Difference between revisions of "Report Software Vulnerability"
| Line 1: | Line 1: | ||
== Software Vulnerability Handling == | == Software Vulnerability Handling == | ||
| − | Software Vulnerabilities found | + | Software Vulnerabilities found which are relevant to GridPP are handled by the EGI Software Vulnerability Group (SVG) according to the approved |
| − | [https://documents.egi.eu/document/ | + | [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ] |
| − | == | + | == Security Incidents == |
| − | If a vulnerability has been exploited it is a security incident and should be reported using the GridPP incident handling procedure, see[[Report_Security_Incident | Report Security Incident ]] | + | If a vulnerability has been exploited it is a security incident and should be reported using the GridPP incident handling procedure, see[[Report_Security_Incident | Report Security Incident ]]== What to do if you find a Software Vulnerability == |
| − | + | ||
| − | == What to do if you find a Software Vulnerability == | + | |
* '''DO NOT''' discuss on a mailing list - especially one with an open subscription policy or public archive | * '''DO NOT''' discuss on a mailing list - especially one with an open subscription policy or public archive | ||
| − | * '''DO NOT''' post information on a web page | + | * '''DO NOT''' post information on a web page |
* '''DO NOT''' publicise in any way - e.g. to the media | * '''DO NOT''' publicise in any way - e.g. to the media | ||
Report it immediately by e-mail to '''report-vulnerability at egi.eu''' | Report it immediately by e-mail to '''report-vulnerability at egi.eu''' | ||
| + | |||
| + | This is what you should do if you discover a vulnerability in software, or if you become aware of a vulnerability you think is important to GridPP and EGI. | ||
== What happens next == | == What happens next == | ||
| Line 23: | Line 23: | ||
You should normally receive a response from a member of the EGI SVG Risk Assessment Team (RAT) within a few hours or at least during the next working day if you report the issue outside working hours. | You should normally receive a response from a member of the EGI SVG Risk Assessment Team (RAT) within a few hours or at least during the next working day if you report the issue outside working hours. | ||
| − | The issue will then be investigated by the RAT and the software provider, and you are welcome to participate in this investigation. | + | The issue will then be investigated by the RAT and the software provider if appropriate, and you are welcome to participate in this investigation. |
This should establish whether the issue is real and what the potential effects of an exploit might be. | This should establish whether the issue is real and what the potential effects of an exploit might be. | ||
| Line 30: | Line 30: | ||
== More information == | == More information == | ||
| − | * [https://documents.egi.eu/document/ | + | * [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ] formally approved procedure |
* [https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary EGI SVG Wiki Issue Handling Summary] | * [https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary EGI SVG Wiki Issue Handling Summary] | ||
* [https://wiki.egi.eu/wiki/SVG SVG Wiki ] | * [https://wiki.egi.eu/wiki/SVG SVG Wiki ] | ||
*[[Security_Information | GridPP Wiki Security Information]] | *[[Security_Information | GridPP Wiki Security Information]] | ||
Revision as of 14:19, 5 January 2018
Contents
Software Vulnerability Handling
Software Vulnerabilities found which are relevant to GridPP are handled by the EGI Software Vulnerability Group (SVG) according to the approved
EGI Software Vulnerability Issue Handling Process
Security Incidents
If a vulnerability has been exploited it is a security incident and should be reported using the GridPP incident handling procedure, see Report Security Incident == What to do if you find a Software Vulnerability ==
- DO NOT discuss on a mailing list - especially one with an open subscription policy or public archive
- DO NOT post information on a web page
- DO NOT publicise in any way - e.g. to the media
Report it immediately by e-mail to report-vulnerability at egi.eu
This is what you should do if you discover a vulnerability in software, or if you become aware of a vulnerability you think is important to GridPP and EGI.
What happens next
You should normally receive a response from a member of the EGI SVG Risk Assessment Team (RAT) within a few hours or at least during the next working day if you report the issue outside working hours.
The issue will then be investigated by the RAT and the software provider if appropriate, and you are welcome to participate in this investigation. This should establish whether the issue is real and what the potential effects of an exploit might be.
If the issue is real and relevant to EGI then a risk assessment is carried out. The vulnerability is put into one of four risk categories, 'Critical', 'High', 'Moderate', or 'Low'. A target date for resolution is set according to the Risk Category.
More information
- EGI Software Vulnerability Issue Handling Process formally approved procedure
- EGI SVG Wiki Issue Handling Summary
- SVG Wiki
