PALO ALTO, Calif., June 08, 2026 (GLOBE NEWSWIRE) -- Today, Broadcom Inc. (NASDAQ: AVGO), a global technology leader that designs, develops, and supplies semiconductor and infrastructure software solutions, announced significant security investments for the Spring and Java ecosystem, relied on by over half of Fortune 500 companies.
To help the Spring community navigate an unprecedented surge in AI-detected security threats, Broadcom’s Tanzu business released the largest set of Spring security updates to open source in Spring’s 23-year history. Additionally, for customers, Broadcom is extending its proven clean-room build architecture, foundational to Bitnami, to build the Java dependencies for the entire Spring ecosystem. These investments aim to protect the integrity of Spring and prepare Broadcom’s customers for the continued rise in AI-enabled security threats.
Recent federal action establishing a national clearinghouse to coordinate and prioritize software vulnerability remediation underscores the core challenge: threat discovery is accelerating, and the bottleneck has shifted to the speed of remediation.
“Spring is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security,” said Purnima Padmanabhan, Vice President and General Manager, Tanzu Division, Broadcom. “Because we maintain Spring and are the sole committers, we can better secure it at the source for everyone who depends on it. This investment is about two things we will never separate: the health of the Spring community and the security of our customers who trust Spring to run their business.”
Recent advancements in foundation models have driven an explosion of newly detected security vulnerabilities while shrinking the time-to-exploit window following vulnerability disclosure. The number of monthly security advisories reported to Broadcom by the Spring community alone increased over 1700% from March to April 2026. In response, Broadcom’s Spring engineering team has significantly scaled its investment in advanced AI-assisted security analysis, including frontier model–based scanning and validation workflows to proactively identify vulnerabilities, assess remediation paths, and validate fixes across the dependency ecosystem.
Day Zero access to validated, CVE-only patches for Tanzu Spring customers
In addition to these security initiatives, Tanzu Spring now provides customers with day zero access to validated common vulnerabilities and exposures (CVE) patch-only releases via the Spring Enterprise Repository before patches are released to open source. CVE-only patches isolate the security fix from any other change, allowing customers to remediate faster, shrinking the window of exposure. By utilizing Tanzu Spring’s private artifact repositories, customers can be confident that the artifacts are the official, validated patches from Broadcom, the steward of Spring. As always, Broadcom will continue to issue CVEs for all versions of every Spring project under open source support and older versions under Tanzu Spring enterprise support. Broadcom’s VMware Tanzu Spring enterprise support includes:
- Certified source for secure Spring libraries
- Commercial-first release of patches for both current and older, enterprise supported versions
- Access to dependent Java binaries
- Automated, deterministic upgrades with Spring Application Advisor
- Exclusive Tanzu Spring components for governance and security
- 24x7 support, hands-on expertise and access to the Spring team
Securing the Java Software Supply Chain for Spring
As part of this expanded investment in securing the Spring ecosystem and its dependencies, Tanzu Spring customers will now have access to:
- Secured, SLSA Level 3–validated software supply chain for Java dependencies.
- Coverage that spans the full transitive dependency graph managed by the Spring Boot bill of materials.
- Thousands of secured dependencies, built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 of them; across the full supported portfolio, that totals more than 100,000 validated dependency builds.
This extensive investment to provide Spring customers with a clean room-built, verifiable software supply chain across all supported versions of Spring represents a leap forward in strengthening trust, transparency, and resilience across one of the world’s most widely adopted Java application development platforms. This capability gives customers validated dependencies across both current and end-of-life Spring versions, helping customers reduce software supply chain risk while continuing to benefit from the productivity and consistency of Spring Boot's dependency management model.
Broadcom is also committed to helping customers apply patches faster to keep up with today’s AI-enabled security threats. Broadcom enables customers to assess their application estate, both in source code and running applications, and deterministically recommend and implement upgrades. Broadcom offers capabilities like Tanzu Platform, Tanzu Build Service and buildpacks that better secure the build and deployment of Java applications and allow a single fix to propagate across the application portfolio.
For more information
Read Spring and Security in the Times of AI
Read How to Prepare for the World of AI-Driven Exploits
Watch Spring Vulnerability Update video
Learn about Tanzu Spring for enterprise support
About Broadcom
Broadcom Inc. (NASDAQ: AVGO) is a technology leader that designs, develops, and supplies semiconductors and infrastructure software for global organizations’ complex, mission-critical needs. Broadcom combines long-term R&D investment with superb execution to deliver the best technology, at scale. Broadcom is a Delaware corporation headquartered in Palo Alto, CA. For more information, visit www.broadcom.com.
Media contact:
John D’Avolio
Tanzu Division, Broadcom
john.davolio@broadcom.com
Telephone: +1 503 308 3096


