LAST UPDATE | 16 JULY 2020
CiviCERT is an international network of rapid responders, digital security help desks, and infrastructure providers focused on supporting individuals, groups, and organizations striving towards social justice and the defense of human and digital rights. It is a professional framing for the rapid response community’s distributed CERT-like efforts, accredited by Trusted Introducer, the European network of trusted computer emergency response teams (CERTs).
Given its independent status outside of existing organizations, CiviCERT can be seen as a neutral coordinating center for technical civil society organizations, and is open and participatory as any civil society group can apply to join. Its current work includes:
- The Digital First Aid Kit (DFAK) – a resource for rapid responders, as well as a tool for contacting CiviCERT organizations
- A private encrypted mailing list, open only to trusted members, for confidential threat intelligence sharing
- A Malware Information Sharing Platform (MISP) instance reserved to trusted members
- The Suspicious Email Submitter project
- A dedicated Cukoo instance
- A dedicated Mattermost instance
- Members of CiviCERT have access to the above-mentioned encrypted mailing list, and MISP instance.
- Members will be listed in the civicert.org website.
- If they wish to, members of the trusted core are also listed in the DFAK website and have access to the DFAK gitlab repository.
- Members will be able to share cases without vetting and sharing sensitive information on threats, as well as manage CiviCERT membership and procedures.
- Members will have access to internal resources and knowledge base.
- Members will be invited to CiviCERT events.
- Members will have access to training and professional development opportunities.
- No members of CiviCERT may use CiviCERTs name, image, or other aspect of our identity to create a false or misleading impression that they are official representatives of CiviCERT; even if well-intentioned. If any member wishes to utilize the CiviCERT identity (or a separate identity that is similar enough to cause confusion) that member should provide qualifying language on their site which prominently and unambiguously states that they are not the official CiviCERT and act only as Members of the CiviCERT coordinating body
Procedure for joining:
- Adopt RaReNet Code of Conduct
- Adopt and sign CiviCERT’s vetting policy
- Adopt and sign CiviCERT’s information policy
- When policies are enforced, candidates can apply through 2 other existing CiviCERT members from different organizations vouching for them. If nobody objects in 1 month, membership will be granted.
- The member(s) from the network nominating a new member provides background information about that organization/group/person:
- How do you know this organization/group/person?
- Have you worked with them, on what?
- What would the added value of this organization/group/person for CiviCERT be?
- What rapid response services do they provide?
- After applying, potential CiviCERT members must join the RaReNet community while they make sure their procedures and policies enable them to join the trusted core; by joining RaReNet, they will be subscribed to the RaReNet mailing list and will be invited to public RaReNet events.
- Once the application has been accepted, the new member will sign the vetting and information management policy and provide the necessary information for civicert.org website and, if relevant, the Digital First Aid Kit.
Requirements for members:
- Members will send updates over the encrypted mailing list on the status of their work (requests, statistics, etc.) every 6 months or less. If no updates are sent for longer than 12 months, revocation of their membership can be initiated.
- Members who want to be included in the DFAK website will fill in a form with all the required information, including a list of provided services.
- Contributing to the maintenance and management of CiviCERT (infrastructure, accreditation, etc.).
This is not a level of trust: admins are selected from the members of CiviCERT. At least 2 people will be the admin for each of the following items, to ensure responsiveness:
- Encrypted list admin
- Encrypted list facilitation
- MISP instance admin
- Cukoo instance admin
- Civicert.org admin
- RaReNet.org admin
- Access to civicert first contact mailbox and website contact form
- Gitlab/DFAK admin
- Suspicious Email Submitter addons dev/admin
If a representant of an organization leaves, they should inform about a new colleague to join CiviCERT in their place.
Any member may leave the group at any time without the need to give any explanation. After leaving, all members will have to abide to the confidentiality agreement in the information management policy they signed when joining.
Termination of membership
If a member of CiviCERT
- does not send regular updates on the status of their activities within a year,
- does not contribute, when requested, to the shared expenses for infrastructure and Trusted Introducer membership fee,
- violates CiviCERT’s policies,
- violates the Rapid Response Network’s Code of Practice,
- or is reported by another member organization, who raises trust or security concerns regarding the member’s participation in CiviCERT,
their membership will be reviewed and potentially suspended. The member will have the opportunity to justify their violation of CiviCERT’s rules within six months of the suspension, after which the membership will be revoked.
Project coordination structure
The coordination of CiviCERT will be reduced to a minimum, especially after the deployment of the new DFAK website as an intake mechanism.
The coordination of the encrypted mailing list, including subscriptions and regular requests for update on the status of members’ work, will rotate yearly among members.
CiviCERT’s git repositories and websites will be managed by at least 2 members per time, to ensure responsiveness.
When decisions need to be made by CiviCERT members they will be clearly exposed and facilitated in the encrypted mailing list giving 15 days for discussing it and achieving a collective consent decision. If a consent is achieved by the group but one member wants to block it, this blocking should be based on serious security or ethical concerns that can put at risk CiviCERT reputation or integrity.
Changes to this policy
This policy can be changed during in-person CiviCERT meetings, which though ad-hoc occur at least once a year and must allow for remote participation. Changes will be submitted in advance to the encrypted mailing list and discussed during the meetings.