Include discussion of the Security Policy in the handbook
Submitted by Wayne Beaton @wbeaton
Link to original bug (#496426)
Description
We may only need a pointer. But we should have that pointer.
Depends on
Blocking
Activity
@wbeatonsaid:The Eclipse Foundation is a CVE Numbering Authority.
Whether or not a vulnerability requires a CVE is decided by the project team with assistance from their PMC (if required).
To request a CVE Number assignment, the vulnerability must be captured in a Bugzilla record. The project team can track work on a vulnerability elsewhere, but we can only escalate via Bugzilla. If the project team does not have a Bugzilla product, use "Community/Vulnerability Reports". Note that Bugzilla records can be marked "Committers only" to prevent broad dissemination of the vulnerability before the project team has had a chance to get ahead of the issue (note also that the Security Policy defines a means of progressive disclosure)
The Bugzilla record must contain a one or two sentence summary of the issue, clearly identify the Eclipse Project affected, along with the impacted release version. The record must be RESOLVED/FIXED and the "Committers only" flag must be turned off before we will start the escalation process.
Send a message to security@eclipse.org with a request to assign a CVE Number to a specific Bugzilla record.
The security team will assign a CVE Number to the Bugzilla record as both an alias and as a prefix in the short description, they will then notify the central authority, and--when the report is accepted and posted, add the central authority's link to the URL field of the bug.
--
There are some processy bits that we should capture regarding the Security Team's workflow, but they don't belong here.
@wbeatonsaid:Include this link to help with the decision making process.
https://cve.mitre.org/cve/editorial_policies/counting_rules.html
@wbeatonsaid:As part of a vulnerability report, we need a Common Weakness Enumeration (CWE) code.
mentioned in issue #165 (closed)
FYI @mbarbero
