Reporting a vulnerability

Email security@asymm.systems. Responsible disclosure policy: acknowledgement within 72 hours, remediation target within 30 days for high-severity issues. Public advisories are published after fixes ship.

Do not file security issues as GitHub Issues on the public repo. Upstream OpenJDK vulnerabilities should be reported to the OpenJDK Vulnerability Group; Eliya-specific issues (patches, packaging, configuration) come to us.

Hardening, always on

Eliya modifies conf/security/java.security in the overlay so hardening is active from the first JVM invocation — no flags required. This is separate from -XX:+UseEliyaDefaults (which controls GC and performance, not security).

| Category | Default | Rationale |
| --- | --- | --- |
| TLS protocols | SSLv3, TLS 1.0, TLS 1.1 disabled | Known-broken. Modern enterprise policy baseline. |
| Minimum key sizes | RSA 2048, DSA 2048, DH 2048, EC 224 | NIST guidance post-2024. |
| Weak cipher suites | RC4, DES, 3DES, MD5 blocked | No legitimate production use case. |
| Ephemeral DH | 2048-bit enforced | Forward secrecy at modern strength. |

If a specific deployment genuinely needs vanilla defaults (legacy interoperability), use -Djava.security.properties==<path-to-vanilla-java.security> (double equals overrides rather than appends). Not recommended for general use.
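The following is an added example, not Eliya's own tooling: a small audit program that checks whether the baseline in the table above is actually in effect in the JVM it runs under. It reads the standard java.security keys jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms and inspects the default SSLContext; the exact strings Eliya ships are an assumption, so the check looks for the documented effects (protocols not offered, weak algorithms listed, keySize rules at or above the baseline) rather than for a literal file.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

/**
 * Added example (not part of Eliya): audit the running JVM against the hardening
 * table on this page. Run under the JDK being audited:  java HardeningCheck.java
 */
public class HardeningCheck {

    // Baseline rows from the table; property values are assumed, effects are checked.
    static final List<String> LEGACY_PROTOCOLS = List.of("SSLv3", "TLSv1", "TLSv1.1");
    static final List<String> WEAK_ALGORITHMS   = List.of("RC4", "DES", "3DES_EDE_CBC", "MD5withRSA");
    static final Map<String, Integer> MIN_KEY_SIZES = Map.of("RSA", 2048, "DSA", 2048, "DH", 2048, "EC", 224);

    // Entries in the disabledAlgorithms properties look like "SSLv3", "RC4",
    // or "RSA keySize < 2048", separated by commas.
    static final Pattern KEY_SIZE_RULE = Pattern.compile("^(\\w+)\\s+keySize\\s*<\\s*(\\d+)$");

    /** Split a disabledAlgorithms-style security property into trimmed entries. */
    static List<String> entries(String propertyName) {
        String raw = Objects.requireNonNullElse(Security.getProperty(propertyName), "");
        List<String> out = new ArrayList<>();
        for (String e : raw.split(",")) {
            if (!e.isBlank()) out.add(e.trim());
        }
        return out;
    }

    /** Map algorithm name -> the "keySize < N" threshold declared in the entries, if any. */
    static Map<String, Integer> keySizeRules(List<String> entries) {
        Map<String, Integer> rules = new HashMap<>();
        for (String e : entries) {
            Matcher m = KEY_SIZE_RULE.matcher(e);
            if (m.matches()) rules.put(m.group(1), Integer.parseInt(m.group(2)));
        }
        return rules;
    }

    /** Returns findings; an empty list means every row of the baseline is in effect. */
    static List<String> audit() throws Exception {
        List<String> findings = new ArrayList<>();
        List<String> tls = entries("jdk.tls.disabledAlgorithms");
        List<String> certpath = entries("jdk.certpath.disabledAlgorithms");

        // Row 1: legacy protocols must not be offered by the default SSLContext.
        List<String> offered = Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
        for (String p : LEGACY_PROTOCOLS) {
            if (offered.contains(p)) findings.add("legacy protocol still offered: " + p);
        }

        // Row 3: weak ciphers/hashes must be present as exact entries. Substring
        // matching would let "DES" pass on the strength of "3DES_EDE_CBC".
        for (String a : WEAK_ALGORITHMS) {
            if (!tls.contains(a)) findings.add("not in jdk.tls.disabledAlgorithms: " + a);
        }

        // Rows 2 and 4: a "keySize < N" rule with N at or above the baseline. The TLS
        // list covers all four algorithms ("DH keySize < 2048" is what refuses weak
        // ephemeral DH); the certpath list is checked for certificate key types only.
        Map<String, Integer> tlsRules = keySizeRules(tls);
        Map<String, Integer> certRules = keySizeRules(certpath);
        for (Map.Entry<String, Integer> row : MIN_KEY_SIZES.entrySet()) {
            String alg = row.getKey();
            int min = row.getValue();
            if (tlsRules.getOrDefault(alg, 0) < min)
                findings.add("jdk.tls.disabledAlgorithms allows " + alg + " keys below " + min);
            if (!alg.equals("DH") && certRules.getOrDefault(alg, 0) < min)
                findings.add("jdk.certpath.disabledAlgorithms allows " + alg + " keys below " + min);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = audit();
        if (findings.isEmpty()) {
            System.out.println("hardening baseline in effect");
        } else {
            findings.forEach(f -> System.out.println("FINDING: " + f));
            System.exit(1);
        }
    }
}
```

Running the same program with -Djava.security.properties==<path-to-vanilla-java.security> is a quick way to confirm that the double-equals form really replaces the overlay: against stock defaults it should report the RSA, DSA and DH thresholds as too low, which is exactly the gap the overlay closes.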

Patch commitment

  • Quarterly CPU: Eliya publishes within two weeks of each upstream OpenJDK CPU (third Tuesday of January, April, July, October).
  • CVE-triggered rebuild: If upstream releases an out-of-cycle patch for a critical CVE, Eliya targets one week to ship.
  • No SLA: Eliya does not today offer commercial support SLAs. The target windows above are commitments, not contractual guarantees. Enterprise support is a Phase 2 consideration.

See the lifecycle page for the forward CPU calendar.

Advisories

Each Eliya release documents the upstream CVEs it addresses plus any Eliya-specific patches. Canonical advisory list: PATCHES.md on GitHub.

TCK compliance

Eliya is built from upstream OpenJDK source and preserves the Technology Compatibility Kit compliance of upstream builds. Asymm Systems has not independently submitted Eliya to Oracle's TCK programme — an independent TCK run is planned for JDK 25.0.3.

This is the honest framing. Eliya is not dishonestly claiming certifications it hasn't earned.

© 2026 Asymm