The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Software Providers View"
| Line 1: | Line 1: | ||
{{svg-header}} | {{svg-header}} | ||
== Software providers agree to an SLA == | == Software providers agree to an SLA == | ||
| Line 6: | Line 6: | ||
In order that their software is included in the EGI UMD, software providers agree to a Service Level Agreement (SLA). For members of EGI, this can be read from | In order that their software is included in the EGI UMD, software providers agree to a Service Level Agreement (SLA). For members of EGI, this can be read from | ||
* [https://documents.egi.eu/document/212 Service Level Agreement] | * [https://documents.egi.eu/document/212 Service Level Agreement] | ||
In summary, software providers agree: | In summary, software providers agree: | ||
| Line 31: | Line 30: | ||
The software providers should review the advisory, and ensure it is accurate. | The software providers should review the advisory, and ensure it is accurate. | ||
== If software providers find a vulnerability == | |||
If software providers find a vvulnerability they must ensure that appropriate action is taken in a timely manner, and not release information on it prior to a patch being available in the UMD without agreement from the SVG. | |||
There are 2 options if software providers find a vulnerability in their own software: | |||
* Report it to SVG as soon as it is found. It will then be treated in the same way as any other vulnerability | |||
* Fix the vulnerability prior to informing SVG. | |||
== Software providers supply RAT members == | |||
The larger software providers supply members to the RAT. Thus they help provide a secure infrastructure. | |||
{{svg-issue-views}} | {{svg-issue-views}} | ||
Revision as of 17:36, 28 October 2010
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Software Providers View
Software providers agree to an SLA
In order that their software is included in the EGI UMD, software providers agree to a Service Level Agreement (SLA). For members of EGI, this can be read from
In summary, software providers agree:
- Suspected vulnerabities found in their software are handled using the EGI SVG issue handling process
- To provide contact details, and keep them up to date
- To respond when asked by SVG as soon as possible - or at least within 2 working days
Software providers co-operate with the investigation
Software providers should help with the investigation of a potential vulnerability to find whether it is real or not, what the consequences of an exploit might be, and in what circumstances it may be exploited.
Await Risk Assessment
After investigation, the software providers will await a risk assessment.
Fix the software
If the vulnerability is real, fix the software and co-ordinate with certification people, as well as the EGI Middleware unit to ensure that the vulnerability is eliminated in the software available in the EGI UMD by the Target Date.
Review Advisory
The software providers should review the advisory, and ensure it is accurate.
If software providers find a vulnerability
If software providers find a vvulnerability they must ensure that appropriate action is taken in a timely manner, and not release information on it prior to a patch being available in the UMD without agreement from the SVG.
There are 2 options if software providers find a vulnerability in their own software:
- Report it to SVG as soon as it is found. It will then be treated in the same way as any other vulnerability
- Fix the vulnerability prior to informing SVG.
Software providers supply RAT members
The larger software providers supply members to the RAT. Thus they help provide a secure infrastructure.
| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |