SVG:Issue Handling Summary
Issue Handling Summary
This page contains a very basic summary of the approved EGI Software Vulnerability Issue Handling Process.
Reporting an issue
Anyone may report an issue by e-mail to
report-vulnerability (at) egi.eu
Investigation of an issue
If the issue has not already been announced publicly, SVG contacts the software provider, and the software provider investigates it (together with SVG members, the reporter and others, as relevant).
The relevance of the issue to EGI and its effect on the EGI infrastructure are then determined.
A Risk Assessment is then carried out by the RAT for all valid issues which are relevant to EGI, and the issue is placed in one of four risk categories.
Target Date Set
If the issue has not already been fixed, the target date for resolution is set to a fixed value for each risk category:
- Critical - special procedure according to circumstances
- High - 6 weeks
- Moderate - 4 months
- Low - 1 year
This allows fixes to be prioritized according to how serious the issues are. This is mainly relevant to software produced by members of EGI and by those collaborating with EGI.
Fixing the problem
It is then up to the developers and software distributors to ensure that the vulnerability is eliminated from the software available to the EGI infrastructure by the target date.
Advisory is issued by SVG
- When the vulnerability is fixed, if EGI SVG is the main handler of vulnerabilities for this software or the software is in the EGI Repository, regardless of the risk category. If the issue is not fixed by the target date, an advisory will normally be issued anyway; this is known as 'responsible disclosure'.
- If the issue is 'Critical' or 'High' risk in the EGI infrastructure.
- If we think there is a good reason to issue an advisory to the sites.
Various views and responsibilities in issue handling process
From here we link to more information on the EGI Vulnerability Issue handling from various points of view.
(Note: these are currently being updated (26th April 2016).)
The Reporter's View summarises the process and responsibilities from the reporter's point of view.
The SVG View summarises the process and responsibilities from the SVG point of view.
The Software Provider's View summarises the process and responsibilities from the software provider's point of view.
The EGI MW Unit View summarises the process and responsibilities from the EGI Middleware Unit's point of view.
The Deployment View summarises the process and responsibilities of the NGIs and sites deploying the middleware in the EGI infrastructure.
Some Notes On Risk are also available.
The approved issue handling process
- The EGI Software Vulnerability Issue Handling Process describes the process in detail. It was updated and approved by the EGI Operations Management Board on 17th December 2015, and further updated and approved by the EGI OMB in November 2017.