Security: FasterXML/jackson-dataformat-xml
Last Updated: 2022-09-20
The current status of open branches, with new releases, can be found on the Jackson Releases wiki page.
The recommended mechanism for reporting possible security vulnerabilities follows the so-called "Coordinated Disclosure Plan" (see definition of DCP for the general idea). The first step is to file a Tidelift security contact: Tidelift will route all reports via their system to the maintainers of the relevant package(s), and start the process that will evaluate the concern and issue possible fixes, send update notices and so on. Note that you do not need to be a Tidelift subscriber to file a security contact.
Alternatively, you may also report possible vulnerabilities to the info at fasterxml dot com mailing address. Note that filing an issue to go with the report is fine, but if you do that, please DO NOT include details of the security problem in the issue, only in the email contact. This is important to give us time to provide a patch, if necessary, for the problem.
(For a more in-depth explanation, see the Apache Release Signing document.)
To verify that any given Jackson artifact has been signed with a valid key, have a look at the KEYS file of the main Jackson repo:
https://github.com/FasterXML/jackson/blob/master/KEYS
which lists all known valid keys in use.