Update on vulnerability reporting for Eclipse Foundation #998
Assignees
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We got the following email and should update SECURITY.md
We have recently been working on updating our vulnerability reporting process. The most visible reason is to move it out of Bugzilla. We also want to add more documentation so that it is easy to follow for people reporting and fixing security issues for the first time.
Our default way to report security issues is now mailing security@eclipse-foundation.org or creating an issue at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability
For projects on GitHub, we are running a pilot of using GitHub private advisories. If your project is interested, please create a Helpdesk ticket at https://gitlab.eclipse.org/eclipsefdn/helpdesk/
We are also working on enabling additional security-related features to projects. Stay tuned! You might see the security team being added to your projects as a side effect (hint: we need that to set up Security Managers in GitHub projects).
When you need help creating a security fix, discussing disclosure with security researchers, implementing best practices, or any other security question, we can help you. Reach out to us by email, ticket, Matrix...
Additional reading and watching:
The updated Handbook is available: https://www.eclipse.org/projects/handbook/#vulnerability
The recording of a webinar on this subject: https://youtu.be/SDm477kS_g0
The text was updated successfully, but these errors were encountered: