Security updates will always be applied to the latest -SNAPSHOT prior to being included in the latest release. We generally do not backport security updates given that the connector itself is intended to be backwards compatible between (minor) releases.
To report a vulnerability, please consider raising an issue. If there are sensitive details that you do not want to risk including directly in an issue, you can alternatively email the (non-public) Egeria security team at: egeria-security@lists.lfaidata.foundation
Ideally, please include:
- details on where the vulnerability exists (e.g. in the connector code itself, a dependent library, etc.)
- a pointer to any existing CVE or other published details on the vulnerability (if available)
- a brief summary of the impact of the vulnerability (if not immediately obvious from the above)
We will triage these details and determine the appropriate course of action, typically including:
- publishing a security advisory alerting the community to the vulnerability
- suggesting approaches to avoid the vulnerability (e.g. fixes and / or interim workarounds)
License: CC BY 4.0, Copyright Contributors to the ODPi Egeria project.