If you discover a security vulnerability in PCRE4J, please report it through GitHub Security Advisories. This ensures the issue is handled confidentially.

Please do not open a public issue for security vulnerabilities.

This security policy covers the PCRE4J binding layer — the Java code in this repository that interfaces with the PCRE2 native library.

Security issues in the PCRE2 native library itself should be reported to the PCRE2 upstream project.

We aim to acknowledge security reports within 72 hours and provide a timeline for a fix. Critical vulnerabilities will be prioritized for patching.