Security Policy

How to Report Potential Security Vulnerabilities

Any potential security vulnerabilities should be reported through the Security Advisories page.

The Micrometer team needs to receive reports of potential security vulnerabilities through GitHub’s ability to privately report a security vulnerability. To simplify the process, the micrometer-metrics/security-advisories repository is used to report potential vulnerabilities for any project within the Micrometer org.

Viewing Security Vulnerabilities

All security vulnerabilities are posted to micrometer-metrics/security-advisories.

Guidelines for Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it as described in How to Report Potential Security Vulnerabilities. Below, you can see examples of non-vulnerabilities.

Examples of Non-vulnerabilities

Vulnerabilities in Dependencies

Vulnerabilities in Micrometer’s dependencies should be reported to the respective project and not to the Micrometer team.

Vulnerable Dependency Versions

The Micrometer team does its best to keep its dependencies up to date regardless of whether a dependency contains a vulnerability. However, we do not consider it a vulnerability in Micrometer when Micrometer defines a vulnerable dependency version, because developers can override these versions and because releasing for any transitive dependency would become unmanageable for Micrometer.

It is up to the developer of the dependency to release a compatible version with the security fix. If this is made available, Micrometer will be updated to that dependency version prior to releasing the next version of Micrometer.

Typically, there is not a special release for updating dependency versions. Instead, the Micrometer team encourages developers to override the version until the next Micrometer release.