To shore up Java’s security, a private group that operates outside the normal open source community process is under consideration.
The proposed OpenJDK (Java Development Kit) Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them. Coordinating the release of fixes also would be part of the group’s mandate. (Java SE, the standard edition of Java, has been developed under the auspices of OpenJDK.)The vulnerability group and Oracle’s internal security teams would work together, and it may occasionally need to work with external security organizations.
The group would be unusual in several respects, and thus requires an exemption from OpenJDK bylaws. Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle.
“These requirements do, strictly speaking, violate the OpenJDK bylaws,” Reinhold said. “The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements.”
If the Java security group is approved, Andrew Gross, leader of Oracle’s internal Java vulnerability team, would lead it.
Currently, there is no organized discussion of security vulnerabilities in the OpenJDK community. Non-Oracle organizations shipping binary products based on OpenJDK code bases—such as IBM, Red Hat, and SAP—mostly handle security vulnerabilities on their own, with occasional help through private communication with Oracle. Most private communication that does occur is focused on distributing fixes rather than developing them. This current setup is inefficient, the proposal says.
Java has had its share of security maladies over the years, with Oracle tackling several issues after taking over Java from Sun Microsystems in 2010. For example, Oracle last year decided to move away from the Java browser plug-in, which had caused security issues in the platform.