Update the handbook
diff --git a/handbook/eclipse.html b/handbook/eclipse.html
index 5aaa38a..b6b87d7 100644
--- a/handbook/eclipse.html
+++ b/handbook/eclipse.html
@@ -51,6 +51,7 @@
<li><a href="#resources-gitlab">GitLab</a></li>
<li><a href="#resources-github">GitHub</a></li>
<li><a href="#resources-gerrit">Gerrit Code Review</a></li>
+<li><a href="#resources-archiving-repositories">Archiving Repositories</a></li>
<li><a href="#resources-issues">Issue Trackers</a></li>
<li><a href="#resources-mailing-list">Mailing Lists</a></li>
<li><a href="#resources-forums">Forums and Outbound Communication</a></li>
@@ -61,12 +62,14 @@
<li><a href="#resources-signing">Signed Artifacts</a></li>
<li><a href="#resources-downloads">Downloads</a></li>
<li><a href="#resources-external">External Resources</a></li>
+<li><a href="#chat-service">Chat Service</a></li>
<li><a href="#resources-faq">Frequently Asked Questions</a></li>
</ul>
</li>
<li><a href="#vulnerability">Managing and Reporting Vulnerabilities</a>
<ul class="sectlevel2">
<li><a href="#vulnerability-team">Eclipse Foundation Security Team</a></li>
+<li><a href="#projects-security-team">Project’s Security Team</a></li>
<li><a href="#project-setup-for-vulnerability-reporting">Project Setup for Vulnerability Reporting</a></li>
<li><a href="#vulnerability-reporting">Reporting</a></li>
<li><a href="#vulnerability-disclosure">Disclosure</a></li>
@@ -232,7 +235,7 @@
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
-<p>Current as of 2024-07-16.</p>
+<p>Current as of 2024-08-19.</p>
</div>
</div>
</div>
@@ -1508,6 +1511,9 @@
<p><a href="#resources-mailing-list">Mailing lists</a>;</p>
</li>
<li>
+<p><a href="#chat-service">Chat service</a> based on Matrix protocol;</p>
+</li>
+<li>
<p>IT support via the <a href="https://gitlab.eclipse.org/eclipsefdn/helpdesk">Help Desk</a>;</p>
</li>
</ul>
@@ -2062,7 +2068,7 @@
<div class="sect3">
<h4 id="resources-github-self-service"><a class="anchor" href="#resources-github-self-service"></a><a class="link" href="#resources-github-self-service">Self-Service of GitHub Resources</a></h4>
<div class="paragraph">
-<p>The Eclipse Foundation offers self-service of GitHub resources via a tool named <a href="https://gitlab.eclipse.org/eclipsefdn/security/otterdog">Otterdog</a>.</p>
+<p>The Eclipse Foundation offers self-service of GitHub resources via a tool named <a href="https://github.com/eclipse-csi/otterdog">Otterdog</a>.</p>
</div>
<div class="paragraph">
<p>Upon opting-in, a new repository <em>.eclipsefdn</em> will be created that hosts the GitHub configuration as code.</p>
@@ -2134,6 +2140,15 @@
</div>
</div>
<div class="sect2">
+<h3 id="resources-archiving-repositories"><a class="anchor" href="#resources-archiving-repositories"></a><a class="link" href="#resources-archiving-repositories">Archiving Repositories</a></h3>
+<div class="paragraph">
+<p>If a repository belonging to a project is unmaintained or deprecated and will not receive any further updates, it is good practice to clearly indicate that in the corresponding <code>README.md</code> and <code>SECURITY.md</code> files of the repository with a migration path if applicable.</p>
+</div>
+<div class="paragraph">
+<p>Committers shall mark a deprecated repository as being <code>archived</code> either by using the <a href="#resources-github-self-service">Self-Service of GitHub Resources</a> or by <a href="https://gitlab.eclipse.org/eclipsefdn/helpdesk">opening a Help Desk issue</a> to request assistance from the Eclipse IT Team.</p>
+</div>
+</div>
+<div class="sect2">
<h3 id="resources-issues"><a class="anchor" href="#resources-issues"></a><a class="link" href="#resources-issues">Issue Trackers</a></h3>
<div class="paragraph">
<p>Eclipse projects must use an Eclipse Foundation-provided issue tracker. Project teams may opt to use either the <a href="#resources-gitlab">Eclipse Foundation GitLab</a> instance or — for projects that use <a href="#resources-github">GitHub</a> — GitHub Issues instances associated with Eclipse Foundation-managed GitHub project repositories.</p>
