| [eclipse.org-committers] Update on vulnerability reporting for Eclipse Foundation |
Dear all,
We have recently been working on updating our vulnerability reporting process. The most visible reason is to move it out of Bugzilla. We also want to add more documentation so that it is easy to follow for people reporting and fixing security issues for the first time.
Our default way to report security issues is now mailing security@xxxxxxxxxxxxxxxxxxxxxx or creating an issue at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability
For projects on GitHub, we are running a pilot of using GitHub private advisories. If your project is interested, please create a Helpdesk ticket at https://gitlab.eclipse.org/eclipsefdn/helpdesk/
We are also working on enabling additional security-related features to projects. Stay tuned! You might see the security team being added to your projects as a side effect (hint: we need that to set up Security Managers in GitHub projects).
When you need help creating a security fix, discussing disclosure with security researchers, implementing best practices, or any other security question, we can help you. Reach out to us by email, ticket, Matrix...
Additional reading and watching:
The updated Handbook is available: https://www.eclipse.org/projects/handbook/#vulnerability
The recording of a webinar on this subject: https://youtu.be/SDm477kS_g0
Kind regards,
Marta Rybczynska, for the Eclipse Foundation Security Team