| Re: [eclipse.org-architecture-council] June Meeting time change |
Dear Eclipse Technical Advisory Council,
I would like to add a discussion item to the agenda regarding a change the Eclipse Foundation Security Team would like to make to the management of the security@xxxxxxxxxxxxxxxxxxxxxx inbox.
In short, we would like to stop accepting vulnerability reports through this email address, at least temporarily.
The volume of reports has increased significantly, including a growing share of AI-generated submissions. As a result, the current process is no longer sustainable. Today, the Eclipse Foundation Security Team spends a considerable amount of time copying, pasting, forwarding, assigning, and otherwise moving information between reporters, Project Security Teams, and issue trackers. This approach worked well enough when volumes were lower, but it has become inefficient, error-prone, and not the best use of our resources.
Our goal is to stay out of the way as much as possible while still remaining appropriately involved. We need to be able to fulfill our obligations, ensure that coordinated vulnerability disclosure is followed, and assist projects whenever needed. However, we believe that the current use of the security@xxxxxxxxxxxxxxxxxxxxxx inbox is no longer the right mechanism for doing so.
We recognize that stopping vulnerability reports by email will raise the barrier for some reporters, especially those who want to remain anonymous. We do not see this as an ideal long-term outcome.
Instead, we expect this to be a temporary measure while we work toward a better long-term approach for everyone, including projects using GHSA. Our goal is to restore a low barrier for vulnerability report submission while reducing the manual handling currently required from the Security Team.
We are currently exploring several options, including adjusting the existing setup at https://gitlab.eclipse.org/security/vulnerability-reports, using a service desk-like SaaS solution, or developing custom tooling. We would also welcome ideas and suggestions from the Council.
I look forward to hearing your observations, opinions, and insights.
Cheers,
Greetings Eclipse Technical Advisory Council.My apologies for not getting this out earlier in the week.I would like to go over some ideas the Eclipse Projects Team has been exploring regarding the project proposal/creation process and incubation. Specifically, we've been exploring ideas for creating projects quickly (e.g., in one day) and introducing additional flexibility in the incubation phase to give new project teams time to develop and evolve their project's name, scope, and top level project alignment; learn how to use the IP Due Diligence Process and implement the security policy; etc.If time permits, I'd like to talk about some elements of the Committer Due Diligence Guidelines.If you have other topics you would like to add to the list, please let us know.We are on tomorrow, June 18 at 9 am ET (which I believe is 1500 CET).We'll use this Zoom link: https://eclipse.zoom.us/my/waynebeatonSee you tomorrow!WayneOn Tue, 9 Jun 2026 at 17:48, Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:Hey Eclipse Technical Advisory Council.I cannot attend at our usual time this week, so I've moved our meeting to next week.Thursday June 18 2026 @ 9:00 AM ET, 1500 CETI'll send out an agenda early next week.If you have any items that you'd like to add to the agenda, please let me know.Wayne
--Wayne Beaton (he/him)
Head of Open Source Projects | Eclipse Foundation
--Wayne Beaton (he/him)
Head of Open Source Projects | Eclipse Foundation
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council