Group Proposal, for discussion: Vulnerability Group

Mario Torre neugens.limasoftware at
Thu Aug 24 17:53:02 UTC 2017

Hi Mark!

This is fantastic news, thanks for moving this forward!

My only complaint is that now I have one argument less for FOSDEM ;)


2017-08-24 17:49 GMT+02:00  <mark.reinhold at>:
> (This is not a call for votes; it is just a call for discussion.)
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
> I've posted a detailed proposal for the Vulnerability Group here:
> That document contains a link to a draft of the non-disclosure and
> license agreement.
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
> Comments?
> - Mark

pgp key: PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA  FC7C 4086 63E3 80F2 40CF

Java Champion - Blog: - Twitter: @neugens
Proud GNU Classpath developer:

Please, support open standards:
