From 1bd40a52a291cba799d693f2659cc7fd3c50b38d Mon Sep 17 00:00:00 2001 From: Marc Dumais Date: Mon, 28 Jun 2021 12:32:51 -0400 Subject: [PATCH] Add SECURITY.md Also modify bug report issue template to make it clear it's not to be used to report security vulnerabilities. Fixes #8795 Signed-off-by: Marc Dumais --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- SECURITY.md | 49 ++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 1d536a95138e1..f11dc35be456a 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -1,5 +1,5 @@ --- -name: Bug Report +name: Bug Report (except security vulnerabilities) about: Create a report to help us improve --- diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..4200f14b29432 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ + +_ISO 27005 defines vulnerability as: + "A weakness of an asset or group of assets that can be exploited by one or more threats."_ + +## The Eclipse Security Team + +The Eclipse Security Team provides help and advice to Eclipse projects +on vulnerability issues and is the first point of contact +for handling security vulnerabilities. +Members of the Security Team are committers on Eclipse Projects +and members of the Eclipse Architecture Council. + +Contact the [Eclipse Security Team](mailto:security@eclipse.org). + +**Note that, as a matter of policy, the security team does not open attachments.** + +## Reporting a Security Vulnerability + +Vulnerabilities can be reported either via email to the Eclipse Security Team +or directly with a project via the Eclipse Foundation's Bugzilla instance. + +The general security mailing list address is security@eclipse.org. +Members of the Eclipse Security Team will receive messages sent to this address. +This address should be used only for reporting undisclosed vulnerabilities; +regular issue reports and questions unrelated to vulnerabilities in Eclipse software +will be ignored. +Note that this email address is not encrypted. + +The community is also encouraged to report vulnerabilities using the +[Eclipse Foundation's Bugzilla instance](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability%20Reports&keywords=security&groups=Security_Advisories). +Note that you will require an Eclipse Foundation account to create an issue report, +but by doing so you will be able to participate directly in the resolution of the issue. + +Issue reports related to vulnerabilities must be marked as "committers-only", +either automatically by clicking the provided link, by the reporter, +or by a committer during the triage process. +Note that issues marked "committers-only" are visible to all Eclipse committers. 
+By default, a "committers-only" issue is also accessible to the reporter +and individuals explicitly indicated in the "cc" list. + +## Disclosure + +Disclosure is initially limited to the reporter and all Eclipse Committers, +but is expanded to include other individuals, and the general public. +The timing and manner of disclosure is governed by the +[Eclipse Security Policy](https://www.eclipse.org/security/policy.php). + +Publicly disclosed issues are listed on the +[Disclosed Vulnerabilities Page](https://www.eclipse.org/security/known.php).
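Review bot: In the bug_report.md hunk, the rename alone is easy to miss because only the template title changes while the `about:` line still reads "Create a report to help us improve" with no pointer to where vulnerabilities should go; a reporter who picks this template by habit gets no redirect. Suggest carrying the redirect into the description as well, e.g. `about: Create a report to help us improve (security vulnerabilities: see SECURITY.md)`, so the new policy file is actually reachable from the place people land first.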
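Review bot: In the SECURITY.md hunk, the "Reporting a Security Vulnerability" section leaves a reporter without a documented confidential path: it states that security@eclipse.org "is not encrypted" and that the team "does not open attachments", but does not say which of the two channels is preferred for sensitive details (the Bugzilla route at least becomes "committers-only"). Suggest stating that preference explicitly and, if the team publishes an encryption key, linking it here. Two smaller points in the same hunk: the Bugzilla link targets the generic `product=Community&component=Vulnerability%20Reports` component, so the phrase "directly with a project" has no project-specific link to back it, and in the "Disclosure" section the sentence "Disclosure is initially limited to the reporter and all Eclipse Committers, but is expanded to include other individuals, and the general public." reads as if both happen at once; "but is later expanded to include other individuals and, eventually, the general public" would make the staged ordering clear.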