Security: projectlombok/lombok

SECURITY.md

Security Policies and Procedures

Lombok only runs during compilation and is not required on your servers or in your application's distribution. Nevertheless, the Project Lombok team and community take all security bugs seriously.

Reporting a Bug

To report a security vulnerability, please follow the procedure described in the Tidelift security policy.

Alternatively, you can send us an email privately via security@projectlombok.org.

Disclosure Policy

When we receive a security bug report, it will be assigned a primary handler. This person will coordinate the fix and release process. In case this process requires additional resources beyond the scope of what the core contributors of Project Lombok can reasonably supply, we will inform the Tidelift security team for additional help and coordination. This process will involve the following steps:

  • Inventory all affected versions, along with the affected platform(s) that Lombok runs on.
  • Audit the code to find any potentially similar problems.
  • Prepare fixes for all releases, push them out to all distribution channels including the Maven Central repository, and make every reasonable effort to get the affected versions flagged as affected.

Comments on this Policy

Any comments on this policy or suggestions for improvement can be discussed on our forum; for comments or suggestions that contain sensitive information, send us an email instead.

There aren’t any published security advisories