Eclipse OpenJ9 follows the Eclipse Vulnerability Reporting Policy. Vulnerabilities are tracked by the Eclipse OpenJ9 project leads, or by the Eclipse security team in cooperation with the OpenJ9 project leads. Fixing vulnerabilities is taken care of by the OpenJ9 project committers.

Eclipse OpenJ9 supports security updates only in upcoming OpenJ9 releases.

Since OpenJ9 currently uses a single stream to support the Long Term Support (LTS) releases of Java (8, 11 and 17) as well as the feature releases, fixes to the single OpenJ9 stream will be available in each of the next Java releases.

In case of suspected vulnerabilities, we recommend that you do not use the OpenJ9 public issue tracker, but instead contact an Eclipse OpenJ9 project lead via the OpenJ9 Slack (join here) and a private channel will be created for the discussion. Or contact the Eclipse Security Team via security@eclipse.org.

The project leads will ensure that a private bugzilla issue is created for any confirmed vulnerability to track the fixing of said issue.