The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Software Providers View"

From EGIWiki
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{svg-header}}
{{svg-header}}
{{under construction}}


== Software providers agree to an SLA ==
== Software providers which don't have a relationship with the EGI community ==


In order that their software is included in the EGI UMD, software providers agree to a Service Level Agreement (SLA). For members of EGI, this can be read from  
It is quite rare that vulnerabilities are first discovered and reported to us in software which is not written by collaborating projects or institutions, but it does happen occasionally. In this case we report the vulnerability to the Software Provider, in a way in which does not make it public, through whatever means the software provider does make available.
 
SVG will NEVER attempt to sell information.
 
We won't make information on a vulnerability public until it is fixed, or has reached the target date which is set according to the risk. 
 
== Software providers we have a relationship with, including those who provide software which is made available in the EGI UMD ==
 
In order that their software is included in the EGI UMD, software providers have in the past agreed to a Service Level Agreement (SLA). For members of EGI, this can be read from  
* [https://documents.egi.eu/document/212  Service Level Agreement]
* [https://documents.egi.eu/document/212  Service Level Agreement]


 
In summary, software providers agree:
In summary, software providers agree:


* Suspected vulnerabities found in their software are handled using the EGI SVG issue handling process
* Suspected vulnerabities found in their software are handled using the EGI SVG issue handling process
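Review bot: the unchanged sentence "For members of EGI, this can be read from" trails off straight into the link bullet; end it with a colon or rephrase it so the reference to the Service Level Agreement document reads as a sentence. The bullet "Suspected vulnerabities found in their software" misspells "vulnerabilities" in both the old and the new text, which is worth fixing while this paragraph is being edited.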
Line 22: Line 28:
== Await Risk Assessment ==
== Await Risk Assessment ==


After investigation, the software providers will await a risk assessment.
After investigation, assuming there is a vulnerability, the software providers will await a risk assessment.


== Fix the software ==
== Fix the software ==


If the vulnerability is real, fix the software and co-ordinate with certification people, as well as the EGI Middleware unit to ensure that the vulnerability is eliminated in the software available in the EGI UMD by the Target Date.
Assuming there is a vulnerability, fix the software and co-ordinate with their own certification people, as well as the EGI Middleware unit (if applicable) to ensure that the vulnerability is eliminated in the software available to the EGI infrastructure (in most cases in the UMD) by the Target Date.
Note that SVG does not have the manpower to test fixes, but relies on the software provider to fix the issue and test it.  


== Review Advisory ==
== Review Advisory ==


The software providers should review the advisory, and ensure it is accurate.
The software providers should review the advisory, and ensure it is accurate.
The software provider should also provide a link to the advisory in the release notes, and provide a link to the release notes for inclusion in the advisory.
Basicially, when the software is released the release notes contains a link to the advisory, and the advisory contains a
link to the release notes.
== If software providers find a vulnerability ==
If software providers find a vulnerability in their own software they must ensure that appropriate action is taken in a timely manner, and not release information on it prior to the problem being resolved in software available to the EGI infrastructure (in most cases in the UMD) without agreement from the SVG.
There are 2 options if software providers find a vulnerability in their own software:
* Report it to SVG as soon as it is found. It will then be treated in the same way as any other vulnerability
* Fix the vulnerability prior to informing SVG.
The former is preferred, as we can give an opinion on the risk fairly quickly, and it reduces the risk of a known vulnerability not been addressed in a timely manner.
== Software providers supply RAT members ==
The larger software providers supply members to the RAT. Thus they help provide a secure infrastructure.


{{svg-issue-views}}
{{svg-issue-views}}
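Review bot: in the added "Review Advisory" text, "Basicially" should be "Basically" and "the release notes contains a link" should be "contain"; in the new "If software providers find a vulnerability" section, "not been addressed" should read "not being addressed". The new headings "== If software providers find a vulnerability ==" and "== Software providers supply RAT members ==" are also missing the blank lines that separate every other heading in this page's markup.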

Latest revision as of 09:56, 29 April 2016


Software Providers View


Software providers which don't have a relationship with the EGI community

It is quite rare that vulnerabilities are first discovered and reported to us in software which is not written by collaborating projects or institutions, but it does happen occasionally. In this case we report the vulnerability to the software provider, in a way which does not make it public, through whatever means the software provider makes available.

SVG will NEVER attempt to sell information.

We won't make information on a vulnerability public until it is fixed, or until it has reached the target date, which is set according to the risk.

Software providers we have a relationship with, including those who provide software which is made available in the EGI UMD

In order that their software is included in the EGI UMD, software providers have in the past agreed to a Service Level Agreement (SLA). For members of EGI, this can be read from the Service Level Agreement document (https://documents.egi.eu/document/212).

In summary, software providers agree:

  • Suspected vulnerabilities found in their software are handled using the EGI SVG issue handling process
  • To provide contact details, and keep them up to date
  • To respond when asked by SVG as soon as possible, and at the latest within 2 working days

Software providers co-operate with the investigation

Software providers should help with the investigation of a potential vulnerability to find out whether it is real, what the consequences of an exploit might be, and under what circumstances it could be exploited.

Await Risk Assessment

After investigation, assuming there is a vulnerability, the software providers will await a risk assessment.

Fix the software

Assuming there is a vulnerability, software providers fix the software and co-ordinate with their own certification people, as well as with the EGI Middleware unit (if applicable), to ensure that the vulnerability is eliminated in the software available to the EGI infrastructure (in most cases in the UMD) by the Target Date. Note that SVG does not have the manpower to test fixes; it relies on the software provider to fix the issue and test it.

Review Advisory

The software providers should review the advisory, and ensure it is accurate.

The software provider should also provide a link to the advisory in the release notes, and provide a link to the release notes for inclusion in the advisory.

Basically, when the software is released the release notes contain a link to the advisory, and the advisory contains a link to the release notes.

If software providers find a vulnerability

If software providers find a vulnerability in their own software, they must ensure that appropriate action is taken in a timely manner, and must not release information on it before the problem is resolved in the software available to the EGI infrastructure (in most cases in the UMD) without agreement from the SVG.

There are 2 options if software providers find a vulnerability in their own software:

  • Report it to SVG as soon as it is found. It will then be treated in the same way as any other vulnerability
  • Fix the vulnerability prior to informing SVG.

The former is preferred, as we can give an opinion on the risk fairly quickly, and it reduces the risk of a known vulnerability not being addressed in a timely manner.

Software providers supply RAT members

The larger software providers supply members to the RAT. Thus they help provide a secure infrastructure.
