Security
How to report vulnerabilities, what we support, and the commitments behind each release.
Reporting a vulnerability
Please do not report security vulnerabilities through public GitHub issues. Use one of these private channels instead:
- GitHub private vulnerability reporting (preferred): smpp-core · smpp-kafka-producer
- Email: [email protected] with the subject line
[SECURITY]
Include the affected version, a description of the issue and its impact, and steps or a proof-of-concept to reproduce it. We acknowledge reports within 72 hours, triage with a severity estimate within 7 days, and target fixes for confirmed issues at the next patch release. Reporters are credited unless they prefer anonymity.
A machine-readable policy lives at /.well-known/security.txt (RFC 9116).
Supported versions
| Project | Version | Status |
|---|---|---|
| smpp-core | 1.0.x (latest patch) | ✓ Supported - receives security and bug fixes |
| smpp-kafka-producer | 2.1.x (latest patch) | ✓ Supported - receives security and bug fixes |
| Older releases | - | Unsupported - upgrade to the latest patch |
Security fixes ship on the newest release line. Because both projects follow semantic versioning, upgrading to the latest patch within your minor version is designed to be a drop-in change.
What we consider in scope
smpp-core parses untrusted network input - SMPP PDUs from peers you may not control. Malformed-PDU handling, decoder resource exhaustion, and TLS configuration issues are all in scope and taken seriously. smpp-kafka-producer additionally exposes an HTTP/2 REST API and ships as a container, so authentication bypasses, HTTP endpoint issues, and deployment hardening gaps are in scope there.
Dependency vulnerabilities are tracked continuously with Dependabot and CodeQL, and addressed in patch releases.
Versioning & support policy
- Semantic versioning. Patch releases (1.0.x) contain only fixes and dependency updates. Minor releases may add features but not break public API. Any breaking change means a major version.
- Java baseline. smpp-core targets Java 21 LTS. The baseline only moves to a newer LTS in a major release, announced ahead of time.
- SMPP compatibility. SMPP 3.4 wire compatibility is a stability guarantee - protocol behavior changes are treated as breaking.
- Deprecation. Public API is deprecated for at least one minor release before removal in a major.
Every release is published to Maven Central with GPG-signed artifacts, and documented on the releases page.