Project teams should be encouraged to include, on their project download pages, a link to the security policy and easy links for filing vulnerability reports.
The Eclipse Foundation is a CVE Numbering Authority.
Whether or not a vulnerability requires a CVE is decided by the project team, with assistance from their PMC if required.
To request a CVE Number assignment, the vulnerability must be captured in a Bugzilla record. The project team may track work on a vulnerability elsewhere, but we can only escalate via Bugzilla. If the project team does not have a Bugzilla product, use "Community/Vulnerability Reports". Note that Bugzilla records can be marked "Committers only" to prevent broad dissemination of the vulnerability before the project team has had a chance to get ahead of the issue (note also that the Security Policy defines a means of progressive disclosure).
The Bugzilla record must contain a one- or two-sentence summary of the issue and must clearly identify the affected Eclipse project along with the impacted release version. The record must be RESOLVED/FIXED and the "Committers only" flag must be turned off before we will start the escalation process.
Send a message to security@eclipse.org with a request to assign a CVE Number to a specific Bugzilla record.
The security team will add the CVE Number to the Bugzilla record both as an alias and as a prefix in the short description, then notify the central authority and, once the report is accepted and posted, add the central authority's link to the URL field of the bug.
--
There are some processy bits that we should capture regarding the Security Team's workflow, but they don't belong here.
I'm thinking that as a matter of policy we should use the URL field in a vulnerability report bug to point to the CVE record at Mitre. That would make the field unavailable for other URLs, but I think that should be generally okay. Thoughts?
I've combined content from comments here and from the existing content on the website and rolled it into the "Project Resources and Services" section of the handbook.