We take security very seriously at SDA SE. We welcome any review of the latest release of all our open source code to ensure that these components can not be compromised. In case you identified a security related issue with severity of low to medium, please create a GitHub issue.
In case you identified a security related issue with severity of high or critical, please disclose information about the issue non public via email to opensource-security@sda.se.
We encourage researchers to include a Proof-of-Concept, supported by screenshots or videos. For each given security related issue with severity high or critical (based on SDA SE own assessment), we will respond within one week.
Please be aware that only the most recent version in channel 3.x.x will be subject of security patches. The changelog provides information about feature and security related fixes like patches.
The SecurityBundle (sda-commons-server-security) hardens the configuration of Dropwizard. The README provides information about addressed risks and how to use the SecurityBundle.
There is no format in commits to identify security related fixes and it is not planned yet.
We identified that validation of JSON input with annotations in data classes might be too late in terms of deserialization attacks in jackson-databind.
Therefore, we perform daily vulnerability scans to be informed about known vulnerabilities in jackson-databind. We perform a vulnerability assessment as soon as possible and perform actions based on the outcome.