|
| 1 | +<!--- https://www.eclipse.org/security/ ---> |
| 2 | + |
| 3 | +_ISO 27005 defines vulnerability as: |
| 4 | +"A weakness of an asset or group of assets that can be exploited by one or more threats."_ |
| 5 | + |
| 6 | +## The Eclipse Security Team |
| 7 | + |
| 8 | +The Eclipse Security Team provides help and advice to Eclipse projects |
| 9 | +on vulnerability issues and is the first point of contact |
| 10 | +for handling security vulnerabilities. |
| 11 | +Members of the Security Team are committers on Eclipse Projects |
| 12 | +and members of the Eclipse Architecture Council. |
| 13 | + |
| 14 | +Contact the [Eclipse Security Team ](mailto:[email protected]). |
| 15 | + |
| 16 | +**Note that, as a matter of policy, the security team does not open attachments.** |
| 17 | + |
| 18 | +## Reporting a Security Vulnerability |
| 19 | + |
| 20 | +Vulnerabilities can be reported either via email to the Eclipse Security Team |
| 21 | +or directly with a project via the Eclipse Foundation's Bugzilla instance. |
| 22 | + |
| 23 | +The general security mailing list address is [email protected]. |
| 24 | +Members of the Eclipse Security Team will receive messages sent to this address. |
| 25 | +This address should be used only for reporting undisclosed vulnerabilities; |
| 26 | +regular issue reports and questions unrelated to vulnerabilities in Eclipse software |
| 27 | +will be ignored. |
| 28 | +Note that this email address is not encrypted. |
| 29 | + |
| 30 | +The community is also encouraged to report vulnerabilities using the |
| 31 | +[Eclipse Foundation's Bugzilla instance](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability%20Reports&keywords=security&groups=Security_Advisories). |
| 32 | +Note that you will require an Eclipse Foundation account to create an issue report, |
| 33 | +but by doing so you will be able to participate directly in the resolution of the issue. |
| 34 | + |
| 35 | +Issue reports related to vulnerabilities must be marked as "committers-only", |
| 36 | +either automatically by clicking the provided link, by the reporter, |
| 37 | +or by a committer during the triage process. |
| 38 | +Note that issues marked "committers-only" are visible to all Eclipse committers. |
| 39 | +By default, a "committers-only" issue is also accessible to the reporter |
| 40 | +and individuals explicitly indicated in the "cc" list. |
| 41 | + |
| 42 | +## Disclosure |
| 43 | + |
| 44 | +Disclosure is initially limited to the reporter and all Eclipse Committers, |
| 45 | +but is expanded to include other individuals, and the general public. |
| 46 | +The timing and manner of disclosure is governed by the |
| 47 | +[Eclipse Security Policy](https://www.eclipse.org/security/policy.php). |
| 48 | + |
| 49 | +Publicly disclosed issues are listed on the |
| 50 | +[Disclosed Vulnerabilities Page](https://www.eclipse.org/security/known.php). |
0 commit comments