How to Report Potential Security Vulnerabilities
Any potential security vulnerabilities should be reported through the Security Advisories page.
The Micrometer team needs to receive reports of potential security vulnerabilities through GitHub’s private vulnerability reporting feature. To simplify the process, the micrometer-metrics/security-advisories repository is used to report potential vulnerabilities for any project within the Micrometer org.
Viewing Security Vulnerabilities
All security vulnerabilities are posted to micrometer-metrics/security-advisories.
Guidelines for Reporting a Vulnerability
Examples of Non-vulnerabilities
Vulnerabilities in Dependencies
Vulnerabilities in Micrometer’s dependencies should be reported to the respective project and not to the Micrometer team.
Vulnerable Dependency Versions
The Micrometer team does its best to keep its dependencies up to date regardless of whether a dependency contains a vulnerability. However, we do not consider it a vulnerability in Micrometer when Micrometer defines a vulnerable dependency version, because developers can override these versions and because releasing a new Micrometer version for every vulnerable transitive dependency would become unmanageable for Micrometer.
It is up to the developer of the dependency to release a compatible version with the security fix. Once such a version is available, Micrometer will be updated to that dependency version prior to releasing the next version of Micrometer.
Typically, there is not a special release for updating dependency versions. Instead, the Micrometer team encourages developers to override the version until the next Micrometer release.