Security fixes are implemented as fast as possible and released for all currently supported versions. The fix is mentioned in the release notes, and we also send a separate security notification email to all our registered users, explaining the issue and how to fix it (typically by updating to a new maintenance version).
If a developer or user finds a potential security issue, they can report it directly to email@example.com. The issue is reviewed and fixed internally, before publishing to GitHub. See https://vaadin.com/security/ for more details.
If the issue is minor and public discussion is OK, issues can reported directly in GitHub.
All code that’s committed at Vaadin goes through an internal code review before it’s merged. Each change is also run against our existing battery of tens of thousands of unit, integration and behavior tests that have to be passed in order for the merge to be accepted.
Developers are also encouraged to actively think about security issues while developing the framework and its parts. At Vaadin, we take security seriously. Anyone can escalate an issue that they think might be a security issue, and investigating the issue is given priority over other tasks.
Vaadin always updates dependencies on third-party libraries when security patches for them are released. When necessary, a new maintenance version of Vaadin is created to apply the fix.
Usually, developers can also specifically update versions of external libraries using Maven, if updated versions of Vaadin libraries aren’t yet available.
This is done by adding a new dependency definition to the project
pom.xml file with the required library and version number.
This causes Maven to override the Vaadin-defined version of the dependency with whichever version the developer specified.