1. There are no references to other sites or branding or contacts or even to eduGAIN.

True statement. No branding at all. Deliberately kept simple to minimize the risk of programming mistakes and vulnerabilities. I'd argue that the fact that the web site is running TLS and lives within the edugain.org domain space attests to its association with eduGAIN, but of course, it is debatable whether that is enough.

2. The text suggests you are timing a response and ranking us. I do have an issue with this because someone aimlessly clicking a link in an email without checking with colleagues or checking its validity is a potential information security risk to the organisation. Quick responses are not necessarily the best, and also we prioritise calls as I'd expect any service desk to, and responding to an automated check would figure much lower than a real security incident. Similarly, they could be categorised as spam by less experienced staff or someone who may not be aware of this security challenge, particularly as our calls to security@ are part of a wider ticketing system.

Ranking: True statement. The wording is possibly or even probably poor. We probably should not use the phrase "rank" anywhere. We took this from similar campaigns in other environments of collaborating CERT/CSIRTs. In fact this "scoring" will stay anonymous and will only be used to discuss desirable reaction times with the community in which this challenge was run. Nevertheless it has proven to add a gamification component to it :-) You will only get your own scoring. The results of other teams will only be used to check if we have an issue with the registered contact addresses, and/or if the foreseen communication methods do not work as expected.


