summaryrefslogtreecommitdiffstats
path: root/SECURITY.md
blob: 468a1dbfdf92dfa88d0e6ab4fec565b0c04aa1e2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<!--- https://www.eclipse.org/security/ --->
_ISO 27005 defines vulnerability as:
 "A weakness of an asset or group of assets that can be exploited by one or more threats."_

## Reporting a Security Vulnerability

Vulnerabilities can be reported either via
[email to the Eclipse Security Team](security@eclipse-foundation.org)
or using the
[dedicated security issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).

## Additional Information

**The Eclipse Foundation Security Team** provides help and advice to Eclipse Foundation projects on
vulnerability issues and is the first point of contact for handling security vulnerabilities.
Members of the Eclipse Foundation Security Team are selected amongs committers on Eclipse Projects,
members of the Eclipse Architecture Council, and Eclipse Foundation staff.

The general security mailing list address is security@eclipse-foundation.org. Members of the Eclipse
Foundation Security Team will receive messages sent to this address. This address should be used
only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to
vulnerabilities in Eclipse Foundation software will be ignored. Note that this email set to this
address is not encrypted.

**Note that, as a matter of policy, the security team does not open attachments.**

The community is also encouraged to report vulnerabilities using the
[Eclipse Foundation’s issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).
Note that you will need an Eclipse Foundation account to create an issue report
([create an account here if you do not have one](https://accounts.eclipse.org/user/register?destination=user)),
but by doing so you will be able to participate directly in the resolution of the issue.

Issue reports related to vulnerabilities must be marked as “confidential”, either automatically by
clicking the provided link by the reporter, or by a committer during the triage process.

## Disclosure

The timing and manner of disclosure is governed by the
[Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy).

Publicly disclosed issues are listed on the
[Disclosed Vulnerabilities page](https://www.eclipse.org/security/known).