Merge pull request #7301 from 0xdaryl/security

Create an Eclipse OMR security policy
eclipse-omr · Apr 11, 2024 · 7d48bfe · 7d48bfe
2 parents 0e07ad1 + b17e677
commit 7d48bfe
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+Eclipse OMR follows the [Eclipse Vulnerability Reporting Policy](https://www.eclipse.org/security/policy.php).  Vulnerabilities are tracked by the Eclipse OMR project leads, or by the Eclipse security team in cooperation with the OMR project leads.  Fixing vulnerabilities is the responsibility of OMR project committers.
+
+## Supported Versions
+
+Eclipse OMR only supports security updates in upcoming OMR releases.
+
+## Reporting a Vulnerability
+
+In case of suspected vulnerabilities, we recommend you do not use the public Eclipse OMR GitHub issue tracker.  Instead, contact an Eclipse OMR project lead via the [OMR Slack](https://eclipse-omr.slack.com) workspace and a private channel will be created for the discussion.  You can join the Eclipse OMR Slack workspace [here](https://join.slack.com/t/eclipse-omr/shared_invite/enQtMzg2ODIwODc4MTAyLWFiMzZkNmNhODc5OTM0MjgwZDdjNzg5YTg5NzM0ZmEzNTIyMGViMjk1YjYwNzczYjYwODc4YTM5MDk0NjIxMjg) if required.  The project leads will follow the Eclipse Foundation policy for reporting and resolving security vulnerabilities.
+
+| Project Lead | Slack Handle |
+| :--- | :--- |
+| Daryl Maier | @0xdaryl |
+| Mark Stoodley | @mstoodle |
+| Charlie Gracie | @charliegracie |
+
+Alternatively, you may contact the Eclipse Security Team via an email to [email protected].