Please report vulnerabilities to security@adoptopenjdk.net. A member of the security team will respond within 48 hours with details on how to proceed including whether or not the vulnerability was accepted, declined or requires further investigation.