I know this question might be kind of broad. There may be some exceptions.
Suppose I compiled with Java 6 jdk, but than ran with Java 7 jre. Would the application be vulnerable to Java 6 exploits or java 7 exploits? Or would it be some combination?
Assuming it is a combination, how do you tell which issues are caused by the jdk compile, and which are caused by the jre?
I contacted Oracle. Basically, they confirmed the JRE is what matters, not the JDK. I don't know of any publically available information to support this, but I did get the information from Oracle, in a help issue.