Hello Glassfish team,
The Eclipse Foundation receives potential vulnerability reports from different sources and is redirecting them to different projects, in this case the Glassfish project.
Technically, those reports end up as confidential issues in
https://gitlab.eclipse.org/security/vulnerability-reports/ and are made public when the issue has been resolved. Currently we are adding the Project Leads of Glassfish to those issues. For most other projects, we're adding all the Committers - however we have one difficulty in the Glassfish situation. The difficulty is that there are quite many committers who have never logged in to the Eclipse Foundation GitLab instance, and because of that they cannot be added to any issues.
If the project wants more people to be added to those issues, we need to solve them: either everyone logs in at least once, or the Project decides to retire the Committer status from people who have been inactive for a long time. >From a quick look, most of the people on the list have not contributed for a long time.
Committers who have never logged in to the EF GitLab instance:
What do you think?
Kind regards,
Marta Rybczynska
Technical Program Manager, Security Team, Eclipse Foundation
