Reporting security issues

We strongly encourage you to report potential security vulnerabilities privately, before disclosing them in a public forum.

Please select:

  • Infrastructure: if you found a potential issue with ASF infrastructure such as the apache.org websites, email infrastructure or version control systems
  • Dependencies: if you found an advisory for a library in the dependency tree of an ASF project or artifact
  • ASF code: if you found a potential issue in the codebase of an ASF project

If you do not want to report an issue in any of the three categories above, but instead have a question such as:

  • how to configure the package securely
  • whether a published vulnerability applies to specific versions of the Apache packages you are using
  • whether a published vulnerability applies to the configuration of the Apache packages you are using
  • obtaining further information on a published vulnerability
  • the availability of patches and/or new releases to address a published vulnerability

… then we recommend contacting the project on its regular, open communication channels, such as its ‘users’ mailing list.