OpenJDK Vulnerabilities

Vulnerabilities in OpenJDK source code are handled by the OpenJDK Vulnerability Group, who coordinate fixes and releases.

How to report a vulnerability

We welcome reports of vulnerabilities in the JDK. To submit a report, please send e-mail to We prefer mail encrypted with our report encryption key. Please include as much detail as is reasonable, e.g., the output of the java -version command, a proof-of-concept (PoC) program, crash logs, and relevant environment and configuration information.

Vulnerability reports that you submit are covered by the OpenJDK Web Site Terms of Use.


Current and previous advisories are available for reference.

Last update: 2019/7/17 21:29 UTC