How to report a vulnerability?
If you would like to report a security vulnerability in an Eclipse Foundation
project, first check the project’s repository for the
SECURITY.md file and
follow specific instructions for that project. If there is no specific
information there, you have two options. Either report the issue by email to
the Eclipse Foundation Security Team,
or use the dedicated issue tracker.
The Eclipse Foundation Security Team provides help and advice to Eclipse
Foundation projects on vulnerability issues and is the first point of contact
for handling security vulnerabilities. Members of the Eclipse Foundation
Security Team are selected amongs committers on Eclipse Projects, members of
the Eclipse Architecture Council, and Eclipse Foundation staff.
The general security mailing list address is firstname.lastname@example.org.
Members of the Eclipse Foundation Security Team will receive messages sent to
this address. This address should be used only for reporting undisclosed
vulnerabilities; regular issue reports and questions unrelated to
vulnerabilities in Eclipse Foundation software will be ignored. Note that this
email set to this address is not encrypted.
Note that, as a matter of policy, the security team does not open attachments.
The community is also encouraged to report vulnerabilities using the Eclipse
Foundation’s issue tracker.
Note that you will need an Eclipse Foundation account to create an issue report
(create an account here if you do not have one),
but by doing so you will be able to participate directly in the resolution of
Issue reports related to vulnerabilities must be marked as “confidential”,
either automatically by clicking the provided link by the reporter, or by a
committer during the triage process.
The timing and manner of disclosure is governed by the Eclipse Foundation Vulnerability Reporting Policy.
Publicly disclosed issues are listed on the Disclosed Vulnerabilities page.