SECURITY.md - jgit - Git at Google

 <!--- https://www.eclipse.org/security/ --->
 _ISO 27005 defines vulnerability as:
  "A weakness of an asset or group of assets that can be exploited by one or more threats."_

 ## Reporting a Security Vulnerability

 Vulnerabilities can be reported either via
 [email to the Eclipse Security Team](security@eclipse-foundation.org)
 or using the
 [dedicated security issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).

 ## Additional Information

 **The Eclipse Foundation Security Team** provides help and advice to Eclipse Foundation projects on
 vulnerability issues and is the first point of contact for handling security vulnerabilities.
 Members of the Eclipse Foundation Security Team are selected amongs committers on Eclipse Projects,
 members of the Eclipse Architecture Council, and Eclipse Foundation staff.

 The general security mailing list address is security@eclipse-foundation.org. Members of the Eclipse
 Foundation Security Team will receive messages sent to this address. This address should be used
 only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to
 vulnerabilities in Eclipse Foundation software will be ignored. Note that this email set to this
 address is not encrypted.

 **Note that, as a matter of policy, the security team does not open attachments.**

 The community is also encouraged to report vulnerabilities using the
 [Eclipse Foundation’s issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).
 Note that you will need an Eclipse Foundation account to create an issue report
 ([create an account here if you do not have one](https://accounts.eclipse.org/user/register?destination=user)),
 but by doing so you will be able to participate directly in the resolution of the issue.

 Issue reports related to vulnerabilities must be marked as “confidential”, either automatically by
 clicking the provided link by the reporter, or by a committer during the triage process.

 ## Disclosure

 The timing and manner of disclosure is governed by the
 [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy).

 Publicly disclosed issues are listed on the
 [Disclosed Vulnerabilities page](https://www.eclipse.org/security/known).
	<!--- https://www.eclipse.org/security/ --->
	_ISO 27005 defines vulnerability as:
	"A weakness of an asset or group of assets that can be exploited by one or more threats."_

	## Reporting a Security Vulnerability

	Vulnerabilities can be reported either via
	[email to the Eclipse Security Team](security@eclipse-foundation.org)
	or using the
	[dedicated security issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).

	## Additional Information

	The Eclipse Foundation Security Team provides help and advice to Eclipse Foundation projects on
	vulnerability issues and is the first point of contact for handling security vulnerabilities.
	Members of the Eclipse Foundation Security Team are selected amongs committers on Eclipse Projects,
	members of the Eclipse Architecture Council, and Eclipse Foundation staff.

	The general security mailing list address is security@eclipse-foundation.org. Members of the Eclipse
	Foundation Security Team will receive messages sent to this address. This address should be used
	only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to
	vulnerabilities in Eclipse Foundation software will be ignored. Note that this email set to this
	address is not encrypted.

	Note that, as a matter of policy, the security team does not open attachments.

	The community is also encouraged to report vulnerabilities using the
	[Eclipse Foundation’s issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).
	Note that you will need an Eclipse Foundation account to create an issue report
	([create an account here if you do not have one](https://accounts.eclipse.org/user/register?destination=user)),
	but by doing so you will be able to participate directly in the resolution of the issue.

	Issue reports related to vulnerabilities must be marked as “confidential”, either automatically by
	clicking the provided link by the reporter, or by a committer during the triage process.

	## Disclosure

	The timing and manner of disclosure is governed by the
	[Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy).

	Publicly disclosed issues are listed on the
	[Disclosed Vulnerabilities page](https://www.eclipse.org/security/known).