Group Proposal, for discussion: Vulnerability Group

Weijun Wang at
Fri Aug 25 02:08:56 UTC 2017

Suppose I am a "recognized" expert in Area A, and Bob is one in Area B. We both have been handling security issues before. Does this mean we would both be included in the group and I can read all discussions in Area B?

Also, what is the proper way to temporarily include someone when working on a specific bug? For example, a test engineer, a 3rd-party expert (Ex: a bug only on Windows and we work with someone in Microsoft) or a customer. Since vuln-dev at is not open to them I assume I cannot CC one while writing to this list. Do I just talk to him/her one-to-one?


> On Aug 24, 2017, at 11:49 PM, mark.reinhold at wrote:
>
> (This is not a call for votes; it is just a call for discussion.)
>
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
>
> I've posted a detailed proposal for the Vulnerability Group here:
>
> That document contains a link to a draft of the non-disclosure and
> license agreement.
>
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
>
> Comments?
>
> - Mark
