Quick announcement: Jackson 2.9 support (releasing new micro-patches) will end on December 31, 2020. But before this, starting September 15, 2020, a new criterion will be used on the kinds of vulnerabilities that will be accepted to be worked on (and for which CVE IDs will be allocated by the project).
This is outlined on the Wiki:
but the basic idea is that we will only accept reports for "gadget" classes in:
* JDK 8 (or later)
* Publicly available, "popular enough" libraries with 20 or more dependencies from other libraries (as per https://mvnrepository.com)
This criterion is added since a few classes have been reported on libraries that do not seem to be used by anything else; I think security researchers are now scanning the full set of libraries and over time will find matches from things no one uses, and there is no value in adding blocks in such cases.
-+ Tatu +-