Security Policy

Supported Versions

As stated in our Release Policy, we will backport critical bugfixes and security fixes for versions dating back 18 months. These fixes will be backported depending on severity and demand.

Reporting a Vulnerability

🚨 To report a vulnerability, DO NOT open a pull request or issue or GitHub discussion. DO NOT post publicly.

Instead, report the vulnerability privately via the Security tab on graphql-java GitHub repository. See instructions at https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability