...
The security contact shall respect the following base requirements:
- It is strongly recommended to use a dedicated email address for the security contact.
- Where possible, use the NREN's security function (local CERT/CSIRT). We will also accept a security capability specific to the federation service, provided the organization has a proper procedure for handling the communication.
- Notify the eduGAIN CSIRT <abuse@edugain.org>, which is the established security contact for the eduGAIN Service, in case of a federated security incident and for coordination (as required by [eduGAIN-sec-handbook]).
- Respond in a timely manner to requests for assistance with a security incident from the eduGAIN CSIRT or other eduGAIN Participants. The recommended response time is half a business day.
- Respect the Traffic Light Protocol [TLP] information disclosure policy and use it during incident response communications (ref. https://www.first.org/tlp).
- The contact needs to expect that the eduGAIN CSIRT runs periodic communication checks, which need to be handled like any other incident response communication.

[eduGAIN-sec-handbook] https://wiki.refeds.org/display/GROUPS/SIRTFI?preview=%2F44958353%2F65896525%2FeduGAIN+Security+Incident+Response+Handbook+v1.0.pdf