Marta Rybczynska · 1814cf4a · 2dd44ecc · 61a6f787 · 1814cf4a · 2dd44ecc
--- a/content/en_index.php

+ 34

− 69
+++ b/content/en_index.php

+ 34

− 69
 <?php
 /**
- * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ * Copyright (c) 2011, 2015, 2018, 2023 Eclipse Foundation and others.
 *
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 @@ -12,95 +12,60 @@
 @@ -12,95 +12,60 @@
 *
 * SPDX-License-Identifier: EPL-2.0
 */
-/*
- * Assemble the base URL and the interesting arguments
- * separately. We'll combine them into a URL and a form.
- */
-$bugzilla = 'https://bugs.eclipse.org/bugs/enter_bug.cgi';
-$options = array(
-  'product' => 'Community',
-  'component' => 'Vulnerability Reports',
-  'keywords' => 'security',
-  'groups' => 'Security_Advisories'
-);
-/*
- * Assemble the bits into the artifacts that we're going to
- * need.
- */
-$args = array();
-$inputs = array();
-foreach($options as $key => $value) {
-  $args[] = $key . '=' . preg_replace('/\s/','%20', $value);
-  $inputs[] = "<input type=\"hidden\" name=\"$key\" value=\"$value\"/>";
-}
-$inputs[] = "<button type=\"submit\">Report a potential vulnerability now</button>";
-$link = "$bugzilla?" . implode('&', $args);
-$form = "<form method=\"get\" action=\"$bugzilla\">" . implode('', $inputs) . "</form>";
 ?>
+<h2>How to report a vulnerability?</h2>
 <p>
-  <i>ISO 27005 defines vulnerability as: &quot;A weakness of an asset
+  If you would like to report a security vulnerability in an Eclipse
-  or group of assets that can be exploited by one or more
+  Foundation project, first check the project's repository for the
-  threats.&quot;</i>
+  <tt>SECURITY.md</tt> file and follow specific instructions for that
+  project. If there is no specific information there, you have two
+  options. Either report the issue by email to the
+  <a href="mailto:security@eclipse-foundation.org">Eclipse Foundation Security Team</a>,
+  or use the <a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability">dedicated issue tracker</a>.
 </p>
-<h2>The Eclipse Security Team</h2>
-<p>The Eclipse Security Team provides help and advice to Eclipse
+<h2>Additional information</h2>
+<p>The <strong>Eclipse Foundation Security Team</strong> provides help and
+  advice to Eclipse Foundation
  projects on vulnerability issues and is the first point of contact for
-  handling security vulnerabilities. Members of the Security Team are
+  handling security vulnerabilities. Members of the Eclipse Foundation
-  committers on Eclipse Projects and members of the Eclipse
+  Security Team are selected amongs committers on Eclipse Projects, members
-  Architecture Council.
+  of the Eclipse Architecture Council, and Eclipse Foundation staff.
-</p>
-<p>
-  Contact the <a href="mailto:security@eclipse.org">Eclipse Security
-  Team</a>.
 </p>
-<p><strong>Note that, as a matter of policy, the security team does not
-	open attachments.</strong></p>
-<h2>Reporting a Security Vulnerability</h2>
-<p>Vulnerabilities can be reported either via email to the Eclipse
-  Security Team or directly with a project via the Eclipse Foundation's
-  Bugzilla instance.
 </p>
-<p>
  The general security mailing list address is <a
-    href="mailto:security@eclipse.org">security@eclipse.org</a>. Members
+    href="mailto:security@eclipse-foundation.org">security@eclipse-foundation.org</a>. Members
-  of the Eclipse Security Team will receive messages sent to this
+  of the Eclipse Foundation Security Team will receive messages sent to this
  address. This address should be used only for reporting undisclosed
  vulnerabilities; regular issue reports and questions unrelated to
-  vulnerabilities in Eclipse software will be ignored. Note that this
+  vulnerabilities in Eclipse Foundation software will be ignored. Note that
-  email address is not encrypted.
+  this email set to this address is not encrypted.
 </p>
+<p><strong>Note that, as a matter of policy, the security team does not
+	open attachments.</strong></p>
 <p>
  The community is also encouraged to report vulnerabilities using the
-  <a href="<?php echo $link; ?>">Eclipse Foundation's Bugzilla
+  <a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability">
-  instance</a>. Note that you will require an Eclipse Foundation account
+  Eclipse Foundation's issue tracker</a>. Note that you will
-  to create an issue report, but by doing so you will be able to participate
+  need an Eclipse Foundation account to create an issue report
+  (<a href="https://accounts.eclipse.org/user/register?destination=user">create
+  an account here if you do not have one</a>), but by doing so you will be able to participate
  directly in the resolution of the issue.
 </p>
-<p>
-  <?php print $form; ?>
-</p>
 <p>
  Issue reports related to vulnerabilities must be marked as
-  &quot;committers-only&quot;, either automatically by clicking the provide
+  &quot;confidential&quot;, either automatically by clicking the provided
-  link, by the reporter, or by a committer during the triage process. Note that issues marked
+  link by the reporter, or by a committer during the triage process.
-  &quot;committers-only&quot; are visible to all Eclipse committers. By
-  default, a &quot;committers-only&quot; issue is also accessible to the
-  reporter and individuals explicitly indicated in the &quot;cc&quot; list.
 </p>
 <h2>Disclosure</h2>
 <p>
-  Disclosure is initially limited to the reporter and all Eclipse
+  The timing and manner of disclosure is governed by
-  Committers, but is expanded to include other individuals, and the
+  the <a href="policy.php">Eclipse Foundation Vulnerability Reporting Policy</a>.
-  general public. The timing and manner of disclosure is governed by
-  the <a href="policy.php">Eclipse Security Policy</a>.
 </p>
 <p>
  Publicly disclosed issues are listed on the <a href="known.php">Disclosed
  Vulnerabilities Page</a>.
 </p>
 \ No newline at end of file