Add a requirement/recommendation to provide a SECURITY file with project documentation

Consider requiring/recommending that projects include a SECURITY file in their repositories.

The file should include a pointer to the Eclipse Foundation Vulnerability Reporting Policy along with implementation details that are specific to the project.

What implementation details should be included in the file?

  • By what mechanism vulnerabilities should be reported
  • How vulnerabilities are tracked by the project team
  • By what criteria the project team will decide whether or not a CVE will be requested from the Eclipse Foundation

What else?