Non-Oracle organisations shipping binary products based on OpenJDK code bases, such as IBM, Red Hat, and SAP, mostly handle security vulnerabilities on their own, with occasional help through private communication with Oracle. Most private communication …