We as a community encourage researchers, users and contributors to report vulnerabilities and security related issues to the Eiffel community. All issues are thoroughly investigated by a community security officer and/or other community security volunteers. All reported and fixed security and vulnerability issues can be found on the Eiffel community security page .

To file a vulnerability report please send and e-mail to the private eiffel-community-security@googlegroups.com list. The e-mail should list the security specific details as well as the standard bug report information. Only the community security officers will have access to e-mails sent on the security and vulnerability list. This process is the same whether the report stems from a project within the Eiffel community or from an external contributor.

Triage and handling of the vulnerability report will be conducted within one week. If the vulnerability severity and impact is high a patch will be published with urgency.

• You think you discovered a potential security vulnerability in an eiffel-community service, application or repository
• You are unsure how a vulnerability affects the eiffel-community service or application.
• You think you discovered a vulnerability in another project that a eiffel-community service or application depends on.

As mentioned, each report is acknowledged and analyzed by a eiffel-community security officer within one week. If the vulnerability is reproduced and verified a response will be sent to the reporter. As the issue progresses from triage, to fix, test and release the reporter will be updated.

The eiffel-community humbly asks all vulnerability reporters to hold off on public disclosure and instead negotiate a time frame within which the vulnerability report will be processed, fixed and released by the eiffel-community. Once released it will be listed on the Eiffel community security page .