Since 2014, Trusted CI (formerly the Center for Trustworthy Scientific Cyberinfrastructure, a.k.a., CTSC) has delivered concise announcements on critical vulnerabilities that affect the software and cyberinfrastructure (CI) of higher education and scientific research communities. The alerting service began informally in 2014 at Indiana University with the creation of two mailing lists specific to software and infrastructure vulnerabilities. In 2016, the process was formalized by the NSF solicitation for the Cybersecurity Center of Excellence (CCoE) which called for "situational awareness of the current cyber threats to the research and education environment, including those that impact scientific instruments." The two mailing lists were merged and a more formalized process of monitoring external information sources for potential threats was established. These information sources included:
- US-CERT advisories
- RHEL/EPEL advisories
- REN-ISAC Alerts and Advisories
- Security announcements from open source projects such as OpenSSL and OpenSSH
- Announcements from CI projects such as XSEDE, ACCESS CI, Globus, and OSG
- Social media sites such as X/Twitter and Reddit (/r/netsec and /r/cybersecurity)
- News sources such as The Hacker News, Threatpost, The Register, Naked Security, Slashdot, Krebs on Security, SANS Internet Storm Center, and Schneier on Security
The Trusted CI team monitored these sources for vulnerabilities, then determined which ones were of critical interest to the CI community. While there were many cybersecurity issues reported in the news, we strove to alert on issues that affected the CI community in particular. For issues that warranted alerts to the Trusted CI mailing list, we provided guidance on how operators and developers could reduce risks and mitigate threats.
In April of 2024, the Cyberinfrastructure Vulnerabilities alerting service was replaced by the OmniSOC Community Advisory. This semi-monthly newsletter highlights current events and information security news aimed at the research cyberinfrastructure community. We encourage the Trusted CI community to subscribe to the OmniSOC newsletter by sending email to omnisoc-community-advisory-l-subscribe@iu.edu . Additionally, users are encouraged to subscribe to other CVE/vulnerability announcement lists, including:
In the first quarter of 2024, the Cyberinfrastructure Vulnerabilities team discussed 11 vulnerabilities and issued 4 alerts to 188 subscribers. Since 2014, the team has issued nearly 200 alerts to the community.
The archives of alerts issued since 2017 are available here and here.
