This document outlines security procedures and general policies for the Eclipse Adoptium project.
The Eclipse Adoptium community take all security vulnerabilities seriously. Thank you for improving the security of our projects. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
Report a security vulnerability privately by creating a draft security advisory following the guidelines described in the GitHub documentation. Reporters without a GitHub account should email the Eclipse Security Team at security@eclipse.org.
Disclosure is initially limited to the reporter and Adoptium security team, but will eventually be expanded to include other individuals, and the general public as appropriate. The timing and manner of disclosure is governed by the Eclipse Security Policy.
Publicly disclosed issues are listed on the Disclosed Vulnerabilities Page.
If you have suggestions on how this process could be improved please submit a pull request.