@@ -2458,6 +2473,50 @@
</div>
</div>
<div class="sect2">
+<h3 id="chat-service"><a class="anchor" href="#chat-service"></a><a class="link" href="#chat-service">Chat Service</a></h3>
+<div class="paragraph">
+<p>The chat service is a great way for projects to communicate and to connect with the community, provide real-time support, and to discuss project-related topics.</p>
+</div>
+<div class="paragraph">
+<p>Projects can request rooms/spaces for their project on the chat service. The channel name is of the form <code><mark><shortname></code> by default (e.g. <code>#dash</code> for the <code>technology.dash</code> project) and located by default in the <a href="https://chat.eclipse.org/" class="bare">https://chat.eclipse.org/</a></mark>/room/#eclipse-projects:matrix.eclipse.org[#eclipse-projects:matrix.eclipse.org] space.</p>
+</div>
+<div class="paragraph">
+<p>Custom rooms/spaces organization can be requested, see the following examples:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="https://chat.eclipse.org/#/room/#oniro:matrix.eclipse.org">oniro</a></p>
+</li>
+<li>
+<p><a href="https://chat.eclipse.org/#/room/#automotive.tractusx:matrix.eclipse.org">automotive.tractusx</a></p>
+</li>
+<li>
+<p>…​</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>All requests for new rooms/spaces have to be made by opening a <a href="https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/new?issue%5Btitle%5D=%5BChat%20service%5D%20Create%20room%20and%20space%20for%20%3CProject%3E&issuable_template=chat-service">Help Desk</a> issue.</p>
+</div>
+<div class="paragraph">
+<p>The chat service can be accessed via the web client at <a href="https://chat.eclipse.org/">chat.eclipse.org</a> or by using a Matrix client (e.g. Element, NeoChat, or <a href="https://matrix.org/ecosystem/clients">any other Matrix client</a>) via the <code>matrix.eclipse.org</code> server.</p>
+</div>
+<div class="paragraph">
+<p>For more information, please see the documentation <a href="https://chat.eclipse.org/docs/">here</a>:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="https://chat.eclipse.org/docs/getting-started/">Getting started with the chat service</a></p>
+</li>
+<li>
+<p><a href="https://chat.eclipse.org/docs/faq/">Frequently Asked Questions</a></p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect2">
<h3 id="resources-faq"><a class="anchor" href="#resources-faq"></a><a class="link" href="#resources-faq">Frequently Asked Questions</a></h3>
<div class="qlist qanda">
<ol>
@@ -2527,13 +2586,44 @@
<div class="sect2">
<h3 id="vulnerability-team"><a class="anchor" href="#vulnerability-team"></a><a class="link" href="#vulnerability-team">Eclipse Foundation Security Team</a></h3>
<div class="paragraph">
-<p>The Eclipse Foundation Security Team provides help and advice to Eclipse projects on security issues and is the first point of contact for handling security vulnerabilities. Members of the Security Team are selected from committers on Eclipse Projects, members of the <a href="#roles-ac">Eclipse Architecture Council</a>, and Eclipse Foundation staff.</p>
+<p>The Eclipse Foundation Security Team provides help and advice to Eclipse projects on security issues and is the first point of contact for handling security vulnerabilities. Members of the Security Team are selected from the Eclipse Foundation staff.</p>
</div>
<div class="paragraph">
<p>You can contact the Eclipse Foundation Security Team by sending email to <a href="mailto:security@eclipse-foundation.org">security@eclipse-foundation.org</a> or by open an issue in the <a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability">general vulnerability issue tracker</a>.</p>
</div>
</div>
<div class="sect2">
+<h3 id="projects-security-team"><a class="anchor" href="#projects-security-team"></a><a class="link" href="#projects-security-team">Project’s Security Team</a></h3>
+<div class="paragraph">
