Security Policy
How to Report Potential Security Vulnerabilities
Any potential security vulnerability in any Project Reactor project should be reported through the Security Advisories page.
The Project Reactor team receives reports of potential security vulnerabilities through GitHub's private vulnerability reporting feature. To simplify the process, the reactor/security-advisories repository is used to report potential vulnerabilities for any project within Project Reactor.
Viewing Security Vulnerabilities
All security vulnerabilities are posted to https://spring.io/security/.
Guidelines for Reporting a Vulnerability
If you believe you have found a security vulnerability, please report it as described in How to Report Potential Security Vulnerabilities. Below are examples of what counts as a vulnerability and what does not.
Examples of Vulnerabilities
For examples of vulnerabilities, refer to https://spring.io/security/.
Examples of Non-vulnerabilities
Vulnerabilities in Dependencies
Vulnerabilities in Project Reactor's dependencies should be reported to the respective project, not to the Project Reactor team.
Vulnerable Dependency Versions
Project Reactor does its best to keep its dependencies up to date regardless of whether a dependency contains a vulnerability. However, we do not consider it a vulnerability in Project Reactor when Project Reactor declares a vulnerable dependency version, because developers can override these versions and because issuing a release for every transitive dependency update would become unmanageable for Project Reactor.
It is up to the maintainers of the dependency to release a compatible version containing the security fix. Once such a version is available, Project Reactor will be updated to that dependency version before the next Project Reactor release.
Typically, there is no special release solely to update dependency versions. Instead, the Project Reactor team encourages developers to override the dependency version in their own builds until the next Project Reactor release.