Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @


From EGIWiki
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

SVG View

Software Vulnerability Group (SVG) view and responsibilities concerning issue handling

The vulnerability issue handling process is mostly carried out by the SVG Risk Assessment Team or RAT.

Setup and maintain infrastructure

It is the SVG's responsibility to setup and maintain the infrastructure needed to carry out the software vulnerability issue handling. This includes the mailing list for resporting issues, mailing list for the RAT to investigate and assess issues, this wiki and the mechanism for distributing advisories. (Note that these will be on sites hosted by EGI). It also involves ensuring that contact details for various software providers are at hand and readily available.

Provide a rota for working days

SVG will try and ensure that at least 1 RAT member is available on all working days. Note that the SVG does not guarantee cover on all working days, but aims to do so.

Handle potential vulnerabilities reported

Issues will be handled according to the OMB approved Software Vulnerability Group issue handling process EGI Software Vulnerability Issue Handling Process

This includes:

  • Investigation of issue - with the software provider
  • Risk Assessement - placing in 1 of 4 risk Categories - Critical, High, Moderate or Low
  • Setting the Target Date - Critical 3 days, High 6 weeks, Moderate 4 months, Low 1 year
  • Alerting the Software provider, Reporter, EGI Middleware Unit of the Risk Category and Target date.
  • Draft Advisory
  • Release Advisory on the Target Date, or when the issue is resolved in the EGI UMD, whichever is the sooner.

Provide advice where needed on the resolution of vulnerabilities

It is not an SVG function to fix vulnerabilities, but SVG will try and provide help and advice on how to eliminate vulnerabilities if it is needed.

RAT members instructions

RAT issue Handling Instructions contains information and templates to help RAT members carry out the issue handling process.

| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |