Eclipse hawkBit follows the Eclipse Foundation Security Policy. Vulnerabilities are tracked by the hawkBit project leads, in cooperation with the Eclipse security team. Fixing vulnerabilities is taken care of by the hawkBit project committers, with assistance and guidance of the security team.

Eclipse hawkBit provides security updates for the two most recent minor versions.
These versions of Eclipse hawkBit are currently being supported with security updates.

If you identify a potential vulnerability, DO NOT publicly disclose it immediately! Instead, give the Eclipse hawkBit team sufficient time to investigate and address the issue appropriately. So, please DO NOT report your finding using GitHub issues. Instead, please submit your report through hawkBit GitHub Security using the Report a vulnerability feature.

For further information regarding the responsible disclosure of security vulnerabilities within the Eclipse Foundation, please refer to Security at the Eclipse Foundation.