Thank you for your collaboration keeping Thymeleaf safe and secure. If you believe you have found a security issue in Thymeleaf, please notify us so that we can work with you in its prompt resolution.

• Let us know as soon as possible by sending an email to [email protected].
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. Especially, do not create a GitHub issue ticket yourself talking about the vulnerability. We may publicly disclose the issue before resolving it, but only if appropriate.

We will credit the reporter of a confirmed vulnerability in the GitHub ticket created for publishing it (typically once it is fixed).

We reserve the right to consider out of the scope of Thymeleaf's security:

• Developer bad practices and inadequate uses of Thymeleaf that effectively create the vulnerability in the applications being developed with Thymeleaf.
• Attacks requiring physical access to the machine Thymeleaf is running on.
• Issues in Thymeleaf's software dependencies which should be reported to these dependencies' maintainers.

Versions of Thymeleaf look like X.Y.Z, meaning X = Major, Y = Minor and Z = patch. We recommend keeping Thymeleaf dependencies in applications upgraded to the latest patch version.

Also please note that, in general, only the latest minor version will be considered supported and will receive timely updates and security patches.

Published artifacts for Thymeleaf, such as JARs released on Maven Central, are signed with GPG keys that can be verified at the Thymeleaf Organization Repository