The following table is updated after every review of this procedure.
Table of contents
The purpose of this page is to provide instructions to the EGI SDIS team members part of the operations-vulnerability-handling SSO group on how to handle Security Vulnerability identified by CSIRT IRTF.
The main idea behind this handling is to make sure that sites are aware of the issue and working on it. Usually, sites that are showing good intention are not penalised even if the progress is not strictly within the procedure: SEC03 EGI-CSIRT Critical Vulnerability Handling.
Please refer to the EGI Glossary for the definitions of the terms used in this procedure.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Entities involved in the procedure
- CSIRT IRTF
- EGI SDIS team (former EGI Operations team)
- CSIRT IRTF identified a security vulnerability.
|Step#||Responsible||Action||Prerequisites, if any|
|1||IRTF||is responsible for:|
Dear security contact for XX-XX-XXX, This is a friendly reminder that we didn't receive any update about this ticket! Thanks,
|There is no acknowledgement or answer from the site|
|b||SDIS||There is an acknowledgement, but no solution announced|
|3||a||SDIS||A solution is said to be deployed|
|b||SDIS||suspends the site and closes the ticket.||After the due date, if there is still no answer/solution announced|