Dear LCG rollout, 

At the last EGEE conference it was agreed that a vulnerability issue
group should be setup.  I'm hoping some people in the LCG rollout list
may be interested in taking part. 

Here is a summary of how the vulnerability group will operate, at least
initially. 

-----------------------------------------------------------

We will form a vulnerability group. The purpose of the vulnerability
group is to inform developers and deployment people of vulnerabilities
as they are identified and encourage them to produce fixes or to reduce
their impact. Any vulnerability that has been exploited is considered an
incident, and should be escalated to incident response.

A subset of the vulnerability group will be a core group which manages
the group and ensures information is passed on to the appropriate
people.

The vulnerability group will log specific vulnerability issues they
become aware of or are informed of, discuss issues, and keep information
initially within the group. Members of the vulnerability group should
not pass information outside the group without first discussing it with
the core group, and only in very exceptional circumstances pass
information outside the group without the agreement of the core group.
Exceptional circumstances may include where after discussion with the
core group the issue of disclosure could not be resolved and the member
would be in breach of his own contract not to pass information on.  

If immediate action needs to be taken, appropriate deployment people
should be informed.

If a vulnerability cannot be fixed within about 45 days, a summary of
the nature of the vulnerability and a risk assessment will be produced
including a recommendation on whether or not the software should
continue to be deployed. This information will be passed on to
appropriate deployment people.  This is a compromise between going
public and keeping potential problems confidential, recognising the
current status of Grid software. 

If a vulnerability can be fixed quickly, information is passed on to the
appropriate deployment people. After a certain time (to allow the
deployment to be upgraded - suggest 3 weeks) this can be made public.

A private mailing list has been setup which members of the vulnerability
group can subscribe to.

A database has been setup, for entering and tracking vulnerabilities, to
which vulnerability group members will have read and write access. Other
people may enter a vulnerability they become aware of - but will not be
able to read the database. Non-members of the vulnerability group who
enter vulnerabilities should receive feedback.

This work will be carried out on a best efforts basis, we cannot make
any guarantees as manpower is limited.

---------------------------------------------------

I have setup a Savannah project called 'Grid Vulnerability issue
logging' at https://savannah.cern.ch/projects/grid-vul/
There are already 30 'bugs' in this.
If you wish to join you may request by logging onto Savannah - (Savannah
does not allow me to add people without the request in Savannah.) 

A Grid-vulnerability e-mail list is also available, please let me know
if you would like to join and I will add you.

We are still sorting out the methods for informing appropriate
deployment people, and who carries out appropriate risk analysis (by
discussion with the LCG OCST) and how we go about ensuring information
is passed onto appropriate developers.  However, we think that now is
the time to encourage more people to join in who are members of
appropriate grid projects.

Linda.

---------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
The Rutherford-Appleton Laboratory,
Chilton, DIDCOT, OX11 8EQ
England

Tel. 44/0 1235 44 6138

E-mail [log in to unmask]