Add a requirement/recommendation to provide a SECURITY file with project documentation
Consider requiring/recommending that projects include a SECURITY file in their repositories.
The file should include a pointer to the [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy.php) along with implementation details that are specific to the project.
What implementation details should be included in the file?
* By what mechanism vulnerabilities should be reported
* How vulnerabilities are tracked by the project team
* By what criteria the project team will decide whether or not a CVE will be requested from the Eclipse Foundation
What else?