue. 


Thank you, 

The EGI Software Vulnerability Group.




Alert the rest of the RAT - in case they have not seen the notification - template RATAfterReport

RAT Alert - New Vulnerability EGI RT no. 

(Possibly superfluous - RAT receives notification from RT)

Dear RAT members,

As you may have seen, a new Vulnerability has been reported concerning <xxxx>. 
Please take a look at this issue, and consider whether you can volunteer to help
with the investigation. 

It is in the EGI Request Tracker (RT) at

https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>

Please put information in the tracker - or respond to a tracker notification.

Regards,

<Name> 
