Pi4J is a project of the Commonhaus Foundation.
This document explains how to report security issues for Pi4J.
This project follows the Commonhaus Foundation Security Policy.
Please report suspected security issues privately.
- Email report@pi4j.com.
- Do not open a public issue for suspected vulnerabilities.
When reporting, please include:
- A description of the issue and affected versions
- Steps to reproduce (ideally a minimal proof-of-concept)
- Assessment of potential impact
- Your contact information
- Any specific requests, such as anonymity for you and/or the organization you represent
We aim to handle reports quickly and responsibly.
- Our goal is to acknowledge reports as soon as possible.
- We will provide an initial assessment as capacity allows.
- Progress updates will be shared until resolution.
- Disclosure will be coordinated with the reporter, and credit given unless anonymity is requested.
By default, Pi4J does not accept long embargoes. Security reports will usually become public once a fix is available and confirmed. A short embargo may be considered in exceptional cases (e.g., downstream user protection), but is not guaranteed.
Reporters should understand that:
- This project's security reports are handled by volunteers.
- Reports with clear steps, proof-of-concept, or test cases help us respond faster.
- Respecting maintainer capacity and workload benefits the community overall.
This policy applies to the Pi4J codebase and related artifacts. We currently support security fixes for V4 and V5 of Pi4J's core library.
Older versions may not receive patches; in such cases we advise upgrading to a supported version.
We may document known security issues or our response status when appropriate. This helps users understand our process and sets realistic expectations.