SVG:Notes On Risk

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template RAT/Membership Documents Assessment Secure Coding Info for SVG members


Notes On Risk

This provides some notes on Risk Categories

The Risk Assessment Team (RAT) put each valid issue in 1 of 4 risk categories:

The RAT decides on the Risk category, according to their judgement. There is no fixed formula for setting the risk category. Various mitigating factors may lower the risk category, such as a vulnerability being difficult to exploit, or only being exploitable in rare circumstances. Certain situations may raise the risk category, such as a public exploit being available. The categories below are simply examples from past experience and discussions of which type of issue falls into which category.

Note that these properties refer to the potential for exploit, and have not been exploited.

Vulnerabilities which have been exploited are classed as Incidents and should be handled according to

by reporting to abuse (at)

Also see the EGI CSIRT Incident Reporting Wiki


Usually for a vulnerability to be assessed as 'Critical' the problem needs to be widespread, and not only affect a small number of sites.



e.g. hard to exploit buffer overflow
e.g. hard to exploit Race conditions


| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |

Personal tools