How to report a vulnerability?
If you would like to report a security vulnerability in an Eclipse Foundation project, first check the project's repository for the SECURITY.md file and follow specific instructions for that project. If there is no specific information there, you have two options. Either report the issue by email to the Eclipse Foundation Security Team, or use the dedicated issue tracker.
The Eclipse Foundation Security Team provides help and advice to Eclipse Foundation projects on vulnerability issues and is the first point of contact for handling security vulnerabilities. Members of the Eclipse Foundation Security Team are selected amongs committers on Eclipse Projects, members of the Eclipse Architecture Council, and Eclipse Foundation staff.The general security mailing list address is firstname.lastname@example.org. Members of the Eclipse Foundation Security Team will receive messages sent to this address. This address should be used only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to vulnerabilities in Eclipse Foundation software will be ignored. Note that this email set to this address is not encrypted.
Note that, as a matter of policy, the security team does not open attachments.
The community is also encouraged to report vulnerabilities using the Eclipse Foundation's issue tracker. Note that you will need an Eclipse Foundation account to create an issue report (create an account here if you do not have one), but by doing so you will be able to participate directly in the resolution of the issue.
Issue reports related to vulnerabilities must be marked as "confidential", either automatically by clicking the provided link by the reporter, or by a committer during the triage process.
The timing and manner of disclosure is governed by the Eclipse Foundation Vulnerability Reporting Policy.
Publicly disclosed issues are listed on the Disclosed Vulnerabilities Page.