Report Software Vulnerability
== Software Vulnerability Handling ==
Software Vulnerabilities found which are relevant to GridPP are handled by the EGI Software Vulnerability Group (SVG) according to the approved
If a vulnerability has been exploited it is a security incident and should be reported using the GridPP incident handling procedure, see Report Security Incident.

== What to do if you find a Software Vulnerability ==
- DO NOT discuss on a mailing list - especially one with an open subscription policy or public archive
- DO NOT post information on a web page
- DO NOT publicise in any way - e.g. to the media
Report it immediately by e-mail to report-vulnerability at egi.eu
This is what you should do if you discover a vulnerability in software, or if you become aware of a vulnerability you think is important to GridPP and EGI.
== What happens next ==
You should normally receive a response from a member of the EGI SVG Risk Assessment Team (RAT) within a few hours, or during the next working day if you report the issue outside working hours.
The issue will then be investigated by the RAT and the software provider if appropriate, and you are welcome to participate in this investigation. This should establish whether the issue is real and what the potential effects of an exploit might be.
If the issue is real and relevant to EGI then a risk assessment is carried out. The vulnerability is put into one of four risk categories, 'Critical', 'High', 'Moderate', or 'Low'. A target date for resolution is set according to the Risk Category.
- EGI Software Vulnerability Issue Handling Process formally approved procedure
- EGI SVG Wiki Issue Handling Summary
- SVG Wiki