Within OpenJDK, the OpenJDK Vulnerability Group receives and discusses reports about security vulnerabilities in OpenJDK. It implements and tests fixes, then coordinates the release plan for those fixes with Oracle and other major distributors.
Unlike most OpenJDK activity — where mailing lists and code reviews are public — the Vulnerability Group works under an embargo until a fix is released. Mailing list information and group membership can be found at mail.openjdk.org.
The Oracle CPU Process
Security fixes for Java are released by Oracle on a quarterly schedule as part of the Oracle Critical Patch Update (CPU), published in January, April, July, and October. Each CPU includes fixes for all currently supported Oracle Java SE versions. The advisory lists the CVE identifiers, CVSS scores, affected component, and vector for each vulnerability.
At CPU release time, Oracle publishes a security advisory and updated JDK builds. The major OpenJDK distributors (Adoptium, Azul, Amazon, Red Hat, BellSoft, SAP) typically publish their own updated builds on the same day or within a few days, incorporating the same fixes from the upstream OpenJDK patches.
Reporting Vulnerabilities
Security vulnerabilities in OpenJDK should be reported to the OpenJDK Vulnerability Group via the contact information at openjdk.org/groups/vulnerability/. Vulnerabilities in Oracle Java SE products (including those covering OpenJDK code) can also be reported through Oracle's responsible disclosure process.