SVG:RAT Issue Handling Templates

From EGIWiki
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

RAT Issue Handling Templates


In all cases - contact information e-mailed to RAT members separately.

This page is included to help RAT members, and to keep the process (although of course not the specific vulnerabilities) transparent.

When issue is reported

Acknowledge the reporter - template ReporterAfterReport

Vulnerability Concerning <title> EGI RT #


Dear <Name>,

Thank you for reporting the potential vulnerability <ticket No> concerning <title of issue> to the EGI Software Vulnerability Group. 

<any questions etc concerning this issue>

We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of this information. 
We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from:

https://documents.egi.eu/public/ShowDocument?docid=3145

The process may be summarised as follows:-

Anyone may report a vulnerability, by e-mail to report-vulnerability@egi.eu

Please use this method in future if you did not do so in this case.  

The RAT, possibly along with the developers of the software involved, investigate the issue. 
You may be invited to participate in this investigation.

If the issue is not found to be valid, or not relevant to EGI, we will tell you why. 

If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue in one of four Risk Categories - 
Critical, High, Moderate or Low.

If the issue has not been fixed, a target date for resolution is then set according to the Risk category. 
The information usually is passed to the relevant developers and software distributors who should try to
ensure the problem is eliminated in time for the target date. 

We aim to do this within 4 working days.

If an advisory is issued and you are the first to report this to us your name will be included in the advisory, 
unless you tell us you do not wish it to be included. You should receive a copy of any advisory issued. 

More information can be found on the EGI Software Vulnerability Group Wiki at
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary


Regards,

The EGI Software Vulnerability Group

Simple template for when we are alerted to a vulnerability that has been e.g. announced publicly


Vulnerability Concerning <title> EGI RT #

Dear <Name>,

Thank you for alerting the EGI SVG  to the vulnerability EGI RT # concerning  <title of issue >.
We confirm that a member of our Risk Assessment Team (RAT) has seen this report and we take note of 
this information. 

As this has been announced publicly, we will carry out a risk assessment, jointly with the EGI IRTF. 
The EGI IRTF will decide on the appropriate action, if any.   If it is 'High' or 'Critical' in the 
EGI environment then an advisory is likely to be issued and updates in the infrastructure monitored. 

Regards,

The EGI Software Vulnerability Group

Contact the software developers - for SLA or other collaborating people who we know - template SoftwareDevelopersAfterReport


A possible software vulnerability has been reported in <X software>.

<1 or 2 sentence description of problem reported>

The information is being forwarded to you OR information can be viewed at: 
https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>

Please could you help us investigate and/or tell us which developers we should contact to investigate this?  


----------------------------------------------------------------------

We will follow the approved EGI Software Vulnerability issue handling process which can be downloaded from:

https://documents.egi.eu/public/ShowDocument?docid=3145

The process can be summarised as follows:-

The RAT, along with the developers of the software involved, investigate the issue. 

If the issue is valid, the RAT carries out a Risk Assessment which involves placing the issue into  
one of four Risk Categories - Critical, High, Moderate or Low.

A target date for resolution is then set according to the Risk category.

We aim to do this within 4 working days.

The information is then passed to the developers and software distributors who should ensure the 
problem is eliminated in time for the target date. 

An advisory should be issued when the problem is fixed, or on the Target date, whichever is the sooner. 

More information can be found on the EGI Software Vulnerability Group Wiki at
https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary

----------------------------------------------------------------------


Thank you, 


The EGI Software Vulnerability Group (SVG)



For 3rd parties, who we know less well. Note this is an example, there may be a clear way of reporting provided on the software provider's web page. We should still say reporting on behalf of SVG, with some appropriate sentences and links.


Dear Sir or Madam,

I am e-mailing you on behalf of the European Grid Infrastructure (EGI) Software Vulnerability Group (SVG). 

A possible vulnerability in <software> has been reported to us.

(Any Relevant information)
( Please would you give me the e-mail address for <package> security support?  
For obvious reasons I do not want to risk exposing this information inappropriately.  

The EGI http://www.egi.eu/ Software Vulnerability group  
http://www.egi.eu/policy/groups/Software_Vulnerability_Group_SVG.html runs a process for handling software 
vulnerabilities reported. While our work is primarily designed to handle vulnerabilities in Grid Middleware, 
other vulnerabilities found in software used in the EGI infrastructure may also be reported to us and we pass 
the information on to the software suppliers, as well as considering the risk to the EGI infrastructure. 

Thank you, 

<name> on behalf of

The EGI Software Vulnerability Group (SVG)


Alert the rest of the RAT - in case they have not seen the notification - template RATAfterReport

RAT Alert - New Vulnerability EGI RT no. 


Dear RAT members,

As you may have seen, a new Vulnerability has been reported concerning <xxxx>. 
Please take a look at this issue, and consider whether you can volunteer to help
with the investigation. 

(add any other relevant info)

It is in the EGI request Tracker at

https://rt.egi.eu/rt/Ticket/Display.html?id=<ID>

Regards,

<Name> 

| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |

| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |