Commit 0ad6d999 authored by Wayne Beaton's avatar Wayne Beaton
Browse files

Add the security policy to the handbook.

parent db6adb16
* Copyright (C) 2018 Eclipse Foundation, Inc. and others.
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* SPDX-License-Identifier: EPL-2.0
= Eclipse Vulnerability Reporting Policy
== Overview
The purpose of the Eclipse Vulnerability Reporting Policy is to set forth the general principles under which the Eclipse Foundation will manage the reporting, management, discussion, and disclosure of vulnerabilities discovered in Eclipse software. This Vulnerability Reporting Policy applies to all software distributed by the Eclipse Foundation, including all software authored by Eclipse Committers and third-parties. This IP Policy should at all times be interpreted in a manner that is consistent with the Purposes of the Eclipse Foundation as set forth in the {bylawsUrl}[Eclipse Foundation Bylaws].
This policy uses the ISO 27005 definition of vulnerability: "A weakness of an asset or group of assets that can be exploited by one or more threats."
== Eclipse Security Team
The Security Team is the first line of defense: it is effectively a triage unit with security and vulnerability management expertise. Ultimately, vulnerabilities are resolved by individual projects with assistance from the Security Team.
The Security Team is composed of a small number of security experts and representatives from the Project Management Committees.
Mail sent to the mailto:{securityTeamEmail}[security team email address] is sent exclusively to all members of the Security Team. Anybody can send mail to this address. This list is not archived, and is not open for public subscription.
== Discussion
Initial discussion of an open vulnerability may occur privately amongst members of the project and Security Team. Discussion should be moved to and tracked by an Eclipse Foundation-supported issue tracker as early as possible in the mitigation process. Appropriate effort must be be undertaken to ensure that the visibility of a reported issue is managed.
== Resolution
A vulnerability is considered resolved when either a patch or workaround is available, or it is determined that a fix is not possible or desirable.
It is left to the discretion of the Security Team and project leadership to determine what subset of the project committers are best suited to resolve vulnerabilities. The Security Team and project leaders may also—at their discretion—assemble external resources (e.g. subject matter experts) or call on the expertise of the Eclipse Architecture Council.
== Distribution
Once a vulnerability has been resolved, the updated software must be made available to the community.
At a minimum, updated software is made available via normal project distribution channels (e.g. downloads server).
The Eclipse Planning Council must be made aware of vulnerabilities in software that is part of a simultaneous release. The Eclipse Planning Council will determine whether or not a _respin_ of the simultaneous release content is required. The Eclipse Planning Council will coordinate the timing of the respin with the project leadership.
== Disclosure
Disclosure is initially limited to the reporter and all Eclipse Committers, but can be expanded to include other individuals.
All vulnerabilities must be disclosed, regardless of the resolution. Users and administrators of Eclipse software must made aware that a vulnerability exists so they can assess risk, and take the appropriate action to protect their users, servers and systems from potential exploit.
=== Timing
The timing of disclosure is left to the discretion of the project leadership, including the project lead(s), PMC, and EMO(ED). In the absence of specific guidance from the project leadership, the following guidelines are recommended:
* Vulnerabilities for which there is a patch, workaround or fix, should be disclosed to the community immediately.
* Vulnerabilities—regardless of state—must be disclosed to the community after a maximum three months.
Vulnerabilities need not necessarily be resolved at the time of disclosure.
=== Quiet Disclosure
A Vulnerability can be _quietly_ disclosed by simply removing visibility restrictions. The issue's history will record that the flag has been removed, and the issue will become visible for everyone in searches.
In general, quiet disclosure is appropriate only for issues that are identified by a committer as having been erroneously marked as vulnerabilities.
=== Progressive Disclosure
Knowledge of a vulnerability can be easily extended to specific individuals before it is reported to the community. A vulnerability may--at the discretion of the committer--be disclosed to specific individuals. A committer may, for example, provide access to a subject-matter expert to solicit help or advice. A vulnerability may also be disclosed to known adopters to allow them an opportunity to mitigate their immediate risk and prepare for a forthcoming resolution.
=== Full Disclosure
All vulnerabilities must eventually be fully disclosed to the community at large.
All vulnerabilities affecting projects that participate in a simultaneous release must be reported to the Eclipse Planning Council prior to full disclosure to the community at large. Disclosure of a vulnerability must be coordinated with the distribution of the updated software from the Pproject's own distribution channels, the simultaneous release repository, and known downstream consumer where possible.
To complete the disclosure of a vulnerability, all restrictions on visibility must be removed and the vulnerability reported via channels provided by the Eclipse Foundation.
\ No newline at end of file
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment