If you discover a security vulnerability in tantivy4java, please report it privately. Do not file a public issue.
Use GitHub's private vulnerability reporting: https://github.com/indextables/tantivy4java/security/advisories/new
This routes your report directly to the maintainers and keeps the details confidential until a fix is available.
Include the following in your report:
- A description of the issue and its potential impact
- Steps to reproduce, including affected versions and platforms
- Any proof-of-concept code or test cases (where safe to share)
- Suggested mitigation, if known
The maintainers will acknowledge receipt of your report and work with you on a coordinated disclosure timeline. Fixes are released as patch versions of the affected components, with a security advisory published once the fix is available.
Security fixes target the latest minor release line. Older versions are supported on a best-effort basis.
This policy covers the tantivy4java library and its native components. For vulnerabilities in upstream Tantivy or Quickwit, please report to those projects directly: