Group Proposal, for discussion: Vulnerability Group

mark.reinhold at mark.reinhold at
Thu Aug 24 15:49:38 UTC 2017

(This is not a call for votes; it is just a call for discussion.)

The Governing Board has been discussing the creation of a Vulnerability
Group for a while now.  This new Group is intended to be a secure,
private forum in which trusted members of the OpenJDK Community can
receive reports of vulnerabilities in OpenJDK code bases, review them,
collaborate on fixing them, and coordinate the release of such fixes.

This Group will be unusual in several respects, due to the sensitive
nature of its work: Membership will be more selective, there will be a
strict communication policy, and members (or their employers) will need
to sign a non-disclosure and license agreement.  These requirements do,
strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
discussed this, however, and I expect that the Board will approve the
creation of this Group with these exceptional requirements.

I've posted a detailed proposal for the Vulnerability Group here:

That document contains a link to a draft of the non-disclosure and
license agreement.

The initial Lead of the Vulnerability Group will be Andrew Gross, who
leads Oracle's internal Java Vulnerability Team.


- Mark

More information about the discuss mailing list