[eclipse.org-architecture-council] [Bug 337004] New: Eclipse Security Policy and Procedures
Product/Component: Community / Architecture Council
Summary: Eclipse Security Policy and Procedures
Classification: Eclipse Foundation
Component: Architecture Council
One more thing for our plate: I need to draft a security policy and procedures
document, and I'd like your help.

The motivation here is that we have discovered a handful of security issues
across several projects. As our projects continue to diversify and find
adoption in diverse areas, we expect that additional security issues will be
uncovered. We at the Foundation would rather like to be prepared to deal with

Of course, we need to balance this with the ever-increasing demands on project
resources, so I do intend to be sensitive to that.

As for a policy, I expect that our eclipse.org-wide policy will be something
along the lines of "We care about security" as it is impossible for eclipse.org
to implement specific policies with regard to timeliness of fixes, rebuilds,
and that sort of thing. Ultimately, the response to a disclosed security issue
is wholly dependent on the individual projects. In that regard, I'm thinking
that we'd all be better served by a well-documented set of best practices for
dealing with security issues, coupled with support processes and infrastructure

To keep the scope of this bug as focussed as possible, I'd like to restrict the
conversation here to that of actual policy, and I'll open subtasks/blocker bugs
to cover discussion of specific procedures/best practices.