blob: 8f6a918d374403da3f2272d2e59d958ea2ca138e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
# Security Policies and Procedures
Lombok only runs during compilation and is not required on your servers or in your application's distribution. Nevertheless, the _Project Lombok_ team and community take all security bugs seriously.
## Reporting a Bug
To report a security vulnerability, please follow the procedure described in the [Tidelift security policy](https://tidelift.com/docs/security?utm_source=lombok&utm_medium=referral&utm_campaign=github).
Alternatively, you can send us an email privately via `security@projectlombok.org`.
## Disclosure Policy
When we receive a security bug report, it will be assigned a primary handler. This person will coordinate the fix and release process. In case this process requires additional resources beyond the scope of what the core contributors of _Project Lombok_ can reasonably supply, we will inform the Tidelift security team for additional help and coordination. This process will involve the following steps:
* Inventorize all affected versions along with the platform(s) that lombok runs on which are affected.
* Audit code to find any potential similar problems.
* Prepare fixes for all releases, push these out to all distribution channels including the maven central repo, and put in all due effort to get affected versions marked as affected.
## Comments on this Policy
Any comments on this policy or suggestions for improvement can be discussed on [our forum](https://groups.google.com/forum/#!forum/project-lombok), or you can send us an email for any comments or suggestions that contain sensitive information.
|
