Eclipse Foundation is a CVE Numbering Authority

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority.

Eclipse project committers can use the tools that best suit their needs to remediate their vulnerability, provided that–when disclosed–related issues are tracked via the official (open and transparent) project issue tracker. To the extent possible, tools used to remediate a vulnerability must be vendor neutral; that is, all project committers should be able to participate in the remediation process.

Eclipse open source project committers can request a CVE by opening an issue in the Eclipse Foundation’s Bugzilla instance (this will change soon to use the Eclipse Foundation’s GitLab instance instead, stay tuned). Committers have the ability to mark individual issues as “committers-only” in Bugzilla, limiting the issue’s visibility while the project team works on remediation. At the project team’s discretion, the Bugzilla record can be used to track remediation, if only as a means of having a semi-private discussion (that will ultimately be made public).

All vulnerabilities must be disclosed, regardless of whether or not they are actually fixed. Absent special circumstances, vulnerabilities must be disclosed to the community after no more than three months.

Whether or not a CVE is required is the project team’s call. A project committer must make the request and provide the information that we need to push the request to the central authority. When the project team isn’t sure, the Eclipse Foundation’s Security Team can help. Note that the Security Team help facilitate mitigation and provide advice; they’re not (necessarily) the ones who identify issues or submit patches.

There’s more help in the Eclipse Foundation Project Handbook.