The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

From EGIWiki
 
Latest revision as of 15:20, 28 April 2016


RAT Issue Handling Templates contd


After investigation

After the investigation has concluded, and assuming the issue is valid, request a risk assessment from the RAT using the message below.

Subject: RAT Alert - request Risk Assessment for EGI RT <number>. Send with 'High' importance.

Dear RAT members,

Please take a look at the vulnerability EGI RT <number> concerning <xxx> 
and give your opinion on the risk. 

It is in the EGI request Tracker at

https://rt.egi.eu/rt/Ticket/Display.html?id=<ID for this case>

Guidelines on SVG's risk categories are at:

https://wiki.egi.eu/wiki/SVG:Notes_On_Risk

Please discuss the risk in the SVG-RAT list - this keeps the information on the 
discussion between ourselves - a summary and conclusions will be placed in the tracker.

It is useful to consider whether the risk is different for different types of deployment,
for example whether it differs when the software runs on a server rather than elsewhere.

Thank you, 

<RAT member sending message>

After Risk Assessment

For arranging resolution, send the message below to the S/W provider, developer(s), EGI/UMD and other contacts as appropriate (contacts may be revised).



Result of Risk Assessment for EGI RT issue <n> concerning <xxx>

------------------------------------------------------


Dear <Software Developers>, <UMD people if appropriate>

The Software Vulnerability concerning <xxx> has been assessed as <RISK> risk. Hence a target date for resolution
has been set to <n> <weeks/months> from now, to <date>. Please co-ordinate to ensure that this issue is resolved
in the middleware available for installation in the EGI infrastructure by this date. Please ensure that you do
not reveal information publicly which could be useful to an attacker.

Information is available in the EGI RT at 
https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>

You should be able to view this information. If you cannot or need further information then please ask.

We will draft an advisory, and would appreciate your input to ensure it is complete and correct.

The advisory will be located at 

https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-<rt number>

Please ensure that your release notes refer to this advisory.

Please also provide a link to your release notes for inclusion in the advisory (this may be done shortly
before you release the software) and let us know when you are about to release the software so that we 
can release the advisory when you release your software. 


Regards,

The EGI Software Vulnerability Group (SVG)


For software which is not produced by our collaborators, but which we need to ask them to fix, a bespoke mail will probably be needed. This is expected to be quite rare.


Inform the Reporter of the outcome

Dear <name>,

Re: Vulnerability issue concerning <xxx>

The EGI Software Vulnerability Group Risk Assessment Team has considered this issue and it has 
been assessed as <RISK> risk. An advisory will be released no later than <put target date here>.
 
You should receive a copy of the advisory.

Or:

The EGI Software Vulnerability Group Risk Assessment Team has considered this issue and
<appropriate other findings and action or not>


Regards,
The EGI Software Vulnerability Group

Advisory Template

Use the General Advisory Template



