Hi Venkat,

> Is there a way to keep track of security vulnerabilities discovered in Apache
> POI?

I know the following sources:

- the official CVE list: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-22766/Apache-POI.html
- our change list, which does not necessarily point out security issues: http://poi.apache.org/changes.html
- our sonar instance reports vulnerabilities: https://sonarcloud.io/dashboard?id=poi-parent
- you can verify the source commits / logs, if you like ... but usually we don't write "ATTENTION severe vulnerability" into it ...
- and like every Apache project, we have a private mailing list, which is only available to committers, where every now and then (maybe once every 1/2 year), we discuss security issues.

Best wishes,
Andi
