Handbook: clarify vulnerability reporting
Merged
requested to merge mrybczyn/org.eclipse.dash.handbook:vuln-reporting-clarifications into master
Compare changes
+ 26
− 2
@@ -23,12 +23,20 @@ The {securityPolicyUrl}[Eclipse Foundation Vulnerability Reporting Policy] conta
@@ -23,12 +23,20 @@ The {securityPolicyUrl}[Eclipse Foundation Vulnerability Reporting Policy] conta
The Eclipse Foundation Security Team provides help and advice to Eclipse projects on security issues and is the first point of contact for handling security vulnerabilities. Members of the Security Team are selected from committers on Eclipse Projects, members of the xref:roles-ac[Eclipse Architecture Council], and Eclipse Foundation staff.
The Eclipse Foundation Security Team provides help and advice to Eclipse projects on security issues and is the first point of contact for handling security vulnerabilities. Members of the Security Team are selected from committers on Eclipse Projects, members of the xref:roles-ac[Eclipse Architecture Council], and Eclipse Foundation staff.
The default project setup is to use general Eclipse Foundation reporting (see below). The strong recommendation is to list reporting methods clearly inside a `SECURITY.md` file in the main repository (also in other repositories if it makes sense) to help security researchers to communicate with the project in a secure way. Similar information should be available in the project's documentation.
If the project decides to activate reporting via confidential issues (GitLab) or private security advisories (GitHub), please make a request via the {Helpdesk}[https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/new]. The Eclipse Foundation Security team can train the project in using those means. When new reporting methods are set up, update your `SECURITY.md` accordingly.
In order to be able to set up, monitor, and also help projects dealing with security settings, new project are set up with members of the EF Security team. Also, in GitHub repositories, if self-management is enabled, the project will include `.eclipsefdn` repository. Please refer to the <<resources-github-self-service, documentation>> for more information.
Vulnerabilities can be reported either via email to {securityTeamEmail} or directly with a project via the Eclipse Foundation's issue tracker.
The general mailto:{securityTeamEmail}[security team email address] can also be used to report vulnerabilities. Members of the Eclipse Foundation Security Team will receive messages sent to this address. This address should be used only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to vulnerabilities in Eclipse Foundation project software will be ignored. Note that this email address is not encrypted.
The general mailto:{securityTeamEmail}[security team email address] can be used to report vulnerabilities in any Eclipse Foundation project. Members of the Eclipse Foundation Security Team will receive messages sent to this address. This address should be used only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to vulnerabilities in Eclipse Foundation project software will be ignored. Note that this email address is not encrypted.
The community is encouraged to report vulnerabilities using the standard project-specific issue tracker. The appropriate link should be available in the project's `SECURITY.md` file. In case of a doubt, use the {vulnerabilityReportUrl}[general vulnerability issue tracker].
@@ -217,3 +225,19 @@ Ultimately, whether or not we should create a CVE is the project team's call.
@@ -217,3 +225,19 @@ Ultimately, whether or not we should create a CVE is the project team's call.
In this case, please contact the <<vulnerability-team, Security Team>>. Please note that the Eclipse Foundation Security Team notifies project leads by default.