Eclipse Vulnerability Reporting | The Eclipse Foundation

admin

How to report a vulnerability?

If you would like to report a security vulnerability in an Eclipse
Foundation project, first check the project’s repository for the
SECURITY.md file and follow specific instructions for that
project. If there is no specific information there, you have two
options. Either report the issue by email to the
Eclipse Foundation Security Team,
or use the dedicated issue tracker.

Additional information

The Eclipse Foundation Security Team provides help and
advice to Eclipse Foundation
projects on vulnerability issues and is the first point of contact for
handling security vulnerabilities. Members of the Eclipse Foundation
Security Team are selected amongs committers on Eclipse Projects, members
of the Eclipse Architecture Council, and Eclipse Foundation staff.

The general security mailing list address is security@eclipse-foundation.org. Members
of the Eclipse Foundation Security Team will receive messages sent to this
address. This address should be used only for reporting undisclosed
vulnerabilities; regular issue reports and questions unrelated to
vulnerabilities in Eclipse Foundation software will be ignored. Note that
this email set to this address is not encrypted.

Note that, as a matter of policy, the security team does not
open attachments.

The community is also encouraged to report vulnerabilities using the

Eclipse Foundation’s issue tracker. Note that you will
need an Eclipse Foundation account to create an issue report
(create
an account here if you do not have one), but by doing so you will be able to participate
directly in the resolution of the issue.

Issue reports related to vulnerabilities must be marked as
“confidential”, either automatically by clicking the provided
link by the reporter, or by a committer during the triage process.

Disclosure

The timing and manner of disclosure is governed by
the Eclipse Foundation Vulnerability Reporting Policy.

Publicly disclosed issues are listed on the Disclosed
Vulnerabilities Page.

Read more here: Source link