+<p>All project contributors are responsible for ensuring best security practices and following of the <a href="https://www.eclipse.org/security/policy.php">Eclipse Foundation Vulnerability Reporting Policy</a>. However, a specific group called the Project’s Security Team is responsible for handling undisclosed vulnerabilities. It is up to the project and project’s leadership chain to organise the Project’s Security Team. In the absence of other decisions, the Project’s Security Team includes all committers.</p>
+</div>
+<div class="paragraph">
+<p>The project might decide to include a subset of the committers in the team, for example based on their security experience. Any project committer can propose a creation of a separate Project’s Security Team. This is discussed by the project leadership and might be submitted to a vote of all committers. The same procedure applies to bringing the responsibility back to the complete group of committers.</p>
+</div>
+<div class="paragraph">
+<p>The project must provide a security contact to the Eclipse Foundation Security Team and should communicate that contact information to potential reporters (like security researchers).</p>
+</div>
+<div class="paragraph">
+<p>The following resources are recommended for each project’s security team:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>A <strong>private security mailing list</strong> that is to be used only for discussion of undisclosed vulnerabilities in this project. All communication should move to public channels after disclosure;</p>
+</li>
+<li>
+<p>A dedicated <strong>security project</strong> under the <a href="https://gitlab.eclipse.org/security/">Eclipse Foundation GitLab instance security tracker</a> for vulnerability reporting;</p>
+</li>
+<li>
+<p><strong>Enable private vulnerability reporting on GitHub</strong> when the project uses GitHub;</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>The Project’s Security Team members might grant access to specific issues to people outside of the team. Such rules should be defined by the Project’s Security Team and the PMI in advance.</p>
+</div>
+</div>
+<div class="sect2">
<h3 id="project-setup-for-vulnerability-reporting"><a class="anchor" href="#project-setup-for-vulnerability-reporting"></a><a class="link" href="#project-setup-for-vulnerability-reporting">Project Setup for Vulnerability Reporting</a></h3>
<div class="paragraph">
<p>The default project setup is to use general Eclipse Foundation reporting (see below). The strong recommendation is to list reporting methods clearly inside a <code>SECURITY.md</code> file in the main repository (also in other repositories if it makes sense) to help security researchers to communicate with the project in a secure way. Similar information should be available in the project’s documentation.</p>
@@ -2548,7 +2638,7 @@
<div class="sect2">
<h3 id="vulnerability-reporting"><a class="anchor" href="#vulnerability-reporting"></a><a class="link" href="#vulnerability-reporting">Reporting</a></h3>
<div class="paragraph">
-<p>Vulnerabilities can be reported via a project-specific security tracker, or via general Eclipse Foundation means: an email to <a href="mailto:security@eclipse-foundation.org">security@eclipse-foundation.org</a> or and issue in the <a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability">general vulnerability issue tracker</a>.</p>
+<p>Vulnerabilities can be reported via a project-specific security tracker, or via general Eclipse Foundation means: an email to <a href="mailto:security@eclipse-foundation.org">security@eclipse-foundation.org</a> or an issue in the <a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability">general vulnerability issue tracker</a>.</p>
</div>
<div class="paragraph">
<p>The general <a href="mailto:security@eclipse-foundation.org">security team email address</a> can be used to report vulnerabilities in any Eclipse Foundation project. Members of the Eclipse Foundation Security Team will receive messages sent to this address. This address should be used only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to vulnerabilities in Eclipse Foundation project software will be ignored. Note that this email address is not encrypted.</p>
