[go: up one dir, main page]
More Web Proxy on the site http://driver.im/Skip to main content

With over 425 open source projects and billions of downloads, it’s increasingly difficult for any Eclipse contributor to manage security best practices across their project and handle their dependencies appropriately. Through close collaboration and guidance for our community, the Eclipse Foundation makes it easier to mitigate risks in open source projects.

Transparency and trust are foundational and lead to an improved software security posture throughout the Eclipse community. Our security initiatives are designed to empower contributors with the knowledge and tools to manage OSS security risks effectively. This includes vulnerability management and reporting, project security support, best practices for repository management, developer training, self-service tools, and security advocacy.

Report a Vulnerability

To report a security vulnerability in an Eclipse Foundation Project, first, check the project’s repository for a SECURITY.md file and follow its instructions. If none exist, you can email the Eclipse Foundation Security Team at security@eclipse-foundation.org or use the dedicated issue tracker

For the principles under which the Eclipse Foundation manages the reporting, management, discussion, and disclosure of vulnerabilities discovered in Eclipse software, refer to the Eclipse Foundation Vulnerability Reporting Policy.

For more details on how we handle vulnerability reports, see the dedicated chapter in the
Eclipse Project Handbook.

Known Vulnerabilities and Advisories

Projects can communicate security information to users through security advisories. They describe a vulnerability (or a class of vulnerabilities) and the solutions to mitigate risks. They usually contain information on which product versions are affected and which contain a fix, including workarounds if available.

To see the vulnerabilities affecting Eclipse sites and Projects, refer to the Eclipse Known Vulnerabilities page.
There is a dedicated section about security advisories in the Eclipse Security Handbook

Key Services and Benefits

The Eclipse Foundation’s software security services ensure the integrity, authenticity, and compliance of Projects, empowering development teams with expert guidance, secure infrastructure, and essential training. By prioritising OSS security at every development stage, we help maintain the trustworthiness of our open source ecosystem, enabling projects to thrive while reducing risks and vulnerabilities.

Vulnerability Management and Reporting
(PSIRT & CVE Assignment)

Eclipse Foundation’s Project Security Incident Response Team (PSIRT) manages vulnerability reporting, triage, disclosure, and remediation, while also acting as a CVE Numbering Authority (CNA).

Repository Management and
Infrastructure Security

Best practices in repository management through self-service tools and the management of overall infrastructure security.

Project Security Support

Infrastructure support, OSS security audits, and guidance to help Projects improve their overall security posture.

Code and Artifacts Signing

Supports code and artifact signing to verify the authenticity and integrity of software releases.

Security Advocacy and Communication

Provides both inward (to all contributors) and outward (to the general technical public) communication to raise awareness and guide security best practices and achievements.

Developer Training

Educational programs to help developers learn best practices, secure coding principles, and vulnerability management.

About the Eclipse Foundation
Security Team

The Eclipse Foundation (EF) Security Team is the part of the Eclipse Management Organization (EMO) tasked with software security and vulnerability coordination and management on behalf of the Eclipse community. It is composed of a small number of security experts. 

The EF Security Team does not resolve vulnerabilities; rather, they are addressed and resolved by a project's security team and committers with guidance and assistance from the EF Security Team. The EF Security team triages and redirects vulnerability reports to the appropriate project.

Email the Eclipse Foundation

 Security Team at
security@eclipse-foundation.org

Insights & Resources

News & Events

View All

Back to the top