Report Software Vulnerability

From GridPP Wiki
Jump to: navigation, search

Software Vulnerability Handling

Software Vulnerabilities found which are relevant to GridPP are handled by the EGI Software Vulnerability Group (SVG) according to the

EGI Software Vulnerability Issue Handling Process

Security Incidents

If a vulnerability has been exploited it is a security incident and should be reported using the GridPP incident handling procedure, see Report Security Incident == What to do if you find a Software Vulnerability ==

  • DO NOT discuss on a mailing list - especially one with an open subscription policy or public archive
  • DO NOT post information on a web page
  • DO NOT publicize in any way - e.g. to the media

Report it immediately by e-mail to report-vulnerability at

This is what you should do if you discover a vulnerability in software, or if you become aware of a vulnerability you think is important to GridPP and EGI.

What happens next

You should normally receive a response from a member of the EGI SVG Risk Assessment Team (RAT) within a few hours or at least during the next working day if you report the issue outside working hours.

The issue will then be investigated by the RAT and the software provider if appropriate, and you are welcome to participate in this investigation. This should establish whether the issue is real and what the potential effects of an exploit might be.

If the issue is real and relevant to EGI then a risk assessment is carried out. The vulnerability is put into one of four risk categories, 'Critical', 'High', 'Moderate', or 'Low'. A target date for resolution is set according to the Risk Category.

More information