|
1 |
| -<!--- https://www.eclipse.org/security/ ---> |
2 |
| -_ISO 27005 defines vulnerability as: |
3 |
| -"A weakness of an asset or group of assets that can be exploited by one or more threats."_ |
| 1 | +# Security Policy |
| 2 | +This Eclipse Foundation Project adheres to the [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy/). |
4 | 3 |
|
5 |
| -## The Eclipse Security Team |
| 4 | +## How To Report a Vulnerability |
6 | 5 |
|
7 |
| -The Eclipse Security Team provides help and advice to Eclipse projects |
8 |
| -on vulnerability issues and is the first point of contact |
9 |
| -for handling security vulnerabilities. |
10 |
| -Members of the Security Team are committers on Eclipse Projects |
11 |
| -and members of the Eclipse Architecture Council. |
| 6 | +If you think you have found a vulnerability in this repository, please report it to us through coordinated disclosure. |
12 | 7 |
|
13 |
| -Contact the [Eclipse Security Team](mailto:security@eclipse.org). |
| 8 | +**Please do not report security vulnerabilities through public issues, discussions, or pull requests.** |
14 | 9 |
|
15 |
| -**Note that, as a matter of policy, the security team does not open attachments.** |
| 10 | +Instead, report it using one of the following ways: |
16 | 11 |
|
17 |
| -## Reporting a Security Vulnerability |
| 12 | +* Contact the [Eclipse Foundation Security Team ](mailto:[email protected]) via email |
| 13 | +* Create a [confidential issue](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability) in the Eclipse Foundation Vulnerability Reporting Tracker |
18 | 14 |
|
19 |
| -Vulnerabilities can be reported either via email to the Eclipse Security Team |
20 |
| -or directly with a project via the Eclipse Foundation's Bugzilla instance. |
| 15 | +You can find more information about reporting and disclosure at the [Eclipse Foundation Security page](https://www.eclipse.org/security/). |
21 | 16 |
|
22 |
| -The general security mailing list address is [email protected]. |
23 |
| -Members of the Eclipse Security Team will receive messages sent to this address. |
24 |
| -This address should be used only for reporting undisclosed vulnerabilities; |
25 |
| -regular issue reports and questions unrelated to vulnerabilities in Eclipse software |
26 |
| -will be ignored. |
27 |
| -Note that this email address is not encrypted. |
| 17 | +Please include as much of the information listed below as you can to help us better understand and resolve the issue: |
28 | 18 |
|
29 |
| -The community is also encouraged to report vulnerabilities using the |
30 |
| -[Eclipse Foundation's Bugzilla instance](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability%20Reports&keywords=security&groups=Security_Advisories). |
31 |
| -Note that you will require an Eclipse Foundation account to create an issue report, |
32 |
| -but by doing so you will be able to participate directly in the resolution of the issue. |
| 19 | +* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) |
| 20 | +* Affected version(s) |
| 21 | +* Impact of the issue, including how an attacker might exploit the issue |
| 22 | +* Step-by-step instructions to reproduce the issue |
| 23 | +* The location of the affected source code (tag/branch/commit or direct URL) |
| 24 | +* Full paths of source file(s) related to the manifestation of the issue |
| 25 | +* Configuration required to reproduce the issue |
| 26 | +* Log files that are related to this issue (if possible) |
| 27 | +* Proof-of-concept or exploit code (if possible) |
33 | 28 |
|
34 |
| -Issue reports related to vulnerabilities must be marked as "committers-only", |
35 |
| -either automatically by clicking the provided link, by the reporter, |
36 |
| -or by a committer during the triage process. |
37 |
| -Note that issues marked "committers-only" are visible to all Eclipse committers. |
38 |
| -By default, a "committers-only" issue is also accessible to the reporter |
39 |
| -and individuals explicitly indicated in the "cc" list. |
40 |
| - |
41 |
| -## Disclosure |
42 |
| - |
43 |
| -Disclosure is initially limited to the reporter and all Eclipse Committers, |
44 |
| -but is expanded to include other individuals, and the general public. |
45 |
| -The timing and manner of disclosure is governed by the |
46 |
| -[Eclipse Security Policy](https://www.eclipse.org/security/policy.php). |
47 |
| - |
48 |
| -Publicly disclosed issues are listed on the |
49 |
| -[Disclosed Vulnerabilities Page](https://www.eclipse.org/security/known.php). |
| 29 | +This information will help us triage your report more quickly. |
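Review bot: The rewrite drops two caveats from the old text that the new request list makes more relevant, not less: the note that the security team does not open attachments, and the note that the security mailing address is not encrypted. The new bullets ask reporters for "Log files that are related to this issue (if possible)" and "Proof-of-concept or exploit code (if possible)", so without the attachment caveat reporters will most likely send exactly those as email attachments, which the old policy said are not opened; suggest restoring `**Note that, as a matter of policy, the security team does not open attachments.**` and the "this email address is not encrypted" sentence, and directing any files or exploit code to the confidential GitLab issue rather than the mailbox. The removed link to the Disclosed Vulnerabilities Page is also worth keeping, since the new text gives reporters no place to check whether an issue is already public. Minor: the link text `[Eclipse Foundation Security Team ](mailto:...)` has a trailing space before the closing bracket that renders as a stray space in the link.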