We provide security updates for the latest stable release of jPOS (tip). Older versions (tail) may receive updates on a case-by-case basis (see tip and tail).
| Version | Supported |
|---------|-----------|
| 3.x.x   | β         |
| 2.x.x   | β         |
| < 2.0   | β         |
If you think you've found a vulnerability, please use the Report a vulnerability button found in the Security tab of the project on GitHub, or contact security at jpos dot org. Avoid disclosing security-related issues publicly in GitHub Issues or pull requests.
We acknowledge reports within 24 hours (usually less) and follow coordinated disclosure practices.
This process is documented in GitHub's Secure Coding guide: Privately reporting a security vulnerability.
- Security vulnerabilities are triaged and patched promptly.
- Changelogs and CVEs (when applicable) document known issues.
- Releases are signed with GPG and validated for integrity.
- All pull requests require approval by a core maintainer.
- Contributor License Agreements (CLAs and CCLAs when appropriate) are mandatory for significant contributions.
- Maintainers must enable GitHub 2FA and use signed commits.
- CI pipelines validate code, enforce reproducible builds and run over 3000 unit tests.
- We review dependencies for known vulnerabilities using tools such as OWASP dependency-check, which is integrated as a Gradle task.
- We avoid dependencies that fetch remote resources at build time.