Lombok is a build-time only dependency; there is no need for lombok.jar to be available when your application is run, it just needs to be there when you compile your code.

Therefore, lombok is highly unlikely to be a source of security vulnerabilities.

Nevertheless, if you have a concern or found a vulnerability, please disclose the vulnerability privately. We would like to coordinate with you so that we can release a fix for the vulnerability together with the disclosure of the vulnerability to the public. As an open source project we are not currently able to offer a monetary reward, but we will acknowledge your contribution (and we'll owe you a refreshing beverage of your choice, of course!), and work with you to set a reasonable timeline for a fix.

If you want to report a vulnerability, please contact the tidelift security team. Alternatively, you can contact us directly via security@projectlombok.org.