Thanks for helping keep MapStruct and its users safe. This document describes how to report a security vulnerability in MapStruct and what you can expect from the maintainers in return.
Please do not open a public GitHub issue for security reports. Public issues are indexed and searchable, which makes them a poor fit for coordinated disclosure.
Please report vulnerabilities via GitHub Private Vulnerability Reporting on this repository. Reports made this way are visible only to the maintainers and to you, and give us a shared workspace for triage, patching, and CVE assignment.
When reporting, please include:
- A description of the vulnerability and its impact.
- A minimal reproducer — ideally a small `@Mapper` or project that demonstrates the issue.
- The MapStruct version(s) affected and the JDK / build tool you reproduced on.
- Any suggested mitigation, if you have one.
Security fixes are released for the latest minor version line only. Older minor lines do not receive backports.
| Version | Supported |
|---|---|
| Latest minor | ✅ |
| Older minor lines | ❌ |
In scope — vulnerabilities in:
- The MapStruct annotation processor (the `processor` module).
- The public runtime API in the `core` / `core-jdk8` modules.
- Code generated by the processor, where the processor itself is the root cause.
Out of scope for this repository's security policy:
- The mapstruct.org website and the `mapstruct/mapstruct.org` repository.
- Third-party integrations (Spring, CDI, etc.) — please report those to the integration's own maintainers.
- The examples repository.
- Vulnerabilities in code a user wrote that happens to use MapStruct, when the processor behavior is correct.
If you are unsure whether something is in scope, report it anyway and we will route it.
Once you have reported, you can expect:
- Acknowledgement within 48 hours of your report.
- A status update at least weekly until the issue is resolved or closed.
- A disclosure timeline coordinated with you, targeting 90 days or less from the initial report. We may push for a faster timeline on actively exploited or high-severity issues.
- A CVE assigned via the GitHub Security Advisory flow.
- Credit in the published advisory unless you ask us not to.
- A patch release to Maven Central and a public announcement at the agreed disclosure time.
- If we determine your report is out of scope or does not constitute a vulnerability, we will tell you promptly via the same private channel — you will not be left without a response.
For the internal process MapStruct maintainers follow once a security report arrives — triage, severity assignment, private fix development, release, and announcement — see `.github/INCIDENT_RESPONSE.md`.