Group Proposal, for discussion: Vulnerability Group

Martijn Verburg martijnverburg at
Thu Aug 24 17:33:41 UTC 2017

Hi Mark,

Totally applaud this idea!  I have some suggested wording changes that
might be easiest to suggest as a diff or some sort of track changes on the
original text.  Do you have a preferred mechanism for that type of feedback?


On 24 August 2017 at 16:49, <mark.reinhold at> wrote:

> (This is not a call for votes; it is just a call for discussion.)
>
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
>
> I've posted a detailed proposal for the Vulnerability Group here:
>
> That document contains a link to a draft of the non-disclosure and
> license agreement.
>
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
>
> Comments?
>
> - Mark