Reporting a vulnerability


Please do not report security issues using our public Github instance. Use the private mailing list described below.

If you believe you’ve found a security issue or a vulnerability, please send a description of it to our private mailing list at

You are also encouraged to encrypt this email using PGP. Keys of our developers can be found at

Once you’ve submitted an issue, you should receive an acknowledgment from one our of team members in 48 hours or less. If further action is necessary, you may receive additional follow-up emails.

How are vulnerabilities handled?

We follow a standard Apache Software Foundation vulnerability handling process which is described at