@@ -2583,7 +2673,7 @@
<div class="sect2">
<h3 id="vulnerability-cve"><a class="anchor" href="#vulnerability-cve"></a><a class="link" href="#vulnerability-cve">Common Vulnerabilities and Exposure (CVE)</a></h3>
<div class="paragraph">
-<p>The Eclipse Foundation is a <a href="https://cve.mitre.org/">Common Vulnerabilities and Exposures</a> (CVE) Numbering Authority.</p>
+<p>The Eclipse Foundation is a <a href="https://cve.mitre.org/">Common Vulnerabilities and Exposures</a> (CVE) Numbering Authority and does assign CVE numbers to projects hosted by the Foundation.</p>
</div>
<div class="paragraph">
<p>A unique vulnerability number like a CVE allows developers, distributions and security researchers to talk about the same issue using a common name. It also helps the project documentation.</p>
@@ -2599,7 +2689,7 @@
</td>
<td class="content">
<div class="paragraph">
-<p>If you’re not sure whether or not a CVE is required, err on the side of caution and request one.</p>
+<p>If you’re not sure whether or not a CVE is required, err on the side of caution and request one. If the reporter requests a CVE number, the Eclipse Foundation Security Team will assign one if there is a reasonable probability of a real Vulnerability.</p>
</div>
<div class="paragraph">
<p>A CVE number related to a bugfix release gives users a clear sign that an update is strongly recommended.</p>
@@ -2705,7 +2795,7 @@
<p>Check the second checkbox when you’re ready for the Eclipse Foundation Security Team to submit the request to the central authority (that is, when you’re ready for the issue to be disclosed publicly).</p>
</div>
<div class="paragraph">
-<p>If the project is using a <a href="https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories">GitHub Security Advisory</a> to track mitigation of the vulnerability, the Security Team intervention will likely be required to submit the advisory. Click the second checkbox to indicate that you’re ready for the Security Team to submit the advisory on the project team’s behalf.</p>
+<p>If the project is using a <a href="https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories">GitHub Security Advisory</a> to track mitigation of the vulnerability, the Security Team intervention may be required to submit the advisory. Click the third checkbox to indicate that you’re ready for the Security Team to submit the advisory on the project team’s behalf.</p>
</div>
</div>
<div class="sect3">
@@ -2719,16 +2809,34 @@
<p><strong>Prepare the initial data</strong>: The project receives initial data in the report and assesses that it is a real vulnerability.</p>
</li>
<li>
-<p><strong>Request the number</strong>: When you know that there is a security issue (the fix is not yet needed at this point), contact the Eclipse Foundation Security Team to request the number.</p>
+<p><strong>Request the number</strong>: When you know that there is a security issue (the fix is not yet needed at this point), go to <a href="https://gitlab.eclipse.org/security/cve-assignement/-/issues/new?issuable_template=cve">the CVE Request form</a> to request the number. You do not need to fill the complete form if all the information is available in your advisory - in this case just submit the link to the advisory in your CVE request.</p>
</li>
+</ul>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAABHNCSVQICAgIfAhkiAAABSZJREFUWIXll1toVEcYgL+Zc87u2Yu7MYmrWRuTJuvdiMuqiJd4yYKXgMQKVkSjFR80kFIVJfWCWlvpg4h98sXGWGof8iKNICYSo6JgkCBEJRG8ImYThNrNxmaTeM7pQ5IlJkabi0/9YZhhZv7///4z/8zPgf+7KCNRLgdlJijXwRyuDTlcxV9hbzv8nQmxMjg+XDtiOEplkG9PSfkztGmTgmFQd+FCVzwa3fYN/PHZAcpBaReicW5xcbb64IEQqko8Lc26d/58cxS+/BY6hmJvyEfQBoUpwWCmW1FErKaGWHU13uRk4QkEUtxQNFR7QwIoB4eiKD9PWbVKbb10CZmaCqmpxCormRYO26QQx85B0mcD+AeK0xYvHqu1tNDx+DH6gQM4jh0j3tCA3tGBLyfHLuD7zwJwAcYqun44sHy51nr5MsqsWWj5+djCYdS5c4ldvUr24sU2qarflUL6qAN0wqH0vDy7+fAhXZEI+v79CNmt7igpofPVK5SmJvyhkJBwYlQBSiHd7vUWZ86bp8WqqtCWLkVbuBAhBEIItGAQ2+rVxG7cICMY1KTDsekc5IwagIQTmStXis47dzBiMfR9+xCi+wb39s79+zFiMczGRjLmzTMlnBoVgLMwyzF+/Cb/lClq2/Xr2AoKUKdPxzAMWltbiUajmKaJkpGBY8sW3tbW4g8EVNXrXVEKK0YMoMKp7Px8K15Tg2VZOHbvBiASiRAMBgkGg0QiEYQQOIuLsRSFrnv3yJo/HxVOW5947D4KUAa57qysvNSUFOVtbS32rVuRfj9CCFwuV2Kfy+VCCIFMScFVVET7/fukJidLm883rQy+HhaABUII8cvUNWt4W1WFcLvRd+5MnHl/AOjOB+eOHchx44jX1ZEdCqkSTpaDbcgA5+GrpNmzc9ymKdvr67Hv2oVMSko4cjgcKIqCoijoup64EdLpxLV3Lx1PnuCVUrgmTfK9hV1DAjgKqlSUk1PCYdl25QrS70cvLEw4SWS+04nT6XxvXgiBc8MGtKlTaa+rIysnR1Ok/OF38PxngAzY4VuwYKL99WvR8fQpjj17kLqeiL6393g8eDyeAWBSVfEcOkRXczOOaBRvVpZuDPJEDwD4DVyKrv+UlZurxSorUWfMQC8oGOBcCDHgC/Rdc4TD2BctIl5fT+bkyTahaXvOw8RPApiwd2Ju7hjZ2EhXSwvOkhKQcoADgIqKCioqKgYcQW9LOnIEIxZDbWpiXCCABT9+FKAUxtm83pKMUEiLVVejLVqEtmTJB50LIdi2bRuFPbnRd7232efMwbVuHR2PHjHR77dJXS8sg5mDAihweFJenmrevYvR1oazpGTQ6IQQaJqG7ClI/dd655IOHsSyLMSLF6QFAib9nugEQClk2Xy+orTsbK3t1i3sa9ei5eQMGr0QgvLyci5evDiocyEEtsxMPNu30/nsGRO8XlVzu8NlkNvrV+0T/fHMZcusrtu3MeNx9PXrobUVq8cYQrw3TrRub1h9+v573Bs3Ej1zBvP5c/zp6dbLhoaTwPy+ANKCfF92thq7dg2A6JYt/fNlxGK8eUNSerryHEJHQT8K8V4A5ztojty8OeaLzZul1DSwLCzDANPEMozusWFgmWZ33288YK3/nGlixuM0v3xpWfDX0Z4i1VupXEWwIgRnJfhGPfQ+YsLr+7DzNFwCuvqWyiRg7DSYoIBu9smPkYqEd4AwIN4ITUAL0A4Da7UC6ICdEfy2fUBMoAvo7GnWKNoemfwLcAuinuFNL7QAAAAASUVORK5CYII=" alt="Warning"/>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>GitHub will reject CVE number requests from Eclipse Foundation projects. Fill the <a href="https://gitlab.eclipse.org/security/cve-assignement/-/issues/new?issuable_template=cve">the CVE Request form</a> instead. Both teams are working on a solution to make this process more streamlined.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="ulist">
+<ul>
<li>
-<p><strong>Receive the number</strong>: The Eclipse Foundation Security Team will request a number and GitHub will assign one (or ask for more information in the report). You can start using it internally when preparing documentation of the release containing the fix.</p>
+<p><strong>Receive the number</strong>: The Eclipse Foundation Security Team will assign one (or ask for more information in the report). You can start using it internally when preparing documentation of the release containing the fix.</p>
</li>
<li>
<p><strong>Prepare the fix</strong> (with backports to all supported branches) and the release: The common practice is to avoid using the CVE number in the fix commit message or the fix itself. Use generic terms instead. The goal is to allow time for all users to upgrade without giving potential attackers too much information. See also the next step (you can do them in parallel).</p>
</li>
<li>
-<p><strong>Ask for publication of the issue</strong>: When you have the fix ready and published, as the Eclipse Foundation Security team to publish the advisory. Make sure that you specify the version (or versions) where the bug is fixed, including all stable branches. Fill in the description of the issue. You may also consider removing some of the comments (for example containing sensitive or incorrect information). At this stage you may decide to publish only partial information (for example without the link to the commit with the fix). Ideally your release happens earlier or at the same time as the publication. You can ask for a publication at your specific date, for example at your planned release date.</p>
+<p><strong>Ask for publication of the issue</strong>: When you have the fix ready and published, ask the Eclipse Foundation Security team to publish the advisory. Update your CVE request. Make sure that you specify the version (or versions) where the bug is fixed, including all stable branches. Fill in the description of the issue. You may also consider removing some of the comments (for example containing sensitive or incorrect information). At this stage you may decide to publish only partial information (for example without the link to the commit with the fix). Ideally your release happens earlier or at the same time as the publication. You can ask for a publication at your specific date, for example at your planned release date.</p>
</li>
<li>
