We highly appreciate everyone who responsibly reports security issues to us: a diverse mix of community members, independent security researchers, software auditing firms, etc.
When we release a fix for a vulnerability in one of our projects, we publish a security advisory crediting the reporter and distribute it through the relevant Apache mailing lists, the oss-security list and the CVE programme. This way, we proactively signal to our users that they need to upgrade.
The Apache Software Foundation, being a volunteer organization, does not run a bug bounty program. However, some Apache projects are covered by third-party bounty programs such as the HackerOne Internet Bug Bounty.
Valid reports about the ASF's own infrastructure (websites, build systems, administrative tools) are typically not eligible for a CVE: the fix is applied on our side, so downstream users do not need to take any action and therefore do not need to be notified.
Still, as a token of our appreciation, we’d like to thank a number of such reporters here:
- Aviv Keller for helping identify a number of XSS problems in various Apache project websites, and for helping fix a large number of complex GitHub Actions permissions issues.
- Harish for working with us to resolve a GitHub Actions issue.
- Li Jiantao of STAR Labs SG Pte. Ltd. for reporting a problem with an internal administrative tool.
- Gaurang Maheta for notifying us of a remaining reference to polyfill.io on an ASF domain.
- Ahmed Ghazy for notifying us of leaked credentials.