Documentation versions (currently viewingVaadin 24)

Security Practices at Vaadin

Provides an overview of the steps Vaadin takes to ensure an application remains secure.

Vaadin takes several steps to ensure your application remains secure. They’re described here.

Releasing Security Patches

Security fixes are implemented as fast as possible and released for all currently supported versions. The fix is mentioned in the release notes, and Vaadin also sends a separate security notification email to all Vaadin registered users, explaining the issue and how to fix it (typically by updating to a new maintenance version).

How Users Can Report Security Issues

If a developer or user finds a potential security issue, they can report it directly to The issue is reviewed and fixed internally, before publishing to GitHub. See for more details.

If the issue is minor and public discussion is OK, issues can reported directly in GitHub.

Internal Security Practices

All code that’s committed at Vaadin goes through an internal code review before it’s merged. Each change is also run against Vaadin existing battery of tens of thousands of unit, integration and behavior tests that have to be passed in order for the merge to be accepted.

Developers are also encouraged to actively think about security issues while developing the framework and its parts. Vaadin takes security seriously. Anyone can escalate an issue that they think might be a security issue, and investigating the issue is given priority over other tasks.

Third-Party Libraries

Vaadin always updates dependencies on third-party libraries when security patches for them are released. When necessary, a new maintenance version of Vaadin is created to apply the fix.

Usually, developers can also specifically update versions of external libraries using Maven, if updated versions of Vaadin libraries aren’t yet available. This is done by adding a new dependency definition to the project pom.xml file with the required library and version number. This causes Maven to override the Vaadin-defined version of the dependency with whichever version the developer specified.