<p><strong>See it publicly</strong>: The advisory becomes public, so is the CVE entry.</p>
@@ -2769,6 +2877,9 @@
<div class="paragraph">
<p>The request may optionally include additional information, such as a Common Vulnerability Scoring System (CVSS) code, a link to the commit fixing the issue etc.</p>
</div>
+<div class="paragraph">
+<p>Each CVE entry must include at least one public link.</p>
+</div>
<div class="listingblock">
<div class="title">Example CVE Report data</div>
<div class="content">
@@ -2798,6 +2909,29 @@
<p>If unsure on how to fill the form, ask the Eclipse Foundation Security Team for assistance.</p>
</div>
</div>
+<div class="sect3">
+<h4 id="cvss-scoring"><a class="anchor" href="#cvss-scoring"></a><a class="link" href="#cvss-scoring">CVSS Scoring</a></h4>
+<div class="paragraph">
+<p>The Eclipse Foundation CNA is currently using Common Vulnerability Scoring System (CVSS) version 4. The CVSS scoring gives an estimation of the impact of the issue. One important thing to know about CVSS is that it describes the situation under a <strong>reasonable worst-case scenario</strong>. This also means there might be differences in the scoring between different people.</p>
+</div>
+<div class="paragraph">
+<p>The final result (score) of CVSS if a value from 0.0 (minimal impact) to 10.0 (critical impact); in addition to the score, the CVSS also includes a more detailed explanation (vectors) of various factors.</p>
+</div>
+<div class="paragraph">
+<p>The Eclipse Foundation Security Team recommends to fill the following fields:
+* <strong>Attack Vector</strong>: Does the attacker need physical access to the system, a local account, or a local network (e.g., Bluetooth or the same IP subnet), or can the attack be conducted remotely?
+* <strong>Attack Complexity</strong>: is the attack easy to perform with code that will work every time (low complexity), or require work and preparation, or multiple attempts (to generate a race condition, for example) (high complexity)
+* <strong>Attack Requirements</strong>: shows if the attack is possible in all conditions. "None" means there are no specific conditions. However, "Present" means that the attack can take place in a particular configuration; the attacker needs to control the path between the user and the vulnerable system, and so on.
+* <strong>User Interaction</strong>: what is the involvement of the user? The score might be None (no user interaction required), Passive (involuntary actions from the user who is not working with the attacker), and Active (where the user is working with the attacker—for example, placing a file in a specific place or ignored a security warning).
+* <strong>Privileges Required</strong>: Does the attack require no permission at all? Low permissions (for example, a user account)? Or high permissions (for example, an administrator account)?
+* <strong>Product Confidentiality</strong>: There is either no loss of confidentiality, low loss with either a limited amount of confidential information obtained or limited control of what is obtained, or high loss when all confidential information of a system is available to the attacker.
+* <strong>Product Integrity</strong>: There is either no loss of integrity, a low loss with either limited or partial modification by the attacker, or a complete loss of integrity when the attacker can modify any information in the vulnerable component.
+* <strong>Product Availability</strong>: There is either no loss of availability, limited loss when, for example, the component is working slowly, or a high availability loss in case of a complete denial of service.
+* <strong>Subsequent Confidentiality/Integrity/Availability</strong> are scored as the above, but for systems that are not directly attacked, but might be impacted indirectly.
+* <strong>Vulnerability Response Effort</strong>: How much effort does responding to the vulnerability require? Is it a trivial change in a configuration, a simple update, or does a technician have to have physical access to each affected device?
