<?php
/**
 * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
 *
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
 *
 * Contributors:
 *   Wayne Beaton (Eclipse Foundation) - initial API and implementation
 *   Christopher Guindon (Eclipse Foundation)
 *
 * SPDX-License-Identifier: EPL-2.0
 */

/*
 * Assemble the base URL and the interesting arguments
 * separately. We'll combine them into a URL and a form.
 */
$bugzilla = 'https://bugs.eclipse.org/bugs/enter_bug.cgi';
$options = array(
    'product'   => 'Community',
    'component' => 'Vulnerability Reports',
    'keywords'  => 'security',
    'groups'    => 'Security_Advisories'
);

/*
 * Assemble the bits into the artifacts that we're going to
 * need: a query string for the link and hidden inputs for the form.
 */
$args = array();
$inputs = array();
foreach ($options as $key => $value) {
    // Percent-encode each key and value for the query string; rawurlencode()
    // turns spaces into %20 and also covers any other reserved characters.
    $args[] = rawurlencode($key) . '=' . rawurlencode($value);
    // Escape the same values for use inside HTML attributes.
    $inputs[] = '<input type="hidden" name="' . htmlspecialchars($key, ENT_QUOTES)
        . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '"/>';
}
$inputs[] = '<button type="submit">Report a potential vulnerability now</button>';

$link = $bugzilla . '?' . implode('&', $args);
$form = '<form method="get" action="' . htmlspecialchars($bugzilla, ENT_QUOTES) . '">'
    . implode('', $inputs) . '</form>';

?>
<p>
<i>ISO 27005 defines vulnerability as: "A weakness of an asset
or group of assets that can be exploited by one or more
threats."</i>
</p>
<h2>The Eclipse Security Team</h2>
<p>The Eclipse Security Team provides help and advice to Eclipse
projects on vulnerability issues and is the first point of contact for
handling security vulnerabilities. Members of the Security Team are
committers on Eclipse Projects and members of the Eclipse
Architecture Council.
</p>
<p>
Contact the <a href="mailto:security@eclipse.org">Eclipse Security
Team</a>.
</p>

<p><strong>Note that, as a matter of policy, the security team does not
open attachments.</strong></p>

<h2>Reporting a Security Vulnerability</h2>
<p>Vulnerabilities can be reported either via email to the Eclipse
Security Team or directly with a project via the Eclipse Foundation's
Bugzilla instance.
</p>
<p>
The general security mailing list address is <a
href="mailto:security@eclipse.org">security@eclipse.org</a>. Members
of the Eclipse Security Team will receive messages sent to this
address. This address should be used only for reporting undisclosed
vulnerabilities; regular issue reports and questions unrelated to
vulnerabilities in Eclipse software will be ignored. Note that this
email address is not encrypted.
</p>
<p>
The community is also encouraged to report vulnerabilities using the
<a href="<?php echo htmlspecialchars($link, ENT_QUOTES); ?>">Eclipse Foundation's Bugzilla
instance</a>. Note that you will require an Eclipse Foundation account
to create an issue report, but by doing so you will be able to participate
directly in the resolution of the issue.
</p>
<p>
<?php print $form; ?>
</p>
<p>
Issue reports related to vulnerabilities must be marked as
"committers-only", either automatically by clicking the provided
link, by the reporter, or by a committer during the triage process. Note that issues marked
"committers-only" are visible to all Eclipse committers. By
default, a "committers-only" issue is also accessible to the
reporter and individuals explicitly indicated in the "cc" list.
</p>
<h2>Disclosure</h2>
<p>
Disclosure is initially limited to the reporter and all Eclipse
Committers, but is subsequently expanded to include other individuals
and the general public. The timing and manner of disclosure is governed by
the <a href="policy.php">Eclipse Security Policy</a>.
</p>
<p>
Publicly disclosed issues are listed on the <a href="known.php">Disclosed
Vulnerabilities Page</a>.
</p>