Security is fundamental to open source software. With growing dependencies, evolving threats, and expanding community usage, proactive security reviews have become essential.
Perforce Software, in partnership with the Eclipse Foundation, has released the findings of the 2025 State of Automotive Software Development Survey. The report provides key insights into the current practices and emerging trends within the automotive software industry, including the use of open source software. The survey, conducted in Q4 2024, gathered responses from more than 650 automotive development professionals worldwide.
In late March 2025, a security researcher in our community reported a security concern about a publicly accessible API endpoint containing user information on accounts.eclipse.org. After reviewing the issue, we determined this API endpoint was unnecessary and have since disabled it.
We looked through our access logs for the past few months and confirmed that the only requests were from the security researcher and the Eclipse Foundation staff who verified the report.
As the Head of Security at the Eclipse Foundation, I want to clarify the situation, explain DLL side-loading, and reaffirm our commitment to security and collaboration with the community. My goal is to provide a clear understanding of both the technical aspects of this misuse and our approach to maintaining a secure ecosystem.
It's time to reflect on the strides we've made in enhancing the security of our open source projects in 2024.
Free security training for all Eclipse Foundation Committers and Contributors!
Join us for hands-on training, designed to give you practical, real-world security skills, alongside the opportunity to engage directly with Eclipse Foundation security experts, discuss a wide array of topics and ask questions in an open, collaborative environment.
What will you learn?
Free security training for all Eclipse Foundation Committers and Contributors!
Join us for hands-on training, designed to give you practical, real-world security skills, alongside the opportunity to engage directly with Eclipse Foundation security experts, discuss a wide array of topics and ask questions in an open, collaborative environment.
What will you learn?
In response to requests from various projects and after discussions between the Eclipse Foundation Security Team and the Architecture Council, we recently announced the creation of Project Security Teams.
The security track at OCX 2024 is packed with sessions that address the most pressing challenges and opportunities in open source security. Check this blog for a sneak peek at what the security track has in store.
The Eclipse Foundation is a CNA (CVE Numbering Authority), responsible for assigning vulnerability identification numbers, known as CVE (Common Vulnerability Enumerations), to our projects. This August, a new set of rules for CNAs comes into force.