Reporting security issues in ASF infrastructure
We strongly encourage you to report potential security vulnerabilities privately, before disclosing them in a public forum.
ASF infrastructure includes the apache.org websites, email infrastructure and version control systems.
There are some classes of common reports that we consider invalid up-front:
- We already know our mailservers do not use DKIM/DMARC. We plan to support this in the future, but this is nontrivial given our strong reliance on mailinglists.
- As an open source organization with transparency at our core, read access to directory listings, source code repositories and build servers is intentionally public.
- Systems that disclose the versions of the servers and software we use
- Data that is publicly accessible in our bug tracking systems
If you think you have found an infrastructure issue other than the ones listed above, contact root@apache.org