We apply security updates to the latest language (2.x.0) or tooling release (2.x.20) of the compiler and build plugins.

We also ship fixes with the next incremental (2.x.y) or bug fix release (2.x.yz).

We apply all fixes to the master branch so they are included in upcoming releases.

Starting with Kotlin 2.4.0, the Kotlin standard library for the JVM has an 18-month support window for each release line. Language releases (2.x.0) and the following tooling releases (2.x.20) belong to the same release line (2.x).

If we discover a security vulnerability that affects the Kotlin standard library for the JVM, we ship the following simultaneously:

• A bug fix release based on the latest Kotlin release in the release line that includes the security fix.
• Bug fix releases for every release line within its active support window.

For example, if we discover a security vulnerability and the latest Kotlin release is Kotlin 2.4.20, we release a bug fix version for Kotlin 2.4.20 only. We don't release a bug fix version for Kotlin 2.4.0.

For the latest information, see Standard library security support.

You can find instructions for reporting a vulnerability on the Security page.