Add a requirement/recommendation to provide a SECURITY file with project documentation
Consider requiring/recommending that projects include a SECURITY file in their repositories.
The file should include a pointer to the Eclipse Foundation Vulnerability Reporting Policy along with implementation details that are specific to the project.
What implementation details should be included in the file?
- The mechanism by which vulnerabilities should be reported
- How vulnerabilities are tracked by the project team
- The criteria by which the project team will decide whether or not a CVE will be requested from the Eclipse Foundation
What else?