Need help with setup, performance tuning, or custom SMPP development? Talk to us →

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues. Use one of these private channels instead:

Include the affected version, a description of the issue and its impact, and steps or a proof-of-concept to reproduce it. We acknowledge reports within 72 hours, triage with a severity estimate within 7 days, and target fixes for confirmed issues at the next patch release. Reporters are credited unless they prefer anonymity.

A machine-readable policy lives at /.well-known/security.txt (RFC 9116).

Supported versions

ProjectVersionStatus
smpp-core1.0.x (latest patch) Supported - receives security and bug fixes
smpp-kafka-producer2.1.x (latest patch) Supported - receives security and bug fixes
Older releases-Unsupported - upgrade to the latest patch

Security fixes ship on the newest release line. Because both projects follow semantic versioning, upgrading to the latest patch within your minor version is designed to be a drop-in change.

What we consider in scope

smpp-core parses untrusted network input - SMPP PDUs from peers you may not control. Malformed-PDU handling, decoder resource exhaustion, and TLS configuration issues are all in scope and taken seriously. smpp-kafka-producer additionally exposes an HTTP/2 REST API and ships as a container, so authentication bypasses, HTTP endpoint issues, and deployment hardening gaps are in scope there.

Dependency vulnerabilities are tracked continuously with Dependabot and CodeQL, and addressed in patch releases.

Versioning & support policy

  • Semantic versioning. Patch releases (1.0.x) contain only fixes and dependency updates. Minor releases may add features but not break public API. Any breaking change means a major version.
  • Java baseline. smpp-core targets Java 21 LTS. The baseline only moves to a newer LTS in a major release, announced ahead of time.
  • SMPP compatibility. SMPP 3.4 wire compatibility is a stability guarantee - protocol behavior changes are treated as breaking.
  • Deprecation. Public API is deprecated for at least one minor release before removal in a major.

Every release is published to Maven Central with GPG-signed artifacts, and documented on the releases page.