xref: /JGit/SECURITY.md (revision 5a232c9509cc4035dad8490b0d9cd790b49c75ae)
<!--- https://www.eclipse.org/security/ --->
_ISO 27005 defines vulnerability as:
 "A weakness of an asset or group of assets that can be exploited by one or more threats."_

## The Eclipse Security Team

The Eclipse Security Team provides help and advice to Eclipse projects
on vulnerability issues and is the first point of contact
for handling security vulnerabilities.
Members of the Security Team are committers on Eclipse Projects
and members of the Eclipse Architecture Council.

Contact the [Eclipse Security Team](mailto:security@eclipse.org).

**Note that, as a matter of policy, the security team does not open attachments.**

## Reporting a Security Vulnerability

Vulnerabilities can be reported either via email to the Eclipse Security Team
or directly to a project via the Eclipse Foundation's Bugzilla instance.

The general security mailing list address is security@eclipse.org.
Members of the Eclipse Security Team will receive messages sent to this address.
This address should be used only for reporting undisclosed vulnerabilities;
regular issue reports and questions unrelated to vulnerabilities in Eclipse software
will be ignored.
Note that mail sent to this address is not encrypted.

The community is also encouraged to report vulnerabilities using the
[Eclipse Foundation's Bugzilla instance](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability%20Reports&keywords=security&groups=Security_Advisories).
Note that you will require an Eclipse Foundation account to create an issue report,
but by doing so you will be able to participate directly in the resolution of the issue.

Issue reports related to vulnerabilities must be marked as "committers-only":
this happens automatically when the link above is used, and can otherwise be done
by the reporter or by a committer during the triage process.
Note that issues marked "committers-only" are visible to all Eclipse committers.
By default, a "committers-only" issue is also accessible to the reporter
and to individuals explicitly listed in the "cc" field.

## Disclosure

Disclosure is initially limited to the reporter and all Eclipse Committers,
and is later expanded to include other individuals and, eventually, the general public.
The timing and manner of disclosure are governed by the
[Eclipse Security Policy](https://www.eclipse.org/security/policy.php).

Publicly disclosed issues are listed on the
[Disclosed Vulnerabilities Page](https://www.eclipse.org/security/known.php).