The Apache Software Foundation takes security issues very seriously. We appreciate your efforts to responsibly disclose your findings.
If you discover a security vulnerability in Apache GeaFlow (Incubating), please report it through one of the following methods:
Please send your security vulnerability report to the Apache Security Team at:
You can also report to the GeaFlow project team directly at:
When reporting a security vulnerability, please include the following information:
- Description: A detailed description of the vulnerability
- Impact: The potential impact and severity of the issue
- Affected Versions: Which versions of GeaFlow are affected
- Steps to Reproduce: Clear steps to reproduce the vulnerability
- Proof of Concept: If possible, provide a proof-of-concept or example code
- Suggested Fix: If you have suggestions for fixing the issue, please include them

After you submit a report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 3 business days
- Updates: We will send you updates on the progress of fixing the vulnerability
- Credit: If you wish, we will credit you in the security advisory when the issue is fixed
- Timeline: We aim to address critical security issues as quickly as possible, typically within 90 days
We kindly ask that you:
- Do not disclose the vulnerability publicly until we have had a chance to address it
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Provide us with a reasonable amount of time to fix the issue before any public disclosure
Security fixes will be released as part of regular GeaFlow releases and announced through:
- Apache GeaFlow mailing lists
- The project's GitHub Security Advisories
- Apache Software Foundation security announcements