author | Matthias Sohn <matthias.sohn@sap.com> | 2024-02-28 00:40:34 +0100 |
---|---|---|
committer | Matthias Sohn <matthias.sohn@sap.com> | 2024-02-28 00:42:12 +0100 |
commit | 64911e2119c7bb177cd32da01394399c92bf6f62 (patch) | |
tree | 58700f822ea71a1fd0212ef682bf8b5dc8b2225c /SECURITY.md | |
parent | d132050c2bfd13463482cb6f69b0e0e4de9556d7 (diff) | |
download | jgit-64911e2119c7bb177cd32da01394399c92bf6f62.tar.gz jgit-64911e2119c7bb177cd32da01394399c92bf6f62.zip |
Update SECURITY.md
Use the text of the general Eclipse Vulnerability Reporting page at
https://www.eclipse.org/security.
Bug: jgit-31
Change-Id: I07dcf83199956e0173f958356661ade33252dab4
Diffstat (limited to 'SECURITY.md')
-rw-r--r-- | SECURITY.md | 53 |
1 files changed, 23 insertions, 30 deletions
diff --git a/SECURITY.md b/SECURITY.md index e6f57c6986..468a1dbfdf 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,48 +2,41 @@ _ISO 27005 defines vulnerability as: "A weakness of an asset or group of assets that can be exploited by one or more threats."_ -## The Eclipse Security Team +## Reporting a Security Vulnerability -The Eclipse Security Team provides help and advice to Eclipse projects -on vulnerability issues and is the first point of contact -for handling security vulnerabilities. -Members of the Security Team are committers on Eclipse Projects -and members of the Eclipse Architecture Council. +Vulnerabilities can be reported either via +[email to the Eclipse Security Team](security@eclipse-foundation.org) +or using the +[dedicated security issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability). -Contact the [Eclipse Security Team](mailto:security@eclipse.org). +## Additional Information -**Note that, as a matter of policy, the security team does not open attachments.** +**The Eclipse Foundation Security Team** provides help and advice to Eclipse Foundation projects on +vulnerability issues and is the first point of contact for handling security vulnerabilities. +Members of the Eclipse Foundation Security Team are selected amongs committers on Eclipse Projects, +members of the Eclipse Architecture Council, and Eclipse Foundation staff. -## Reporting a Security Vulnerability +The general security mailing list address is security@eclipse-foundation.org. Members of the Eclipse +Foundation Security Team will receive messages sent to this address. This address should be used +only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to +vulnerabilities in Eclipse Foundation software will be ignored. Note that this email set to this +address is not encrypted. -Vulnerabilities can be reported either via email to the Eclipse Security Team -or directly with a project via the Eclipse Foundation's Bugzilla instance. 
- -The general security mailing list address is security@eclipse.org. -Members of the Eclipse Security Team will receive messages sent to this address. -This address should be used only for reporting undisclosed vulnerabilities; -regular issue reports and questions unrelated to vulnerabilities in Eclipse software -will be ignored. -Note that this email address is not encrypted. +**Note that, as a matter of policy, the security team does not open attachments.** The community is also encouraged to report vulnerabilities using the -[Eclipse Foundation's Bugzilla instance](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability%20Reports&keywords=security&groups=Security_Advisories). -Note that you will require an Eclipse Foundation account to create an issue report, +[Eclipse Foundation’s issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability). +Note that you will need an Eclipse Foundation account to create an issue report +([create an account here if you do not have one](https://accounts.eclipse.org/user/register?destination=user)), but by doing so you will be able to participate directly in the resolution of the issue. -Issue reports related to vulnerabilities must be marked as "committers-only", -either automatically by clicking the provided link, by the reporter, -or by a committer during the triage process. -Note that issues marked "committers-only" are visible to all Eclipse committers. -By default, a "committers-only" issue is also accessible to the reporter -and individuals explicitly indicated in the "cc" list. +Issue reports related to vulnerabilities must be marked as “confidential”, either automatically by +clicking the provided link by the reporter, or by a committer during the triage process. ## Disclosure -Disclosure is initially limited to the reporter and all Eclipse Committers, -but is expanded to include other individuals, and the general public. 
The timing and manner of disclosure is governed by the -[Eclipse Security Policy](https://www.eclipse.org/security/policy.php). +[Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy). Publicly disclosed issues are listed on the -[Disclosed Vulnerabilities Page](https://www.eclipse.org/security/known.php).
\ No newline at end of file +[Disclosed Vulnerabilities page](https://www.eclipse.org/security/known).
\ No newline at end of file
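Review bot: the new "Reporting a Security Vulnerability" paragraph drops the `mailto:` scheme from the email link. `[email to the Eclipse Security Team](security@eclipse-foundation.org)` renders as a relative link to a path named `security@eclipse-foundation.org` on whatever site hosts the file instead of opening a mail client, whereas the line being removed had `[Eclipse Security Team](mailto:security@eclipse.org)`; write it as `(mailto:security@eclipse-foundation.org)` so a reporter who follows the first link actually reaches the team. Two wording slips in the "Additional Information" block: `selected amongs committers` should be `selected amongst committers`, and `Note that this email set to this address is not encrypted.` should read `Note that email sent to this address is not encrypted.` Given that the mail channel is explicitly unencrypted while the GitLab tracker creates a confidential issue, it would help reporters to say which channel is preferred for reports that carry exploit details. Finally, the rewritten sentence `either automatically by clicking the provided link by the reporter, or by a committer during the triage process` lost the comma that separated the three cases in the old text (`clicking the provided link, by the reporter, or by a committer`); restore it so it does not read as the reporter clicking the link.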