Report Software Vulnerability

Latest revision as of 15:55, 3 August 2023

== Software Vulnerability Handling ==

Software vulnerabilities found which are relevant to GridPP are handled by the EGI Software Vulnerability Group (SVG) according to the [https://documents.egi.eu/document/3867 EGI Software Vulnerability Issue Handling Process].

== Security Incidents ==

If a vulnerability has been exploited, it is a security incident and should be reported using the GridPP incident handling procedure; see Report Security Incident.

== What to do if you find a Software Vulnerability ==

* '''DO NOT''' discuss on a mailing list - especially one with an open subscription policy or public archive
* '''DO NOT''' post information on a web page
* '''DO NOT''' publicize in any way - e.g. to the media

Report it immediately by e-mail to '''report-vulnerability at egi.eu'''

This is what you should do if you discover a vulnerability in software, or if you become aware of a vulnerability you think is important to GridPP and EGI.

== What happens next ==

You should normally receive a response from a member of the EGI SVG Risk Assessment Team (RAT) within a few hours, or at least during the next working day if you report the issue outside working hours.

The issue will then be investigated by the RAT and, if appropriate, the software provider, and you are welcome to participate in this investigation. This should establish whether the issue is real and what the potential effects of an exploit might be.

If the issue is real and relevant to EGI, a risk assessment is carried out. The vulnerability is put into one of four risk categories: 'Critical', 'High', 'Moderate', or 'Low'. A target date for resolution is set according to the risk category.

== More information ==

* [https://documents.egi.eu/document/3867 EGI Software Vulnerability Issue Handling Process]
* [https://confluence.egi.eu/display/EGIBG/Issue+Handling+Summary EGI SVG Wiki Issue Handling Summary]
* [https://ims.egi.eu/pages/viewpage.action?pageId=82380236 The EGI Software Vulnerability Group]
* [[Security_Information | GridPP Wiki Security Information]]