OpenJDK Vulnerabilities

Vulnerabilities in OpenJDK source code are handled by the OpenJDK Vulnerability Group, who coordinate fixes and releases.

How to report a vulnerability

We welcome reports of vulnerabilities in the JDK. To submit a report, please send e-mail to We prefer mail encrypted with our report encryption key. Please include as much detail as is reasonable, e.g., the output of the java -version command, a proof-of-concept (PoC) program, crash logs, and relevant environment and configuration information.

Vulnerability reports that you submit are covered by the OpenJDK Web Site Terms of Use.

Oracle values the members of the independent security research community who find security vulnerabilities and work with Oracle so that security fixes can be issued to all customers. Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:


Current and previous advisories are available for reference.

Last update: 2019/7/17 21:29 UTC