The Serenity BDD project actively maintains the most recent major and minor versions of the Serenity core libraries.
Security fixes are generally applied to:
- The latest released version
- The previous minor release (when feasible)

Older versions may not receive security patches. Users are encouraged to stay up to date with the latest release.

If you discover a security vulnerability in Serenity BDD, please do not create a public GitHub issue.
Instead, report it securely via the Tidelift coordinated disclosure process:
👉 https://tidelift.com/security
Tidelift will work with the project maintainers to:
- Review the report
- Coordinate the fix
- Manage a responsible disclosure process

This ensures that security issues are handled quickly, safely, and in a way that protects the wider ecosystem.

To help us assess your report efficiently, please include (when possible):
- A clear description of the vulnerability
- Steps to reproduce
- Expected vs actual behavior
- Versions of Serenity BDD and relevant dependencies
- Any suggested mitigations or patches

We appreciate all responsible security research.

When a vulnerability is confirmed:
- A fix will be developed privately.
- A patched release will be published to Maven Central.
- A security advisory will be issued (via GitHub Security Advisories and/or Tidelift).
- Users will be encouraged to upgrade.