| 1 | +# Reporting Security Vulnerabilities |
| 2 | + |
| 3 | +The GraalVM team values the independent security research community and believes |
| 4 | +that responsible disclosure of security vulnerabilities in GraalVM Community |
| 5 | +Edition as well as GraalVM Enterprise Edition helps us ensure the security and |
| 6 | +privacy of all our users. |
| 7 | + |
| 8 | +If you believe you have found a security vulnerability, please submit a report |
| 9 | +to [email protected] preferably with a proof of concept. Please refer to |
| 10 | +[Reporting |
| 11 | +Vulnerabilities](https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html) |
| 12 | +for additional information including our public encryption key for secure |
| 13 | +email. We ask that you do not contact project contributors directly or through |
| 14 | +other channels about a report. |
| 15 | + |
| 16 | +### Security Updates, Alerts and Bulletins |
| 17 | + |
| 18 | +GraalVM Community Edition security updates will be released on a quarterly basis |
| 19 | +in conjunction withe GraalVM Enterprise Edition security updates that are part |
| 20 | +of the Oracle Critical Patch Update program. Security updates are released on |
| 21 | +the Tuesday closest to the 17th day of January, April, July and October. A |
| 22 | +pre-release announcement will be published on the Thursday preceding each |
| 23 | +Critical Patch Update release. For additional information including past |
| 24 | +advisories, please refer to [Security |
| 25 | +Alerts](https://www.oracle.com/security-alerts/). |
| 26 | + |
| 27 | +### Security-Related Information |
| 28 | + |
| 29 | +Please refer to the [GraalVM Security |
| 30 | +Guide](https://www.graalvm.org/docs/security-guide/) for security related topics |
| 31 | +such as how to support trusted and less trusted code execution using the Truffle |
| 32 | +language framework, or compiler mitigations for transitive execution |
| 33 | +attacks. However please note that we do not currently support the execution of |
| 34 | +untrusted or adversarial code. Non-vulnerability related security issues may be |
| 35 | +discussed on GitHub Issues or the Security channel in the [GraalVM Slack |
| 36 | +Workspace](https://graalvm.slack.com/) |
| 37 | + |
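Review bot: "in conjunction withe GraalVM Enterprise Edition security updates" in the Security Updates section has a typo; it should read "in conjunction with GraalVM Enterprise Edition security updates". In the Security-Related Information section, "compiler mitigations for transitive execution attacks" almost certainly means "transient execution attacks" (the Spectre-class speculative-execution attacks that compiler-inserted barriers mitigate); please correct the term, since readers will search the Security Guide for it. Two smaller points in the same section: the final sentence ending with the Slack Workspace link has no terminating period, and the file jumps from a single "#" heading straight to "###" sub-headings with no "##" level in between, so "##" would be the expected level for "Security Updates, Alerts and Bulletins" and "Security-Related Information".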