Eclipse RDF4J follows the Eclipse Vulnerability Reporting Policy. Vulnerabilities are tracked by the Eclipse security team, in cooperation with the RDF4J project lead. Fixing vulnerabilities is taken care of by the RDF4J project committers, with assistance and guidance of the security team.
Eclipse RDF4J supports security updates for the following releases:
| Version | Supported |
|---|---|
| current release | ✅ |
| latest minor release before the current | ✅(on request only) |
| latest major release before the current | ✅(on request only) |
| anything older | ❌ |
For example if the current release is 4.1, we support security patches for 4.1.x (the current release) and 4.0.x (latest minor before current), as well as for 3.7.x (latest major before current), but not for 3.6.x or older. Security patches for the current release are provided proactively by the team, while patches for older supported releases are provided on request only.
We recommend that in case of suspected vulnerabilities you do not use the RDF4J public issue tracker, but instead contact the Eclipse Security Team directly via security@eclipse.org.