Eclipse OMR follows the Eclipse Vulnerability Reporting Policy. Vulnerabilities are tracked by the Eclipse OMR project leads, or by the Eclipse security team in cooperation with the OMR project leads. Fixing vulnerabilities is the responsibility of OMR project committers.

Eclipse OMR only supports security updates in upcoming OMR releases.

In case of suspected vulnerabilities, we recommend you do not use the public Eclipse OMR GitHub issue tracker. Instead, contact an Eclipse OMR project lead via the OMR Slack workspace and a private channel will be created for the discussion. You can join the Eclipse OMR Slack workspace here if required. The project leads will follow the Eclipse Foundation policy for reporting and resolving security vulnerabilities.

Alternatively, you may contact the Eclipse Security Team via an email to [email protected].