+* <strong>Urgency</strong>: How urgent is it to remediate this vulnerability?</p>
+</div>
+</div>
</div>
<div class="sect2">
<h3 id="security-faq"><a class="anchor" href="#security-faq"></a><a class="link" href="#security-faq">Frequently Asked Questions</a></h3>
@@ -2805,7 +2939,7 @@
<ol>
<li>
<p><em>In what form should a disclosure be published? Is publishing the bug on the <a href="https://www.eclipse.org/security/known.php">Known Vulnerabilities page</a> enough? </em></p>
-<p>Publishing on the Known Vulnerabilities page will happen automatically. This is minimal disclosure. Whether or not you should do more is a project team decision. If you need help with that decision, connect with your <a href="#roles-pmc">Project Management Committee</a> (PMC) or the Security Team.</p>
+<p>Publishing on the Known Vulnerabilities page will happen automatically. This is minimal disclosure. Whether or not you should do more is a project team decision. If you need help with that decision, connect with your <a href="#roles-pmc">Project Management Committee</a> (PMC) or the Eclipse Foundation Security Team.</p>
<div class="paragraph">
<p>If the vulnerability real and is in release software (i.e., it’s likely to have been adopted), you should <a href="#vulnerability-cve">request a CVE</a>.</p>
</div>
@@ -2843,40 +2977,56 @@
<div class="paragraph">
<p>If you’re not sure, check with your PMC or the <a href="#vulnerability-team">Security Team</a>.</p>
</div>
-<div class="paragraph">
-<p>It’s a bit of a rite of passage for an open source project to disclose their first vulnerability. If in doubt, ask the Eclipse Foundation Security Team for guidance.</p>
-</div>
</li>
-<li>
-<p><em>Do we need a <a href="#vulnerability-cve">CVE</a> for versions of software that we released before moving our project to the Eclipse Foundation? </em></p>
-<p>The answer to this is not obvious, but as a general rule…​ no. The answer is not obvious because the continuity of the source of affected products may not be obvious (or relevant) to consumers, and it is not strictly wrong for a CVE Numbering Authority to create a CVE for a version of a product not immediately in their purview.</p>
-<div class="paragraph">
-<p>Ultimately, whether or not we should create a CVE is the project team’s call.</p>
+</ol>
</div>
-</li>
-<li>
-<p><em>I think that my project hasn’t received all notifications about security issues? </em></p>
+<div class="paragraph">
+<p>If the reporter requests a CVE number, the Eclipse Foundation Security team will assign one if there is a reasonable probability of a real Vulnerability.</p>
+</div>
+<div class="paragraph">
+<p>+
+It’s a bit of a rite of passage for an open source project to disclose their first vulnerability. If in doubt, ask the Eclipse Foundation Security Team for guidance.</p>
+</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1">Do we need a <a href="#vulnerability-cve">CVE</a> for versions of software that we released before moving our project to the Eclipse Foundation? </dt>
+<dd>
+<p>The answer to this is not obvious, but as a general rule…​ no. Ultimately, whether or not we should create a CVE is the project team’s call.</p>
+</dd>
+</dl>
+</div>
+<div class="paragraph">
+<p>It might be that the previous CNA is more appropriate for releasing the CVE.</p>
+</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1">Do we release CVEs for end-of-life versions? </dt>
+<dd>
+<p>In general, yes. The Project might decide not to release one, but in this case the reporter may request a CVE from another CNA. In this case, the Project will have no control on the content of the entry. The Eclipse Foundation Security team recommends projects to clearly mark supported and unsupported versions, but still release CVEs for all of them, even if some CVEs will never receive a fix.</p>
+</dd>
+<dt class="hdlist1">I think that my project hasn’t received all notifications about security issues? </dt>
+<dd>
<p>In this case, please contact the <a href="#vulnerability-team">Security Team</a>. Please note that the Eclipse Foundation Security Team notifies project leads by default.</p>
