The Apache Security Team exists to provide help and advice to Apache projects on security issues and to provide co-ordination of the handling of security vulnerabilities. All members of the Security Team are also members of the Apache Software Foundation.


We strongly encourage folks to report security vulnerabilities to one of our private security mailing lists first, before disclosing them in a public forum.

A list of security contacts for Apache projects is available. If you can't find a project-specific security e-mail address and you have an undisclosed security vulnerability to report, please use the general security address below.

Please note that the security mailing lists should only be used for reporting undisclosed security vulnerabilities in Apache products and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at these addresses. All mail sent to these addresses that does not relate to an undisclosed security problem in an Apache product will be ignored.

Also note that the security team handles vulnerabilities in Apache products, not running ASF services. All reports of vulnerabilities in running ASF services should be sent to root@apache.org only.

The general security mailing list address is: security@apache.org. This is a private mailing list and only members of the Apache Security Team are subscribed.

