Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 337005

Summary: [Security] Reporting
Product: Community Reporter: Wayne Beaton <wayne.beaton>
Component: Architecture CouncilAssignee: eclipse.org-architecture-council
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: Ed.Merks, gunnar, remy.suen
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
URL: http://eclipse.org/security/
Whiteboard:
Bug Depends on: 343743    
Bug Blocks: 337004    

Description Wayne Beaton CLA 2011-02-11 15:10:04 EST 
Our bugzilla instance is configured such that projects can request the ability to mark bugs as "committers-only". This restricts visibility of the bug to eclipse.org committers, the bug reporter, assignee, people in the cc list, etc. (i.e. committers and anybody else explicitly listed).

To report a security issue with an Eclipse project, the reporter needs to explicitly flip this bit (it appears at the bottom of the submit page). AFAIK, this is not represented in Mylyn.

Perhaps we can encourage projects to provide a link that has this bit flipped on automatically.

How do we handle bugs from a user who doesn't know what project to report against? Should we make a "security" email alias that forward to a trusted "inner circle" (you'll find that I use this term a lot) who can do the initial triage?

At the moment, the ability to mark a bug as "committers-only" is on a project-by-project basis (you have to ask the Webmaster). AFAIK, this was done to avoid adding additional complexity to the reporting page. Should we just enable this for all projects?

At the moment, we have 36 bugs marked as "committers-only". IMHO, many of these do not need to be marked as such (in fact, I would go so far as to say that they are incorrectly marked as such).

Ultimately, once a conclusion has been reached, I believe that the "committers-only" flag should be cleared on all bugs. When that happens is an interesting question that I'll create another bug for discussion.
Comment 1 Gunnar Wagenknecht CLA 2011-02-11 15:16:24 EST 
(In reply to comment #0)
> How do we handle bugs from a user who doesn't know what project to report
> against? Should we make a "security" email alias that forward to a trusted
> "inner circle" (you'll find that I use this term a lot) who can do the initial
> triage?

I like that idea. The "inner circle" can identify the project and eventually the initial classification. The more I think about it, the more I think this should be the *promoted* way of reporting security issues. A reporting link/form could be provided on www.eclipse.org.

What about security@eclipse.org? Should it be possible to report issues via mail or just Bugzilla?
Comment 2 Wayne Beaton CLA 2011-05-25 15:50:25 EDT 
I believe that the Security Team will be the inner circle.

I have included links for security@eclipse.org as a means of reporting a vulnerability.
Comment 3 Wayne Beaton CLA 2013-12-18 16:08:34 EST 
I declare victory.