We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 rating:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
The JVM Memory Calculator team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
Send an email to: contact@patbaumgartner.com
Please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Possible impact
- Any suggested fixes (if available)

Response timeline:
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a more detailed response within 72 hours indicating the next steps
- We will keep you informed of the progress towards a fix and full announcement
After submitting a report, you can expect:
- Confirmation - We'll confirm receipt of your report
- Assessment - We'll assess the vulnerability and determine severity
- Fix Development - We'll work on a fix (if needed)
- Release - We'll release the fix and credit you (if desired)
- Disclosure - We'll coordinate public disclosure

Security update process:
- Vulnerability Assessment - Determine severity and impact
- Fix Development - Create and test security patch
- Release Preparation - Prepare new version with security fix
- Coordinated Disclosure - Release fix and security advisory
- User Notification - Notify users via GitHub releases and documentation
When using the JVM Memory Calculator:
- Run as a non-root user (our Docker image does this by default)
- Use read-only file systems where possible
- Limit container capabilities to minimum required
- Keep the container base image regularly updated

Input validation:
- The calculator validates all memory input formats
- Invalid inputs are rejected with clear error messages
- No user input is executed as shell commands

Memory safety:
- Written in Go with memory safety guarantees
- No buffer overflows or memory corruption vulnerabilities
- Static binary with minimal attack surface
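The input validation bullets above say that memory inputs are validated and that invalid ones are rejected with clear error messages. The following is an added illustration of what such a strict validator looks like; it is not the calculator's own parser. It assumes the JVM-style size grammar (`<digits>` plus an optional single `K`/`M`/`G`/`T` suffix, case-insensitive), and the sample inputs in `main` are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// unitMultipliers maps JVM-style size suffixes to byte multipliers.
// Assumption: the same suffixes that flags such as -Xmx accept (k/K, m/M, g/G, t/T).
var unitMultipliers = map[byte]int64{
	'k': 1 << 10, 'K': 1 << 10,
	'm': 1 << 20, 'M': 1 << 20,
	'g': 1 << 30, 'G': 1 << 30,
	't': 1 << 40, 'T': 1 << 40,
}

// ParseMemory converts a JVM-style memory size ("512M", "2g", "1048576") into bytes.
// It accepts only <digits><optional single unit suffix> and rejects everything else:
// empty strings, signs, whitespace, decimals, unknown or multi-letter suffixes, zero,
// and values that would overflow int64 once the suffix multiplier is applied.
// Every rejection carries a message that names the offending input and the reason.
func ParseMemory(s string) (int64, error) {
	if s == "" {
		return 0, errors.New("memory size must not be empty")
	}
	// Split the input into its leading digit run and whatever follows.
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	digits, suffix := s[:i], s[i:]
	if digits == "" {
		return 0, fmt.Errorf("memory size %q must start with a digit", s)
	}
	mult := int64(1)
	switch len(suffix) {
	case 0:
		// No suffix: the value is already in bytes.
	case 1:
		m, ok := unitMultipliers[suffix[0]]
		if !ok {
			return 0, fmt.Errorf("memory size %q has unknown unit %q (expected K, M, G or T)", s, suffix)
		}
		mult = m
	default:
		return 0, fmt.Errorf("memory size %q has invalid trailing characters %q", s, suffix)
	}
	n, err := strconv.ParseInt(digits, 10, 64)
	if err != nil {
		// digits is all 0-9, so the only possible failure is an int64 range overflow.
		return 0, fmt.Errorf("memory size %q is too large", s)
	}
	if n == 0 {
		return 0, fmt.Errorf("memory size %q must be greater than zero", s)
	}
	// Check the multiplication before performing it so it cannot silently wrap.
	if n > math.MaxInt64/mult {
		return 0, fmt.Errorf("memory size %q overflows when converted to bytes", s)
	}
	return n * mult, nil
}

func main() {
	// Constructed sample inputs: a mix of valid sizes and the malformed ones a
	// validator has to reject explicitly rather than guess at.
	samples := []string{"512M", "2g", "1048576", "", "-1G", "1.5G", "512MB", "1 G", "0", "9223372036854775807K"}
	for _, s := range samples {
		if v, err := ParseMemory(s); err != nil {
			fmt.Printf("%-22q rejected: %v\n", s, err)
		} else {
			fmt.Printf("%-22q = %d bytes\n", s, v)
		}
	}
}
```

The design point is that the grammar is closed: anything outside `<digits><unit>` is an error, and the overflow check runs before the multiplication so an attacker-controlled size cannot wrap into a small or negative value that later reasoning would treat as valid.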
We use minimal dependencies and keep them updated:
- Primary dependency: github.com/paketo-buildpacks/libjvm
- Dependabot automatically creates PRs for dependency updates
- All dependencies are reviewed for security issues

Security features:
- Input Sanitization: All user inputs are validated and sanitized
- No Code Execution: Calculator doesn't execute user-provided code
- Minimal Privileges: Runs with minimal required permissions
- Container Ready: Secure container deployment patterns
- Dependency Scanning: Automated dependency vulnerability scanning

Disclosure policy:
- Private Disclosure: Security issues are first disclosed privately to maintainers
- Fix Development: Security fixes are developed privately
- Coordinated Release: Public disclosure happens with fix release
- Credit: Security researchers receive credit (if desired)
For security-related questions or concerns:
- Email: contact@patbaumgartner.com
- Scope: JVM Memory Calculator security issues only
Thank you for helping keep JVM Memory Calculator and our users safe!