At the moment, Find Security Bugs is only supporting the latest version.
Previous versions can be used but they are not recommended. Rules that are removed are usually considered obsolete. The API SpotBugs does not change enough to have breaking changes.
The attack surface of Find Security Bugs is limited. The plugin is not accepting user input other than the source code model. We do not connect to any services at runtime. That said, we still encourage any report related to security.
We are welcoming reports affecting the following:
- Find Security Bugs users
- Find Security Bugs infrastructure integrity
The current point of contact is @h3xstream on Twitter. Send a short summary (a line or two) of the issue you found. Further instructions will be given to you if more details are needed.