-</li>
-<li>
-<p><em>I can’t see a confidential issue in the Eclipse Foundation GitLab instance </em></p>
+</dd>
+<dt class="hdlist1">I can’t see a confidential issue in the Eclipse Foundation GitLab instance </dt>
+<dd>
<p>If you have received a notification of a confidential issue by email, make sure to log in to the Eclipse Foundation instance of GitLab first, before following the link. Otherwise you will get a 404 error page.</p>
<div class="paragraph">
-<p>If you are following a link, verify with the person managing the issue (for example the reporter) if you have been added to the issue. Currently, in the general issue tracker, each person needs to be added manually. In case of difficulties, ask the Eclipse Foundation Security team for assistance.</p>
+<p>If you are following a link, verify with the person managing the issue (for example the reporter) if you have been added to the issue. Currently, in the general issue tracker, each person needs to be added manually. In case of difficulties, ask the Eclipse Foundation Security Team for assistance.</p>
</div>
<div class="paragraph">
<p>Also please note that we need an activated GitLab account to add a user to a confidential issue. In practice, the user needs to log in into the Eclipse Foundation GitLab instance at least once.</p>
</div>
-</li>
-<li>
-<p><em>Confidential issues are not visible to all committers </em></p>
-<p>Currently, in the general issue tracker, each person needs to be added manually. In case of difficulties, ask the Eclipse Foundation Security team for assistance.</p>
-</li>
-<li>
-<p><em>I can see <code>.eclipsefdn</code> repository in my project. What is this? </em></p>
+</dd>
+<dt class="hdlist1">Confidential issues are not visible to all members of the Project’s Security Team </dt>
+<dd>
+<p>Currently, in the general issue tracker, each person needs to be added manually. In case of difficulties, ask the Eclipse Foundation Security Team for assistance.</p>
+</dd>
+<dt class="hdlist1">I can see <code>.eclipsefdn</code> repository in my project. What is this? </dt>
+<dd>
<p>This repository is used to keep project management data. See the related <a href="#resources-github-self-service">documentation</a> or ask the Eclipse Foundation staff for help.</p>
-</li>
-</ol>
+</dd>
+</dl>
</div>
</div>
</div>
@@ -10271,12 +10421,36 @@
<div class="ulist">
<ul>
<li>
+<p>2024-08-19 Minor spelling and grammar fixes.</p>
+</li>
+<li>
+<p>2024-08-19 Restore the copyright and licence header</p>
+</li>
+<li>
+<p>2024-08-06 feat: add chat service</p>
+</li>
+<li>
+<p>2024-07-31 security: add a chapter on CVSS</p>
+</li>
+<li>
+<p>2024-07-31 security.adoc: update the section on private advisories</p>
+</li>
+<li>
+<p>2024-07-18 Add section about archiving repositories</p>
+</li>
+<li>
<p>2024-07-16 Add an Incubation section</p>
</li>
<li>
<p>2024-07-16 Add discussion of "Other Roles"</p>
</li>
<li>
+<p>2024-07-10 security: add Project’s Security Teams</p>
+</li>
+<li>
+<p>2024-07-10 resources: update Otterdog links</p>
+</li>
+<li>
<p>2024-07-08 Update the IP content</p>
</li>
<li>
@@ -10291,39 +10465,6 @@
<li>
<p>2024-05-23 Use positive language to describe conditions when review is required.</p>
</li>
-<li>
-<p>2024-05-13 Restore EMO as "Eclipse Management Organization" per the bylaws</p>
-</li>
-<li>
-<p>2024-05-13 Add a caveat regarding ownership of trademarks when starting a project</p>
-</li>
-<li>
-<p>2024-05-13 Refine the committer election content.</p>
-</li>
-<li>
-<p>2024-05-01 Add the Generative AI Usage guidelines.</p>
-</li>
-<li>
-<p>2024-05-01 Minor fixes.</p>
-</li>
-<li>
-<p>2024-04-19 Add a section describing our OpenChain conformance claims.</p>
-</li>
-<li>
-<p>2024-04-18 Consistently use "third party" rather than "third-party"</p>
-</li>
-<li>
-<p>2024-04-18 Use inclusive language</p>
-</li>
-<li>
-<p>2024-04-18 Consistently refer to the "Eclipse IT Team"</p>
-</li>
-<li>
-<p>2024-04-18 The project scope should be expressed in the present tense.</p>
-</li>
-<li>
-<p>2024-04-18 Add an FAQ entry "Why doesn’t company logo appear?"</p>
-</li>
</ul>
</div>
</div>