...

The result of triage is to produce a reduced set of vulnerability defects which can then be addressed by the appropriate developer or development team in order of priority ranking.

Estimated time for a triage process

While most security issues will be triaged during weekly Security Team meetings, it is also the responsibility of the Security Team to recognize when a reported vulnerability needs to be processed more urgently. When required, internal Slack communication and/or ad-hoc meetings will be used.

Assigning a vulnerability score

...

Multiple communication channels are available to the project

  • Slack channels: private or public
    → The nature of the vulnerability will determine which Slack channel(s) are used for notifications. For instance, if remediation and/or workarounds for a vulnerability require action to be taken by system operators, the #sys-ops channel will be used.
  • Email distribution list(s): FOLIO Sysops SIG
  • FOLIO Wiki Security Team Space
    → If warranted, whether due to impact, complexity, or other factors, wiki pages may be created to serve as a place to consolidate information and guidance. One example of this is Log4Shell.

Notification Timing

The timing of notifications depends on several factors, including the type of notification and the urgency of the vulnerability. Notifications are a shared responsibility among Security Team members. Availability will dictate which member sends a notification.

  • Acknowledgement - response time starts when the vulnerability is reported:
    • P1 vulnerability → As soon as possible, within 1 business day
    • P2 vulnerability → Within 1 week or sooner
    • > P2 vulnerability → Explicit notification not required; management and communication are handled within the JIRA issue
  • Workaround - response time starts when the vulnerability is acknowledged:
    • P1 vulnerability → As soon as possible, and no later than 2 business days
    • P2 vulnerability → As soon as available, and no later than 1 week
    • > P2 vulnerability → Explicit notification not required; management and communication are handled within the JIRA issue
    • If there is no additional guidance or workaround to provide within this timeframe, a message with a status update will be sent out.
  • Resolution:
    • P1 + P2 vulnerability → As soon as available
    • > P2 vulnerability → Explicit notification not required; management and communication are handled within the JIRA issue

Workflow Diagram