gitmyhub

security-advisories

★ 42 updated 2mo ago

Report a Spring CVE

This repository is the official channel for reporting security vulnerabilities in any Spring project. If someone discovers a security flaw in Spring Framework, Spring Boot, or another Spring library, they submit it here as a private draft advisory rather than posting it publicly where attackers could exploit it before a fix is ready.

The README spends considerable space explaining what counts as a valid security report and what does not. A genuine vulnerability is one where Spring's own code processes untrusted input in an unsafe way. Common non-qualifying situations include: code the developer wrote unsafely (Spring just routed the request), vulnerabilities in third-party libraries that Spring depends on, and issues only reproducible if someone with admin access deliberately misconfigures the application. The document gives detailed examples of each category so reporters can self-screen before filing.

Before submitting, reporters are expected to build a minimal sample application that demonstrates the problem. The sample must use a currently supported Spring version, be written in Java, run without external services like databases unless absolutely necessary, and contain only the code needed to trigger the issue. The repository README contains a template to fill out when creating the advisory, covering a summary, steps to reproduce, the expected result, and the actual result.

The collaboration workflow uses GitHub's temporary private fork feature, which keeps the vulnerable code and the fix hidden from public view until the advisory is officially published. The README walks through the shell commands for cloning that private fork, pushing a reproducer to a branch called sample, committing a fix, and notifying the original reporter to review the patch. This process applies to Spring team members working on fixes as well as external reporters sharing their reproducers.
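The private-fork round trip described above, as an added example that is not taken from the Spring security-advisories README: the real temporary private fork lives on GitHub, so this script stands in a locally created bare repository for it (the path, the "fix" branch name, the maintainer and reporter identities and every file written are constructed placeholders; only the "sample" branch name and the four report headings come from the summary above). The commands are the same ones a reporter and a Spring team member would run against the real fork URL.

```shell
# Added example: offline stand-in for the temporary-private-fork workflow.
# FORK_DIR is a placeholder for the GitHub private fork URL.

# Create the placeholder fork, give it a "main" branch with one empty commit,
# and print the workspace directory that the other functions take as $1.
setup_fork() {
  ws_dir=$(mktemp -d)
  fork_dir="$ws_dir/private-fork.git"
  git init --quiet --bare "$fork_dir"
  git --git-dir="$fork_dir" symbolic-ref HEAD refs/heads/main
  git clone --quiet "$fork_dir" "$ws_dir/seed" 2>/dev/null
  (
    cd "$ws_dir/seed"
    set -e
    git -c user.name=seed -c user.email=seed@example.invalid \
      commit --quiet --allow-empty -m "Initial commit"
    git push --quiet origin HEAD:main
  )
  echo "$ws_dir"
}

# Reporter side: clone the private fork, put the minimal reproducer and the
# filled-in report template on a branch named "sample", and push it.
push_reproducer() {
  git clone --quiet "$1/private-fork.git" "$1/reporter"
  (
    cd "$1/reporter"
    set -e
    git checkout --quiet -b sample
    mkdir -p src/main/java/example
    # Constructed placeholder for the minimal Java sample app; a real reproducer
    # holds only the code needed to trigger the reported issue.
    cat > src/main/java/example/ReproducerApplication.java <<'EOF'
package example;

public class ReproducerApplication {
    public static void main(String[] args) {
        System.out.println("reproducer placeholder");
    }
}
EOF
    # Report template with the four sections the README asks for.
    cat > REPORT.md <<'EOF'
## Summary
<one paragraph describing the flaw>

## Steps to reproduce
1. Start the sample application.
2. Send the request described here.

## Expected result
<what should happen>

## Actual result
<what actually happens>
EOF
    git add -A
    git -c user.name=reporter -c user.email=reporter@example.invalid \
      commit --quiet -m "Add minimal reproducer and report"
    git push --quiet origin sample
  )
}

# Spring team side: clone the same fork, check out the reporter's "sample"
# branch to confirm the bug, then commit the fix on a separate branch and push
# it so the reporter can review the patch before the advisory is published.
push_fix() {
  git clone --quiet "$1/private-fork.git" "$1/maintainer"
  (
    cd "$1/maintainer"
    set -e
    git checkout --quiet sample            # reproduce the issue from the reporter's branch
    git checkout --quiet -b fix origin/main
    echo "constructed placeholder for the code change" > FIX.txt
    git add FIX.txt
    git -c user.name=maintainer -c user.email=maintainer@example.invalid \
      commit --quiet -m "Fix the reported issue (placeholder)"
    git push --quiet origin fix
  )
}

# List the branches now present in the fork, one per line, sorted by name.
fork_branches() {
  git --git-dir="$1/private-fork.git" for-each-ref --format='%(refname:short)' refs/heads
}

# Stand-alone usage: run the full round trip and show the resulting branches.
demo_ws=$(setup_fork)
push_reproducer "$demo_ws"
push_fix "$demo_ws"
fork_branches "$demo_ws"
rm -rf "$demo_ws"
```

Because the advisory fork is private, nothing here touches a public remote; the reporter only ever pushes "sample" and the maintainer only ever pushes "fix", and both branches stay inside the fork until the advisory is published.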