OpenJDK Vulnerabilities
Vulnerabilities in OpenJDK source code are handled by the OpenJDK Vulnerability Group, who coordinate fixes and releases.
How to report a vulnerability
We welcome reports of vulnerabilities in the JDK. To submit a report, please send e-mail to vuln-report@openjdk.org. We prefer mail encrypted with our report encryption key.
Please include as much detail as is reasonable, e.g., the output of the java -version command, a proof-of-concept (PoC) program, crash logs, and relevant environment and configuration information.
Vulnerability reports that you submit are covered by the OpenJDK Web Site Terms of Use.
Oracle values the members of the independent security research community who find security vulnerabilities and work with Oracle so that security fixes can be issued to all customers. Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:
- They do not publish the vulnerability prior to Oracle releasing a fix for it
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code
Advisories
Current and previous advisories are available for reference.