Oracle values the independent security research community, and believes that responsible disclosure of security vulnerabilities helps us to ensure the security and privacy of all of our users.
Please do NOT raise a GitHub Issue to report a security vulnerability. If you believe you have found a security vulnerability, please submit a report to secalert_us@oracle.com, preferably with a proof of concept. Please review some additional information on how to report security vulnerabilities to Oracle. Oracle encourages anyone who contacts Oracle Security to use email encryption, using our encryption key.
Please do not use other channels, or contact the project maintainers directly.
For non-vulnerability related security issues, including ideas for new or improved security features, you are welcome to post these as GitHub Issues.
Oracle issues security updates on a regular cadence. Many of our projects typically release security fixes in conjunction with the Oracle Critical Patch Update program. Security updates are released on the Tuesday closest to the 17th day of January, April, July and October. A pre-release announcement will be published on the Thursday preceding each release. Additional information, including past advisories, is available on our security alerts page.
Oracle will provide security-related information in our documentation. The information can be a threat model, best practices for secure use, or any known security issues. Please note that labs and example code are intended to demonstrate a concept. These examples should not be used in production without ensuring that the code is hardened and in compliance with common security practices.