Mercurial > farol > farol
annotate farol/templates/vulnerability/edit_involvement.j2 @ 50:496ae1e8e90c
Add Descriptions for edit_involvement
| author | Benoît Allard <benoit.allard@greenbone.net> |
|---|---|
| date | Tue, 07 Oct 2014 16:29:58 +0200 |
| parents | 4a9f23230eba |
| children |
| rev | line source |
|---|---|
| 0 | 1 {# |
| 2 # Description: | |
| 3 # Web Template used in Farol Design | |
| 4 # | |
| 5 # Authors: | |
| 6 # Benoît Allard <benoit.allard@greenbone.net> | |
| 7 # | |
| 8 # Copyright: | |
| 9 # Copyright (C) 2014 Greenbone Networks GmbH | |
| 10 # | |
| 11 # This program is free software; you can redistribute it and/or | |
| 12 # modify it under the terms of the GNU General Public License | |
| 13 # as published by the Free Software Foundation; either version 2 | |
| 14 # of the License, or (at your option) any later version. | |
| 15 # | |
| 16 # This program is distributed in the hope that it will be useful, | |
| 17 # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 19 # GNU General Public License for more details. | |
| 20 # | |
| 21 # You should have received a copy of the GNU General Public License | |
| 22 # along with this program; if not, write to the Free Software | |
| 23 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. | |
| 24 -#} | |
| 25 | |
| 26 {% extends "base.j2" %} | |
|
50
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
27 {% from "macros.j2" import textinput, textarea, selectinput, examples %} |
| 0 | 28 {% block title %}Edit Involvement{% endblock %} |
| 29 | |
| 30 {% set active = 'vulnerability' %} | |
| 31 | |
| 32 {% block content %} | |
|
50
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
33 <p>The <strong>Involvement</strong> container allows the document producers (or third party) to comment on their level of involvement in the vulnerability identification, scoping, and remediation process.</p> |
| 0 | 34 <form role="form" method="POST"> |
| 35 | |
|
50
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
36 {% call selectinput("party", "Party", parties, party) %} |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
37 <p>The attribute <em>Party</em> indicates the type of the producer issuing the status. It is identical to the <strong>Document Publisher</strong> attribute <em>Type</em>. Most of the time, both attributes will be the same because document producers will issue an <string>Involvement</strong> status on their own behalf. However, if the document producer wants to issue a status on behalf of a third party and use a different type from that used in <strong>Document Publisher</strong>, that use is allowed by the schema. If this is the case, <strong>Description</strong> should contain additional context regarding what is going on.</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
38 <dl class="dl-horizontal"> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
39 <dt>Vendor:</dt> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
40 <dd>Developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
41 <dt>Discoverer:</dt> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
42 <dd>Individuals or organizations that find vulnerabilities or security weaknesses. This includes all manner of researchers.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
43 <dt>Coordinator:</dt> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
44 <dd>Individuals or organizations that manage a single vendor’s response or multiple vendors’ responses to a vulnerability, a security flaw, or an incident. This includes all Computer Emergency/Incident Response Teams (CERTs/CIRTs) or agents acting on the behalf of a researcher.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
45 <dt>User:</dt> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
46 <dd>Everyone using a vendor’s product.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
47 <dt>Other:</dt> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
48 <dd>Catchall for everyone else. Currently this includes forwarders, republishers, language translators, and miscellaneous contributors.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
49 </dl> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
50 {% endcall %} |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
51 |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
52 {% call selectinput("status", "Status", statuses, status) %} |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
53 <p>The attribute <em>Status</em> indicates the level of involvement of Party.</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
54 <p>The child <strong>Description</strong> (below) is an optional element used to give context about the involvement or engagement of the <em>Party</em>.</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
55 <p>The final two status states, <samp>Contact Attempted</samp> and <samp>Not Contacted</samp>, are intended for use by document producers other than vendors (such as research or coordinating entities).</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
56 <p>Status types include:</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
57 <dl class="dl-horizontal"> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
58 <dt>Open:</dt><dd>This is the default status. It doesn’t indicate anything about the vulnerability remediation effort other than the fact that the vendor has acknowledged awareness of the vulnerability report. The use of this status by a vendor indicates that future updates from the vendor about the vulnerability are to be expected.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
59 <dt>Disputed:</dt><dd>This status indicates that the vendor disputes the vulnerability report in its entirety. Vendors should indicate this status when they believe that a vulnerability report regarding their product is completely inaccurate (that there is no real underlying security vulnerability) or that the technical issue being reported has no security implications.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
60 <dt>In Progress:</dt><dd>This status indicates that some hotfixes, permanent fixes, mitigations, workarounds, or patches may have been made available by the vendor, but more information or fixes may be released in the future. The use of this status by a vendor indicates that future information from the vendor about the vulnerability is to be expected.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
61 <dt>Completed:</dt><dd>The vendor asserts that investigation of the vulnerability is complete. No additional information, fixes, or documentation from the vendor about the vulnerability should be expected to be released.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
62 <dt>Contact Attempted:</dt><dd>The document producer attempted to contact the affected vendor.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
63 <dt>Not Contacted:</dt><dd>The document producer has not attempted to make contact with the affected vendor.</dd> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
64 </dl> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
65 <p>Each status is mutually exclusive—only one status is valid for a particular vulnerability at a particular time. As the vulnerability ages, a party’s involvement could move from state to state. However, in many cases, a document producer may choose not to issue CVRF documents at each state, or simply omit this element altogether. It is recommended, however, that vendors that issue CVRF documents indicating an open or in-progress <strong>Involvement</strong> should eventually expect to issue a document as Disputed or Completed.</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
66 {% endcall %} |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
67 {% call textarea("description", "Description", "", description, 10) %} |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
68 <p>The <strong>Description</strong> element will contain a thorough human-readable discussion of the <strong>Involvement</strong>.</p> |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
69 {{ examples(['Cisco acknowledges that the IronPort Email Security Appliances (ESA) and Cisco IronPort Security Management Appliances (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. A Mitigation is available.', 'We emailed the vendor on February 14, 2012 when the vulnerability was first discovered by our team.']) }} |
|
496ae1e8e90c
Add Descriptions for edit_involvement
Benoît Allard <benoit.allard@greenbone.net>
parents:
0
diff
changeset
|
70 {% endcall %} |
| 0 | 71 |
| 72 <button class="btn btn-primary" type="submit">{{ action or 'Update' }}</button> | |
| 73 <a class="btn btn-danger" href="{% if action=='Add' %}{{ url_for('.view', ordinal=ordinal) }}{% else %}{{ url_for('.view_involvement', ordinal=ordinal, index=index) }}{% endif %}">Cancel</a> | |
| 74 </form> | |
| 75 {% endblock %} |