<#import "/_scaffold.html" as main> <@main.scaffold title="Security Vulnerabilities"> <div class="page-header top5"> <div> <div class="row"> <p> Lombok is a build-time only dependency; there is no need for <code>lombok.jar</code> to be available when your application is run, it just needs to be there when you compile your code. </p><p> Therefore, lombok is highly unlikely to be a source of security vulnerabilities. </p><p> Nevertheless, if you have a concern or found a vulnerability, please disclose the vulnerability privately. We would like to coordinate with you so that we can release a fix for the vulnerability together with the disclosure of the vulnerability to the public. As an open source project we are not currently able to offer a monetary reward, but we will acknowledge your contribution (and we'll owe you a refreshing beverage of your choice, of course!), and work with you to set a reasonable timeline for a fix. </p><p> If you want to report a vulnerability, please contact the <a href="https://tidelift.com/security">tidelift security team</a>. Alternatively, you can contact us directly via <a href="mailto:info@projectlombok.org">info@projectlombok.org</a>. </p> </div> </div> </div> </@main.scaffold>