Please open a draft security advisory if you need to disclose and discuss a security issue in private with the Spring Framework team. Note that we only accept reports against supported versions.
For more details, check out our security policy.
Spring Framework JARs released on Maven Central are signed. You'll find more information about the key here: https://spring.io/GPG-KEY-spring.txt