Eclipse Foundation projects share a default way to report security issues. Security researchers and all concerned users can create private issues to describe potential security issues so that projects can learn about them, study and fix them. For years, security issues have been reported using Bugzilla. Recently, related to the process of sunsetting Bugzilla, this reporting facility has moved to the Eclipse Foundation GitLab instance.
Default Vulnerability Reporting
Any party (a security researcher, a user, a project developer) can report a confidential issue in the vulnerability tracker. When completing the report, please follow the template and fill in all the information you know. If you know which committers should be notified, add them as Assignees of the issue. By default, the Eclipse Foundation Security staff will have a look and assign the issue to the project leads and committers of the affected project. The issues will be made public when the issue is resolved and/or when 90 days have passed.
If you receive a notification of a new issue, please log in to the GitLab instance before accessing the issue. Otherwise, you will see a 404 error.
GitHub Security Advisories Pilot
Projects hosted on GitHub, may decide to handle their security issues by using GitHub Private Advisories. This feature allows everyone to report security issues and gives space to project developers to discuss fixes and prepare security advisories. If your project is interested, please create a Helpdesk issue.
Describing the Reporting Methods
Security researchers may not know the exact process to follow in your project. The best practice is to have a SECURITY.md file, at least in the main project repository, describing how to report security issues. In practice, it greatly reduces the risk of the reporter creating a public issue because they could not find a better way.
If you already have the file, change the link to fit the new tracker.
Final Remarks
Security reports might come to any project at random (and unexpected) times. Your project team must explain how they expect those reports to be sent and document that. Eclipse Foundation provides the infrastructure to the projects to use the generic security@eclipse-foundation.org mailing list, the default vulnerability tracker, or, if the project desires, a specific bug tracker for the project in question.
Additional Resources:
Eclipse Newsletter article from May 2023
