
Security Training on Vulnerability Management and SBOMs - Videos are Online!

Tuesday, July 1, 2025 - 05:39 by Marta Rybczynska

In early June 2025, the Eclipse Foundation Security Team delivered the second part of our security training for developers. The first day covered the basics of vulnerability management, and the second day delved into more complex subjects like multi-project coordination, embargoes, and SBOM management. We also introduced our SBOM early adopter project.

For those who could not attend or are just now learning about the training, videos and slides from all sessions are available.

Section 1: Vulnerability Management Introduction

We covered what a vulnerability is: a weakness that can be exploited and that affects one or more of the security principles of confidentiality, integrity, and availability. Then we explored the main vulnerability databases, including CVE (Common Vulnerabilities and Exposures), and decoded abbreviations like NVD (National Vulnerability Database), CVSS (Common Vulnerability Scoring System), and more.

Section 2: Vulnerability Management at Eclipse Foundation

In this section, we went more in depth on how vulnerability management works in practice and which tools we use to coordinate: mailing lists, vulnerability reporting through the EF GitLab instance, and GitHub's private security advisories for projects hosted there.

This session will also be useful for people working on projects hosted on other infrastructure, because the tools and workflows are similar everywhere.

Section 3: Coordinated Disclosures and Embargoes

The third session digs deeper into more complicated cases: synchronizing multiple projects that need to fix the same or a similar issue, and coordinating their releases. We also talk about embargoes and about coordinators who can help with vulnerability management.

Section 4: Dependency Management

We have seen in recent years that dependency management is crucial for project security, because dependencies can hide threats or unfixed vulnerabilities. In this section, we use the XZ and Log4j incidents as examples and show best practices for handling dependencies, including automated tooling such as Dependabot (for projects on GitHub).

Section 5: SBOM (Software Bill of Materials)

The section on SBOMs introduces the concept by comparing an SBOM to a cooking recipe, and then gets (way) more technical about the tools you can use today to generate SBOMs for your projects. We also introduce the early adopter program for SBOMs, including our Dependency-Track instance.
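To make concrete what an SBOM buys you once it exists, here is a small added example (not part of the training materials, and not Eclipse Foundation or Dependency-Track code): a Python script that reads a CycloneDX SBOM, indexes its components by package URL (purl), and matches them against an advisory list, which is the core of what Dependency-Track does at scale. The SBOM, the component names and versions, and the advisory identifiers are all constructed for the example; components without a purl are reported rather than silently skipped, because they are exactly the ones no automated matching can cover.

```python
import json
from collections import defaultdict

# Constructed CycloneDX SBOM: hypothetical components, not from any real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.example", "name": "demo-lib",
         "version": "1.2.3", "purl": "pkg:maven/org.example/demo-lib@1.2.3?type=jar"},
        {"type": "library", "group": "org.example", "name": "other-lib",
         "version": "2.0.0", "purl": "pkg:maven/org.example/other-lib@2.0.0"},
        # A component without a purl cannot be matched automatically.
        {"type": "library", "name": "vendored-snippet", "version": "0.1"},
    ],
})

# Constructed advisory list (hypothetical IDs): unversioned purl -> affected versions.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:maven/org.example/demo-lib",
     "affected": ["1.2.2", "1.2.3"], "fixed": "1.2.4"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:maven/org.example/other-lib",
     "affected": ["1.9.0"], "fixed": "2.0.0"},
]


def split_purl(purl):
    """Split a purl into (base, version), dropping subpath and qualifiers.

    purl layout: scheme:type/namespace/name@version?qualifiers#subpath
    """
    base = purl.split("#", 1)[0].split("?", 1)[0]
    base, _, version = base.partition("@")
    return base, version


def parse_sbom(text):
    """Return (components that carry a purl, names of components lacking one)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    usable, unmatched = [], []
    for comp in doc.get("components", []):
        if comp.get("purl"):
            usable.append(comp)
        else:
            unmatched.append(comp.get("name", "<unnamed>"))
    return usable, unmatched


def match_advisories(components, advisories):
    """Return [(advisory id, versioned purl, fixed version)] for affected components."""
    versions_by_base = defaultdict(set)
    for comp in components:
        base, version = split_purl(comp["purl"])
        versions_by_base[base].add(version)
    hits = []
    for adv in advisories:
        for version in sorted(versions_by_base.get(adv["purl"], ())):
            if version in adv["affected"]:
                hits.append((adv["id"], f"{adv['purl']}@{version}", adv["fixed"]))
    return hits


def audit(sbom_text=SAMPLE_SBOM, advisories=SAMPLE_ADVISORIES):
    """Run the whole check and return findings plus the components we could not check."""
    components, unmatched = parse_sbom(sbom_text)
    return {"hits": match_advisories(components, advisories), "unmatched": unmatched}


if __name__ == "__main__":
    result = audit()
    for adv_id, purl, fixed in result["hits"]:
        print(f"{adv_id}: {purl} is affected, fixed in {fixed}")
    for name in result["unmatched"]:
        print(f"warning: {name} has no purl and was not checked")
```

Run it on a real SBOM by passing the file contents to `audit()` together with an advisory list in the same shape; with the constructed data it reports the demo-lib advisory and warns about the purl-less component. Version matching here is exact string comparison, which is enough for the example but not a substitute for the range semantics a real advisory feed (and Dependency-Track) applies.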

If your project is hosted at the Eclipse Foundation and would like to take part in the early adopter program for SBOMs, see the slides below for details on how to contact the EF Security Team.

Share these resources with developers and projects that might be interested!

We will be running more training sessions over the coming months; stay tuned!

This training has been funded by the Sovereign Tech Fund (a program of the Sovereign Tech Agency) as part of our previously announced collaboration.