
Using GitHub Private Vulnerability Reporting by Eclipse Foundation Projects

Thursday, August 8, 2024 - 14:31 by Marta Rybczynska

Eclipse Foundation projects can request to use GitHub Private Vulnerability Reporting. This feature allows committers of projects hosted on GitHub to receive potential vulnerability reports in a confidential way.

When you are working on an existing vulnerability report, you might see the “Request CVE” button. Please do not use it (if you do, the GitHub team will refuse to assign a CVE). Instead, request the CVE from the Eclipse Foundation Security Team by opening a ticket at https://gitlab.eclipse.org/security/cve-assignement/-/issues/new?issuable_template=cve

The reason is a current limitation: a CVE requested through GitHub does not carry all the information the Eclipse Foundation Security Team adds to its CVE entries, such as the correct project name, and the entry is allocated by a different CNA (CVE Numbering Authority) rather than by the Eclipse Foundation's own CNA.

We are collaborating with GitHub on a more streamlined process and hope to have a solution reasonably soon. 

To check whether private vulnerability reporting is already enabled for your repositories, navigate to the “Security” tab of each repository on github.com. You can also check the status of all repositories in your project at https://otterdog.eclipse.org. To enable private vulnerability reporting, use the self-service tool (Otterdog) or open a ticket on the Helpdesk.
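Checking the Security tab repository by repository does not scale for a project with many repositories. The script below is an added example (it is not Eclipse Foundation, Otterdog or GitHub tooling) that audits every repository of a GitHub organization through the REST endpoint `GET /repos/{owner}/{repo}/private-vulnerability-reporting`, which answers `{"enabled": true|false}`. It assumes a token with read access to the repositories in the `GITHUB_TOKEN` environment variable; the organization name `example-org`, the repository names and the responses in `offline_fetch` are constructed sample data so the logic can be run without network access.

```python
"""Audit private vulnerability reporting (PVR) across an organization's repositories.

Added example, not Eclipse Foundation or GitHub tooling. Uses only the documented
REST endpoints:
  GET /orgs/{org}/repos                                   -> list of repositories
  GET /repos/{owner}/{repo}/private-vulnerability-reporting -> {"enabled": bool}
"""
import json
import os
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API = "https://api.github.com"
PAGE_SIZE = 100


def github_get(path, token):
    """Minimal authenticated GET against the GitHub REST API; returns decoded JSON."""
    req = Request(API + path, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def org_repos(org, token, fetch=github_get):
    """Yield repository names of an organization, paging until a short page."""
    page = 1
    while True:
        batch = fetch(f"/orgs/{org}/repos?per_page={PAGE_SIZE}&page={page}", token)
        if not batch:
            return
        for repo in batch:
            yield repo["name"]
        if len(batch) < PAGE_SIZE:
            return
        page += 1


def pvr_status(owner, repo, token, fetch=github_get):
    """True/False for PVR on one repository, or None when the status cannot be read
    (for example a 404 because the token cannot see the repository). `fetch` is
    injectable so the logic can be exercised offline."""
    try:
        body = fetch(f"/repos/{owner}/{repo}/private-vulnerability-reporting", token)
    except HTTPError:
        return None
    enabled = body.get("enabled") if isinstance(body, dict) else None
    return enabled if isinstance(enabled, bool) else None


def audit(org, token, fetch=github_get):
    """Map repository name -> PVR status (True / False / None) for the whole org."""
    return {name: pvr_status(org, name, token, fetch) for name in org_repos(org, token, fetch)}


def repos_without_pvr(statuses):
    """Sorted names of repositories where PVR is confirmed disabled (None is reported separately)."""
    return sorted(name for name, enabled in statuses.items() if enabled is False)


# Constructed sample responses for an offline run (hypothetical org and repositories,
# not real GitHub data): alpha has PVR on, beta has it off, gamma is not readable.
def offline_fetch(path, token):
    if path.startswith("/orgs/example-org/repos"):
        page = int(path.rsplit("page=", 1)[1])
        return [{"name": "alpha"}, {"name": "beta"}, {"name": "gamma"}] if page == 1 else []
    responses = {
        "/repos/example-org/alpha/private-vulnerability-reporting": {"enabled": True},
        "/repos/example-org/beta/private-vulnerability-reporting": {"enabled": False},
    }
    if path in responses:
        return responses[path]
    raise HTTPError(API + path, 404, "Not Found", None, None)


def main():
    # With an org argument and GITHUB_TOKEN set, audit for real; otherwise run the offline sample.
    if len(sys.argv) == 2 and os.environ.get("GITHUB_TOKEN"):
        statuses = audit(sys.argv[1], os.environ["GITHUB_TOKEN"])
    else:
        statuses = audit("example-org", "dummy-token", offline_fetch)
    labels = {True: "enabled", False: "DISABLED", None: "unknown (not readable)"}
    for name, enabled in sorted(statuses.items()):
        print(f"{name}: {labels[enabled]}")
    print("needs PVR enabled:", ", ".join(repos_without_pvr(statuses)) or "none")


if __name__ == "__main__":
    main()
```

The script only reads status. Although GitHub also exposes a `PUT` on the same path to enable the feature, Eclipse projects should enable it through Otterdog or the Helpdesk as described above, so the repository configuration stays under the Foundation's management rather than diverging from it.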

For more information on handling vulnerability reports, see https://www.eclipse.org/projects/handbook/#vulnerability
