This describes the EGI Software Vulnerability Group issue handling process from the EGI Computer Security Incident Report Team EGI-CSIRT point of view.
Some members of the SVG Risk Assessment Team RAT are from the CSIRT Team.
CSIRT Team may report a vulnerability
CSIRT members may find a security problem that is due to a vulnerability in the EGI Middleware. In this case they may report the vulnerability, in which case they become Reporters.
If the CSIRT Incident Response Task Force (IRTF) is handling an incident, and the incident is due to a software vulnerability in the Grid Middleware, it should be reported to the SVG. A vulnerability that has caused an incident is likely to be classed as 'Critical' or at least 'High' risk. This will allow the appropriate interaction with the Grid Middleware software providers to take place.
The CSIRT Team will be informed of Critical Vulnerabilities
If a vulnerability is assessed by the SVG RAT as Critical, CSIRT will be informed. It will be handled according to the EGI Critical Vulnerability Handling process, which is a joint SVG/CSIRT process (currently in progress).
The CSIRT Team will be informed when advisories are issued
The EGI SVG will inform CSIRT when an advisory is issued. It will be copied to CSIRT.
The CSIRT Team will be informed of issues which will not be fixed
If an issue will not be fixed, for whatever reason, CSIRT will be informed with details of the problem and why it will not be fixed. This information will probably take the form of an advisory.
CSIRT Team may consult the RAT
The CSIRT team may see the RAT as a resource and may consult it as appropriate.
There are ongoing discussions on how SVG and CSIRT co-operate on vulnerabilities which do not involve Grid Middleware, e.g. issues with operating systems which have been made public.