Document control

Area: ISM
Procedure status: FINALISED
Owner: EGI-CSIRT
Approvers: EGI Executive Board
Approval status: APPROVED
Approved version and date:
Statement: The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities.
Dissemination Level: TLP:WHITE - Public

Procedure reviews

The following table is updated after every review of this procedure.

Date        Review by        Summary of results        Follow-up actions / Comments
                                                       Import from EGI wiki

Overview

After a problem has been assessed as critical by EGI-CSIRT or SVG, and a solution or a mitigation is available, sites are required to take action. This procedure describes the required actions and the responsibilities of the involved parties.

Definitions

Please refer to the EGI Glossary for the definitions of the terms used in this procedure.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Entities involved in the procedure

  • SVG: svg-rat at mailman.egi.eu
  • EGI-CSIRT Security Officer on Duty: irtf at mailman.egi.eu
  • NGI Security Officer: NGI Security E-Mail as defined in Configuration Database
  • Resource Center: RC CSIRT E-Mail as defined in Configuration Database

Triggers

This procedure applies to Vulnerabilities assessed as CRITICAL by EGI-CSIRT/SVG. The assessment process and the resulting required steps for handling vulnerabilities are described in SEC02 Software Vulnerability Issue Handling.

Steps

Vulnerability affecting Resource Center services or resources

Each step lists the responsible entity, the action, the prerequisites (if any) and the time to comply.

Step 1
  Responsible: EGI-CSIRT / SVG
  Action: Send advisory as per SEC02 Software Vulnerability Issue Handling.
  Prerequisites: SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
  Time to comply: *

Step 2
  Responsible: Resource Center
  Action: Upgrade the affected software to a non-vulnerable version or apply mitigations.
  Prerequisites: Non-vulnerable version available or mitigation described in the advisory.
  Time to comply: 7 calendar days after Step 1

Step 3
  Responsible: EGI-CSIRT / Security Monitoring
  Action: Update Security Monitoring to check for vulnerable software versions/configurations.
  Prerequisites: Vulnerability detectable via Pakiti or a dedicated Nagios probe.
  Time to comply: *

Step 4
  Responsible: EGI-CSIRT Security Officer on Duty
  Action: For each RC that failed to comply with step 2, the EGI-CSIRT Security Officer on Duty opens an RT-IR ticket against the RC. Mails are sent from RT-IR to the RC CSIRT E-Mail and the NGI Security E-Mail as set in GOC-DB.
  Prerequisites: Failure to comply with step 2.
  Time to comply: *

Step 5.1
  Responsible: Resource Center
  Action: Any notified RC has to comply with the actions required by the EGI-CSIRT Security Officer on Duty to resolve the vulnerability. In particular, RCs are expected to respond to the ticket after having fixed the vulnerability and, when applicable, manually run the Pakiti client.
  Prerequisites: Vulnerable site notified during step 4.
  Time to comply: 3 working days after step 4

Step 5.2
  Responsible: NGI Security Officer
  Action: The NGI Security Officer/Management should coordinate the activities in their NGI, in particular follow up with unresponsive sites within the given target times.
  Prerequisites: none
  Time to comply: *

Step 6
  Responsible: EGI-CSIRT Security Officer on Duty
  Action: For each RC that failed to comply with step 5, the EGI-CSIRT Security Officer on Duty temporarily suspends it from the infrastructure by setting the Certification Status of this RC to Suspended in GOC-DB. The EGI-CSIRT Security Officer on Duty will inform the NGI Security Officer and EGI Operations of this action.
  Prerequisites: RC failing to comply with step 5.
  Time to comply: *

Step 7
  Responsible: Resource Center
  Action: Suspended RCs may request recertification as per PROC09 Resource Centre Registration and Certification.
  Prerequisites: RC suspended in step 6.
  Time to comply: *
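As an added illustration of what the version check in step 3 amounts to (example code written for this page, not Pakiti's, the Nagios probe's or EGI-CSIRT's own code): the script compares constructed installed-package entries in rpm `name-version-release` form with the first non-vulnerable version named in a constructed advisory, using an RPM-like segment-by-segment comparison, and reports the result in Nagios plugin style (exit code 0 for OK, 2 for CRITICAL). The package names, versions and advisory entries are made up for the example; a real check would take the installed list from the host and the fixed versions from the actual EGI-CSIRT/SVG advisory.

```python
"""Check installed package versions against an advisory's fixed versions.

Added example for this page, not Pakiti or EGI-CSIRT code. It mimics what a
Pakiti report or a dedicated Nagios probe does at step 3 of the procedure:
compare installed package versions with the first non-vulnerable version an
advisory names. All package names, versions and advisory entries below are
constructed sample data, not real EGI advisories.
"""
import re

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed advisory: package name -> first non-vulnerable version-release.
# Hypothetical values; a real advisory would name the actual fixed version.
ADVISORY = {
    "libexample": "2.4.1-3",
    "examplesvc": "1.10.0-1",
}

# Constructed list of installed packages in "name-version-release" form,
# similar to what `rpm -qa` prints on a worker node.
INSTALLED = [
    "libexample-2.4.1-2.el9",   # below the fixed release -> vulnerable
    "examplesvc-1.10.0-1.el9",  # at the fixed release -> not vulnerable
    "unrelated-0.9-1.el9",      # not covered by the advisory
]


def _segments(version):
    """Split a version string into comparable segments, RPM-style.

    Numeric runs compare as integers and sort above alphabetic runs; a version
    whose segments are a prefix of another's is the older one. Distribution
    tags such as ".el9" therefore compare as newer than an untagged release.
    """
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return [(1, int(p)) if p.isdigit() else (0, p) for p in parts]


def parse_installed(entry):
    """Split 'name-version-release' into (name, 'version-release').

    Package names may contain hyphens, so split from the right.
    """
    name, version, release = entry.rsplit("-", 2)
    return name, f"{version}-{release}"


def is_vulnerable(installed_version, fixed_version):
    """True when the installed version is strictly older than the fixed one."""
    return _segments(installed_version) < _segments(fixed_version)


def check_host(installed, advisory):
    """Return (exit_code, message, vulnerable) in Nagios plugin style.

    `vulnerable` lists (name, installed_version, fixed_version) for every
    package that is still below the advisory's fixed version.
    """
    vulnerable = []
    for entry in installed:
        name, version = parse_installed(entry)
        fixed = advisory.get(name)
        if fixed is not None and is_vulnerable(version, fixed):
            vulnerable.append((name, version, fixed))
    if vulnerable:
        detail = ", ".join(f"{n} {v} < {f}" for n, v, f in vulnerable)
        return CRITICAL, f"CRITICAL: vulnerable packages: {detail}", vulnerable
    return OK, "OK: no package below the advisory's fixed versions", vulnerable


if __name__ == "__main__":
    code, message, _ = check_host(INSTALLED, ADVISORY)
    print(message)
    raise SystemExit(code)
```

With the constructed data the check exits CRITICAL because `libexample` is at release 2 while the advisory fixes release 3; once the package is upgraded to 2.4.1-3 or later the same check returns OK, which is the state an RC should be in when it answers the RT-IR ticket in step 5.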

A diagram representing this procedure is available below as a PDF.