Diffstat (limited to 'SECURITY.md')
-rw-r--r-- | SECURITY.md | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..468a1dbfdf --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,42 @@ +<!--- https://www.eclipse.org/security/ ---> +_ISO 27005 defines vulnerability as: + "A weakness of an asset or group of assets that can be exploited by one or more threats."_ + +## Reporting a Security Vulnerability + +Vulnerabilities can be reported either via +[email to the Eclipse Security Team](security@eclipse-foundation.org) +or using the +[dedicated security issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability). + +## Additional Information + +**The Eclipse Foundation Security Team** provides help and advice to Eclipse Foundation projects on +vulnerability issues and is the first point of contact for handling security vulnerabilities. +Members of the Eclipse Foundation Security Team are selected amongs committers on Eclipse Projects, +members of the Eclipse Architecture Council, and Eclipse Foundation staff. + +The general security mailing list address is security@eclipse-foundation.org. Members of the Eclipse +Foundation Security Team will receive messages sent to this address. This address should be used +only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to +vulnerabilities in Eclipse Foundation software will be ignored. Note that this email set to this +address is not encrypted. + +**Note that, as a matter of policy, the security team does not open attachments.** + +The community is also encouraged to report vulnerabilities using the +[Eclipse Foundation’s issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability). +Note that you will need an Eclipse Foundation account to create an issue report +([create an account here if you do not have one](https://accounts.eclipse.org/user/register?destination=user)), +but by doing so you will be able to participate directly in the resolution of the issue. 
+ +Issue reports related to vulnerabilities must be marked as “confidential”, either automatically by +clicking the provided link by the reporter, or by a committer during the triage process. + +## Disclosure + +The timing and manner of disclosure is governed by the +[Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy). + +Publicly disclosed issues are listed on the +[Disclosed Vulnerabilities page](https://www.eclipse.org/security/known).
\ No newline at end of file |
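Review bot: the email link under "Reporting a Security Vulnerability" is written as `[email to the Eclipse Security Team](security@eclipse-foundation.org)` without a `mailto:` scheme, so Markdown renderers will emit a relative link to a nonexistent path `security@eclipse-foundation.org` instead of opening a mail client; change the target to `mailto:security@eclipse-foundation.org`. In the same hunk, "selected amongs committers" should read "selected among committers", and the sentence "Note that this email set to this address is not encrypted." is garbled and should read "Note that email sent to this address is not encrypted." (that is the point reporters need, since the paragraph is telling them the channel is plaintext). Finally, the file is added without a trailing newline (`\ No newline at end of file`); add one so later edits do not produce a spurious change on the last line.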