[496425] Security policy should not reference specific technologies
At present, Bugzilla is the only place where vulnerability issues can be
reported, so we're leaving specific references to Bugzilla in the
document. The use of the word "bug", however, has been changed to
"issue".
diff --git a/index.php b/index.php
index 3037ec8..8b072bc 100755
--- a/index.php
+++ b/index.php
@@ -51,18 +51,18 @@
href="mailto:security@eclipse.org">security@eclipse.org</a>. Members
of the Eclipse Security Team will receive messages sent to this
address. This address should be used only for reporting undisclosed
- Vulnerabilities; regular bug reports and questions unrelated to
+ Vulnerabilities; regular issue reports and questions unrelated to
Vulnerabilities in Eclipse software will be ignored. Note that this
email address is not encrypted.
</p>
<p>
The community is also encouraged to report Vulnerabilities using the
standard <a href="https://bugs.eclipse.org/bugs">Eclipse Bugzilla</a>
- instance. Bug reports related to Vulnerabilities must be marked as
+ instance. Issue reports related to Vulnerabilities must be marked as
"committers-only", either by the reporter, or by a
- committer during the triage process. Note that bugs marked
+ committer during the triage process. Note that issues marked
"committers-only" are visible to all Eclipse committers. By
- default, a "committers-only" bug is also accessible to the
+ default, a "committers-only" issue is also accessible to the
reporter and individuals explicitly indicated in the "cc" list.
</p>
@@ -74,7 +74,7 @@
the <a href="policy.php">Eclipse Security Policy</a>.
</p>
<p>
- Publicly disclosed bugs are listed on the <a href="known.php">Disclosed
+ Publicly disclosed issues are listed on the <a href="known.php">Disclosed
Vulnerabilities Page</a>.
</p>
</div>
diff --git a/policy_2011.php b/policy_2011.php
index d971d52..0db3a25 100755
--- a/policy_2011.php
+++ b/policy_2011.php
@@ -72,21 +72,21 @@
<p>The general security mailing list address is security@eclipse.org.
Members of the Eclipse Security Team will receive messages sent to
this address. This address should be used only for reporting
- undisclosed Vulnerabilities; regular bug reports and questions
+ undisclosed Vulnerabilities; regular issue reports and questions
unrelated to Vulnerabilities in Eclipse software will be ignored.
Note that this email address is not encrypted.</p>
<p>The community is encouraged to report Vulnerabilities using the
- standard Eclipse Bugzilla instance. Bug reports related to
+ standard Eclipse Bugzilla instance. Issue reports related to
Vulnerabilities must be marked as "committers-only", either by the
reporter, or by a committer during the triage process.</p>
- <p>Note that bugs marked "committers-only" are visible to all Eclipse
- committers. By default, a "committers-only" bug is also accessible to
+ <p>Note that issues marked "committers-only" are visible to all Eclipse
+ committers. By default, a "committers-only" issue is also accessible to
the reporter and individuals explicitly indicated in the "cc" list.
These defaults can be overridden to further restrict access at the
discretion of the committer and project leadership.</p>
<dl>
<dd>
- <i>Note that Bugzilla sends out emails as bugs are modified. Email
+ <i>Note that Bugzilla sends out emails as issues are modified. Email
is inherently insecure.</i>
</dd>
</dl>
@@ -147,17 +147,17 @@
<h3>Quiet Disclosure</h3>
<p>
A Vulnerability can be <i>quietly</i> disclosed by simply removing
- the 'committers_only' flag. The bug's history will record that the
- flag has been removed, and the bug will become visible for everyone
+ the 'committers_only' flag. The issue's history will record that the
+ flag has been removed, and the issue will become visible for everyone
in searches.
</p>
- <p>In general, quiet disclosure is appropriate only for bugs that are
+ <p>In general, quiet disclosure is appropriate only for issues that are
identified by a committer as having been erroneously marked as
Vulnerabilities.</p>
<a name="Progressive_Disclosure"></a>
<h3>Progressive Disclosure</h3>
<p>Knowledge of a Vulnerability can be easily extended to individuals
- by adding them to the "cc" list on the bug. A Vulnerability may--at
+ by adding them to the "cc" list on the issue. A Vulnerability may--at
the discretion of the committer--be disclosed to specific
individuals. A committer may, for example, provide access to a
subject-matter expert to solicit help or advice. The Vulnerability
@@ -166,7 +166,7 @@
resolution.</p>
<p>Contacts added to an unresolved Vulnerability must be individuals.
Groups (e.g. mailing lists)--with the exception of
- security@eclipse.org--should never be copied on a Vulnerability bug.
+ security@eclipse.org--should never be copied on a Vulnerability issue.
</p>
<a name="Full_Disclosure"></a>
<h3>Full Disclosure</h3>
@@ -182,8 +182,8 @@
href="#Distribution" title="">Distribution</a>).
</p>
<p>To complete the disclosure of a Vulnerability, the committers-only
- flag must be removed from the bug and the 'security' keyword added.
- Bugs in this state are automatically reported on the security page
+ flag must be removed from the issue and the 'security' keyword added.
+ Issues in this state are automatically reported on the security page
and RSS feed.</p>
<a name="Escalation"></a>
<h3>Escalation</h3>
