Bug 337005 - [Security] Reporting
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Architecture Council
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: eclipse.org-architecture-council
URL: http://eclipse.org/security/
Depends on: 343743
Blocks: 337004
Reported: 2011-02-11 15:10 EST by Wayne Beaton
Modified: 2013-12-18 16:08 EST
Description Wayne Beaton 2011-02-11 15:10:04 EST
Our bugzilla instance is configured such that projects can request the ability to mark bugs as "committers-only". This restricts visibility of the bug to eclipse.org committers, the bug reporter, assignee, people in the cc list, etc. (i.e. committers and anybody else explicitly listed).

To report a security issue with an Eclipse project, the reporter needs to explicitly flip this bit (it appears at the bottom of the submit page). AFAIK, this is not represented in Mylyn.

Perhaps we can encourage projects to provide a link that has this bit flipped on automatically.

How do we handle bugs from a user who doesn't know what project to report against? Should we make a "security" email alias that forwards to a trusted "inner circle" (you'll find that I use this term a lot) who can do the initial triage?

At the moment, the ability to mark a bug as "committers-only" is on a project-by-project basis (you have to ask the Webmaster). AFAIK, this was done to avoid adding additional complexity to the reporting page. Should we just enable this for all projects?

At the moment, we have 36 bugs marked as "committers-only". IMHO, many of these do not need to be marked as such (in fact, I would go so far as to say that they are incorrectly marked as such).

Ultimately, once a conclusion has been reached, I believe that the "committers-only" flag should be cleared on all bugs. When that happens is an interesting question that I'll create another bug for discussion.
Comment 1 Gunnar Wagenknecht 2011-02-11 15:16:24 EST
(In reply to comment #0)
> How do we handle bugs from a user who doesn't know what project to report
> against? Should we make a "security" email alias that forwards to a trusted
> "inner circle" (you'll find that I use this term a lot) who can do the initial
> triage?

I like that idea. The "inner circle" can identify the project and eventually the initial classification. The more I think about it, the more I think this should be the *promoted* way of reporting security issues. A reporting link/form could be provided on www.eclipse.org.

What about security@eclipse.org? Should it be possible to report issues via mail or just Bugzilla?
Comment 2 Wayne Beaton 2011-05-25 15:50:25 EDT
I believe that the Security Team will be the inner circle.

I have included links for security@eclipse.org as a means of reporting a vulnerability.
Comment 3 Wayne Beaton 2013-12-18 16:08:34 EST
I declare victory.