Marta Rybczynska's blog

    Update to vulnerability description - CVSS 4.0

    Friday, July 26, 2024 - 02:56 by Marta Rybczynska
    A vulnerability description includes several fields, like the title and description. However, one is causing difficulties for people writing CVE (Common Vulnerability Enumeration) entries: the CVSS (Common Vulnerability Scoring System) vector. CVSS is an important field because it answers a fundamental question about the vulnerability: "How serious is it?" A...

    Eclipse CycloneDDS Security Audit Has Been Completed

    Monday, June 24, 2024 - 08:21 by Marta Rybczynska
    Today, the Eclipse Foundation released the results of our security audit for Eclipse CycloneDDS. Findings from the audit have been addressed in the latest versioned source code of Eclipse CycloneDDS, available at https://github.com/eclipse-cyclonedds/cyclonedds. Eclipse CycloneDDS is an implementation of the Data Distribution Service (DDS) specification published by the...

    Eclipse Kuksa Security Audit Has Been Completed

    Tuesday, May 21, 2024 - 03:39 by Marta Rybczynska
    Today, the Eclipse Foundation released the results of our security audit for the Eclipse Kuksa project. Findings from the audit have been addressed in the latest versioned source code of Kuksa, available from https://github.com/eclipse-kuksa/kuksa-databroker. Please note that the repository has changed locations recently, so update your links. One...

    202404-01 Eclipse Foundation Security Advisory

    Thursday, April 4, 2024 - 00:21 by Marta Rybczynska
    The Eclipse Foundation Security Team has been made aware of the vulnerability VU#421644 affecting multiple HTTP/2 implementations, which could cause an out-of-memory crash. The crash could happen if there is an insufficient limit on the number of CONTINUATION frames in one stream. The description of the issue...

    Learning about security: by example

    Tuesday, October 31, 2023 - 08:36 by Marta Rybczynska
    During this year's EclipseCon, the Eclipse Foundation staff offered a tutorial on best practices in open-source projects. For people who could not be there or want to learn more, repositories are available for everyone to re-use! Repository Best Practices Tutorial The first tutorial focuses on securing repositories. Your task is...

    SECURITY.md: should I have it?

    Monday, July 31, 2023 - 10:33 by Marta Rybczynska
    You might have noticed a SECURITY.md file in git repositories of multiple projects. Should you have it? The answer is yes. Who uses SECURITY.md? When a security researcher has a potential vulnerability to communicate to a project, SECURITY.md is one of the first places (if not the first one) they...

    How to Report a Security Issue in an Eclipse Foundation Project?

    Friday, June 30, 2023 - 01:17 by Marta Rybczynska
    Have you found something that looks like a security issue in an Eclipse Foundation project? Here is a description of how to report it. Method 1: Project-specific Instructions First, check whether the project concerned has a SECURITY.md in its main repository. If it does, follow the instructions from that file. Method...

    Eclipse Foundation Default Security Tracker Moves!

    Thursday, June 29, 2023 - 16:16 by Marta Rybczynska
    Eclipse Foundation projects share a default way to report security issues. Security researchers and all concerned users can create private issues to describe potential security issues so that projects can learn about them, study and fix them. For years, security issues have been reported using Bugzilla. Recently, related to the...