|
1 | | -# How To Report a Vulnerability |
| 1 | +# Security Policy |
| 2 | + |
| 3 | +This Eclipse Foundation Project adheres to the [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy/). |
| 4 | + |
| 5 | +## How To Report a Vulnerability |
| 6 | + |
| 7 | +If you think you have found a vulnerability in Eclipse Open VSX, please report it to us through coordinated disclosure. |
| 8 | + |
| 9 | +**Please do not report security vulnerabilities through public issues, discussions, or change requests.** |
2 | 10 |
|
3 | | -If you think you have found a vulnerability in Eclipse Open VSX you can report it using one of the following ways: |
| 11 | +Instead, you can report it using one of the following ways: |
4 | 12 |
|
5 | | -* Contact the [Eclipse Foundation Security Team](mailto:security@eclipse-foundation.org) |
6 | | -* Create a [confidential issue](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability) |
| 13 | +* Contact the [Eclipse Foundation Security Team](mailto:security@eclipse-foundation.org) via email |
| 14 | +* Create a [confidential issue](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability) in the Eclipse Foundation Vulnerability Reporting Tracker |
| 15 | +* Report a [vulnerability](https://github.com/eclipse-csi/otterdog/security/advisories/new) directly via private vulnerability reporting on GitHub |
7 | 16 |
|
8 | 17 | You can find more information about reporting and disclosure at the [Eclipse Foundation Security page](https://www.eclipse.org/security/). |
9 | 18 |
|
10 | | -# Supported Versions |
| 19 | +Please include as much of the information listed below as you can to help us better understand and resolve the issue: |
11 | 20 |
|
12 | | -<!-- |
13 | | - Which releases of the project's software are actively maintaned and receive security updates? |
14 | | ---> |
15 | | -Supported versions are: v0.x.x |
16 | | -Check [Open VSX releases](https://github.com/eclipse/openvsx/releases) for latest versions. |
| 21 | +* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) |
| 22 | +* Affected version(s) |
| 23 | +* Impact of the issue, including how an attacker might exploit the issue |
| 24 | +* Step-by-step instructions to reproduce the issue |
| 25 | +* The location of the affected source code (tag/branch/commit or direct URL) |
| 26 | +* Full paths of source file(s) related to the manifestation of the issue |
| 27 | +* Any special configuration required to reproduce the issue |
| 28 | +* Any log files that are related to this issue (if possible) |
| 29 | +* Proof-of-concept or exploit code (if possible) |
17 | 30 |
|
18 | | -# Security Policy |
| 31 | +This information will help us triage your report more quickly. |
| 32 | + |
| 33 | +# Supported Versions |
19 | 34 |
|
20 | | -This project follows [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy/). |
| 35 | +This project supports and provides security fixes only for the latest released version (see [Open VSX releases](https://github.com/eclipse/openvsx/releases)). |
0 commit comments