Bug 573743

Summary: The Eclipse Security Mailing list is publicly accessible!
Product: Community
Component: Vulnerability Reports
Version: unspecified
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: critical
Priority: P1
Target Milestone: ---
Reporter: Peter Stöckli <peter.stockli>
Assignee: Eclipse Webmaster <webmaster>
QA Contact:
CC: wayne.beaton
Keywords: security
Whiteboard:

Description Peter Stöckli CLA 2021-05-25 04:16:17 EDT
Hello Eclipse Security Team

I just stumbled upon the following Mailing List archive via Google:

https://www.eclipse.org/lists/security/threads.html

=> As you can see this means the (private) Eclipse Security Mailing
list is publicly accessible!

Firstly, you should make the list archive private again.
Secondly and more importantly, this means that all vulnerability
reports discussed on this list are publicly accessible and should be
considered as publicly known.


This message was also sent to security@eclipse.org, but has not yet shown up in the Archive.

Comment 1 Wayne Beaton CLA 2021-05-25 11:25:36 EDT
I swear that we set this up without an archive at all.

Webmaster, please remove the archive of this mailing list.

Comment 2 Eclipse Webmaster CLA 2021-05-25 11:27:53 EDT
The archive has been removed.

Good catch.

-M.