With over 425 open source projects and billions of downloads, it’s increasingly difficult for any Eclipse contributor to manage security best practices across their project and handle their dependencies appropriately. Through close collaboration and guidance for our community, the Eclipse Foundation makes it easier to mitigate risks in open source projects.
Transparency and trust are foundational and lead to an improved software security posture throughout the Eclipse community. Our security initiatives are designed to empower contributors with the knowledge and tools to manage OSS security risks effectively. This includes vulnerability management and reporting, project security support, best practices for repository management, developer training, self-service tools, and security advocacy.
Report a Vulnerability
To report a security vulnerability in an Eclipse Foundation Project, first check the project's repository for a SECURITY.md file and follow its instructions. If none exists, you can email the Eclipse Foundation Security Team at security@eclipse-foundation.org or use the dedicated issue tracker.
For the principles under which the Eclipse Foundation manages the reporting, management, discussion, and disclosure of vulnerabilities discovered in Eclipse software, refer to the Eclipse Foundation Vulnerability Reporting Policy.
For more details on how we handle vulnerability reports, see the dedicated chapter in the Eclipse Project Handbook.
Known Vulnerabilities and Advisories
Projects can communicate security information to users through security advisories. They describe a vulnerability (or a class of vulnerabilities) and the solutions to mitigate risks. They usually contain information on which product versions are affected and which contain a fix, including workarounds if available.
Key Services and Benefits
The Eclipse Foundation’s software security services ensure the integrity, authenticity, and compliance of Projects, empowering development teams with expert guidance, secure infrastructure, and essential training. By prioritising OSS security at every development stage, we help maintain the trustworthiness of our open source ecosystem, enabling projects to thrive while reducing risks and vulnerabilities.
Vulnerability Management and Reporting (PSIRT & CVE Assignment)
Eclipse Foundation’s Project Security Incident Response Team (PSIRT) manages vulnerability reporting, triage, disclosure, and remediation, while also acting as a CVE Numbering Authority (CNA).
Repository Management and Infrastructure Security
Best practices in repository management through self-service tools and the management of overall infrastructure security.
Project Security Support
Infrastructure support, OSS security audits, and guidance to help Projects improve their overall security posture.
Code and Artifacts Signing
Supports code and artifact signing to verify the authenticity and integrity of software releases.
Security Advocacy and Communication
Provides both inward (to all contributors) and outward (to the general technical public) communication to raise awareness and guide security best practices and achievements.
Developer Training
Educational programs to help developers learn best practices, secure coding principles, and vulnerability management.
About the Eclipse Foundation Security Team
The Eclipse Foundation (EF) Security Team is the part of the Eclipse Management Organization (EMO) tasked with software security and vulnerability coordination and management on behalf of the Eclipse community. It is composed of a small number of security experts.
The EF Security Team does not resolve vulnerabilities itself; they are addressed and resolved by a project's security team and committers, with guidance and assistance from the EF Security Team. The EF Security Team triages vulnerability reports and redirects them to the appropriate project.
Email the Eclipse Foundation Security Team at security@eclipse-foundation.org