security

Announcing Security Training on Vulnerability Management, SBOM and related subjects

Monday, May 19, 2025 - 09:11 by Marta Rybczynska
Do you want to know more about vulnerability management? As a developer, you might receive reports, or need to create some for your upstream projects. As a user, you might find something that could have security impacts. As a Committer, you want to know how to best manage reports your...

The Cyber Resilience Act is Here

Wednesday, November 20, 2024 - 12:02 by Mike Milinkovich
With the recent publication of the EU’s Cyber Resilience Act (CRA) in the EU official journal, a 3-year race now begins for compliance by the global technology industry. This legislation sets new cybersecurity requirements that manufacturers and the open source projects they rely upon must meet. The open source...

The Eclipse Foundation offers a free security training for all Committers and Contributors

Monday, October 21, 2024 - 11:39 by Marta Rybczynska
You know that security is important but just have no time to spend digging into numerous tutorials and guides to figure out what’s relevant to you. To support fellow developers, the Eclipse Foundation is offering free security training for all Committers and Contributors. The complete training contains three parts: the...

Securing the Future of Open Source: Launching the Open Regulatory Compliance Working Group

Tuesday, September 24, 2024 - 07:00 by Mike Milinkovich
Today marks an important milestone for the open source community. As open source software continues to drive innovation across industries, ensuring its relevance and compliance with emerging regulations has never been more critical. To address these challenges, the Eclipse Foundation is proud to announce the formal launch of the Open...

Per-Project Security Teams FAQ

Wednesday, September 4, 2024 - 04:57 by Marta Rybczynska
In response to requests from various projects and after discussions between the Eclipse Foundation Security Team and the Architecture Council, we announced the creation of Project Security Teams (see the discussion at https://github.com/orgs/eclipse-csi/discussions/4). This blog post gives an overview of various questions that we have received in the last...

DO NOT USE IN PRODUCTION

Wednesday, August 28, 2024 - 00:41 by Marta Rybczynska
Do you have a demo or examples in a specific repository? Or perhaps you have a functionality that needs time to mature, and you publish it in the open source spirit, but nobody should use it (yet) in a production setup? If you have such code, mark it clearly...

Using GitHub Private Vulnerability Reporting by Eclipse Foundation Projects

Thursday, August 8, 2024 - 14:31 by Marta Rybczynska
Eclipse Foundation projects can request to use GitHub Private Vulnerability Reporting. This feature allows committers of projects hosted on GitHub to receive potential vulnerability reports in a confidential way. When you are working on an existing vulnerability report, you might see the “Request CVE” button. Please do not use...

Update to vulnerability description - CVSS 4.0

Friday, July 26, 2024 - 02:56 by Marta Rybczynska
A vulnerability description includes several fields, like the title and description. However, one is causing difficulties for people writing CVE (Common Vulnerability Enumeration) entries: the CVSS (Common Vulnerability Scoring System) vector. CVSS is an important field because it answers a fundamental question about the vulnerability: "How serious is it?" A...