Reporting security issues in ASF infrastructure

We strongly encourage you to report potential security vulnerabilities privately, before disclosing them in a public forum.

ASF infrastructure includes the apache.org websites, email infrastructure and version control systems.

There are some classes of common reports that we consider invalid up-front:

We already know our mailservers do not use DKIM/DMARC. We plan to support this in the future, but this is nontrivial given our strong reliance on mailinglists.
As an open source organization with transparency at our core, read access to directory listings, source code repositories and build servers is intentionally public.
Systems that disclose the versions of the servers and software we use
Data that is publicly accessible in our bug tracking systems

If you think you have found an infrastructure issue other than the ones listed above, contact root@apache.org