Optional Identity Verification for Eclipse Foundation Committers Launches June 2
On June 2, the Eclipse Foundation will make optional identity verification generally available for Eclipse Foundation committers.
In early November 2025, the Eclipse Foundation Security Team delivered the second part of our security training for developers for the second time. This part included updates from the first time we delivered the training in June.
Over the past few weeks, the Open VSX team and the Eclipse Foundation have been responding to reports of leaked tokens and related malicious activity involving certain extensions hosted on the Open VSX Registry.
The Imixs open source project today announced the release of Imixs-OIDC 3.0, a security module that combines OpenID Connect (OIDC) authentication flows with Bearer token validation in a single, unified architecture. This Jakarta EE 10 solution addresses the enterprise challenge of maintaining secure user authentication while providing robust API access control within one lightweight, framework-agnostic implementation.
The Eclipse Foundation security team will be speaking at OpenSSF Community Day 2025! This event brings together a dynamic community from the security and open source ecosystems to share ideas and progress on advancing the capabilities that make it easier to securely develop, maintain, and consume the software we all rely on.
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized extension uploads. It did not affect existing extensions or admin functions.
The issue was reported on May 4, 2025, fully fixed by June 24, and followed by a complete audit. No evidence of compromise was found, but 81 extensions were proactively deactivated as a precaution.
After the first training series, which focused on general concepts, the Eclipse Foundation Security team is offering a new training series, this time focused on vulnerability management and related subjects like dependencies and Software Bills of Materials.
Security is fundamental to open source software. With growing dependencies, evolving threats, and expanding community usage, proactive security reviews have become essential.
Perforce Software, in partnership with the Eclipse Foundation, has released the findings of the 2025 State of Automotive Software Development Survey. The report provides key insights into the current practices and emerging trends within the automotive software industry, including the use of open source software. The survey, conducted in Q4 2024, gathered responses from more than 650 automotive development professionals worldwide.
In late March 2025, a security researcher in our community reported a security concern about a publicly accessible API endpoint containing user information on accounts.eclipse.org. After reviewing the issue, we determined this API endpoint was unnecessary and have since disabled it.
We looked through our access logs for the past few months and confirmed that the only requests were from the security researcher and the Eclipse Foundation staff who verified the report.