The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:RAT Issue Handling Templates"
Jump to navigation
Jump to search
| Line 12: | Line 12: | ||
<pre> | <pre> | ||
Vulnerability Concerning <title> EGI RT # | Vulnerability Concerning <title> EGI RT # | ||
Dear <Name>, | Dear <Name>, | ||
Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> | Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> to the EGI Software Vulnerability Group. | ||
to the EGI Software Vulnerability Group. | |||
<any questions etc concerning this issue> | |||
We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of this information. We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: | |||
The process | https://documents.egi.eu/public/ShowDocument?docid=2538 | ||
The process may be summarised as follows:- | |||
Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu | Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu | ||
Please use this method in future if you did not do so in this case. | Please use this method in future if you did not do so in this case. | ||
The RAT, along with the developers of the software involved, investigate the issue. | The RAT, along with the developers of the software involved, investigate the issue. | ||
You are invited to participate in this investigation. | You are invited to participate in this investigation. | ||
If the issue is not found to be valid, we will tell you why. | If the issue is not found to be valid, or not relevant to EGI, we will tell you why. | ||
If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue | If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue in one of four Risk Categories - Critical, High, Moderate or Low. | ||
in one of four Risk Categories - Critical, High, Moderate or Low. | |||
If the issue has not been fixed, a target date for resolution is then set according to the Risk category. The information is also passed to the developers and software distributers who should ensure the problem is eliminated in time for the target date. | |||
We aim to do this within 4 working days. | We aim to do this within 4 working days. | ||
If an advisory is issued and you are the first to report this to us your name will be included in the advisory, unless you tell us you do not wish it to be included. You should receive a copy of any advisory issued. | |||
More information can be found on the EGI Software Vulnerability Group Wiki at | More information can be found on the EGI Software Vulnerability Group Wiki at | ||
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary | https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary | ||
Regards, | Regards, | ||
The EGI Software Vulnerability Group | The EGI Software Vulnerability Group | ||
</pre> | </pre> | ||
Revision as of 11:47, 28 April 2016
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
RAT Issue Handling Templates
In all cases - contact information e-mailed to RAT members separately.
This page is included to help RAT members, and to keep the process (although of course not the specific vulnerabilities) transparent.
When issue is reported
Acknowlege the reporter - template ReporterAfterReport
Vulnerability Concerning <title> EGI RT # Dear <Name>, Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> to the EGI Software Vulnerability Group. <any questions etc concerning this issue> We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of this information. We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: https://documents.egi.eu/public/ShowDocument?docid=2538 The process may be summarised as follows:- Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu Please use this method in future if you did not do so in this case. The RAT, along with the developers of the software involved, investigate the issue. You are invited to participate in this investigation. If the issue is not found to be valid, or not relevant to EGI, we will tell you why. If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue in one of four Risk Categories - Critical, High, Moderate or Low. If the issue has not been fixed, a target date for resolution is then set according to the Risk category. The information is also passed to the developers and software distributers who should ensure the problem is eliminated in time for the target date. We aim to do this within 4 working days. If an advisory is issued and you are the first to report this to us your name will be included in the advisory, unless you tell us you do not wish it to be included. You should receive a copy of any advisory issued. More information can be found on the EGI Software Vulnerability Group Wiki at https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary Regards, The EGI Software Vulnerability Group
Contact the software developers - for Grid Middleware - template SoftwareDevelopersAfterReport
Possible vulnerability in <software> in <gLite/Unicore/ARC/other as appropriate> Dear < Software Providers name and/or function>, A possible software vulnerability has been reported in <x>. You have also been added to the item in the tracker, so you should receive an e-mail from the tracker. <Either - paste information or - add person(s) to RT item and add link> The information is being forwarded to you OR information can be viewed at: https://rt.egi.eu/rt/Ticket/Display.html?id=<ID> -------------------------------------------------------------------------- We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from: https://documents.egi.eu/public/ShowDocument?docid=717 The process can be summarised as follows:- The RAT, along with the developers of the software involved, investigate the issue. If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue in one of four Risk Categories - Critical, High, Moderate or Low. A target date for resolution is then set according to the Risk category. We aim to do this within 4 working days. The information is then passed to the developers and software distributers who should ensure the problem is eliminated in time for the target date. An advisory should be issued on or before the Target date. More information can be found on the EGI Software Vulnerability Group Wiki at https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary -------------------------------------------------------------------------- Please participate with us to investigate this issue. Thank you, The EGI Software Vulnerability Group.
Alert the rest of the RAT - in case they have not seen the notification - tempate RATAfterReport
RAT Alert - New Vulnerability EGI RT no. (Possibly superfluous - RAT receives notification from RT) Dear RAT members, As you may have seen, a new Vulnerability has been reported concerning <xxxx>. Please take a look at this issue, and consider whether you can volunteer to help with the investigation. (add any other relevant info) It is in the EGI request Tracker at https://rt.egi.eu/rt/Ticket/Display.html?id=<ID> Regards, <Name>
| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |
| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |