To shore up Java’s security, a private group that operates outside the normal open source community process is under consideration.
The proposed OpenJDK (Java Development Kit) Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them. Coordinating the release of fixes also would be part of the group’s mandate. (Java SE, the standard edition of Java, has been developed under the auspices of OpenJDK.)
The vulnerability group and Oracle’s internal security teams would work together, and it may occasionally need to work with external security organizations.