Reporting Security Issues

Reporting Security Issues

The Apache Software Foundation takes a strict stance on eliminating security issues in its software projects. Apache Dubbo is very sensitive to issues related to its functionality and features and addresses them promptly.

Reporting Vulnerabilities

If you have concerns about the security of Dubbo, or if you discover vulnerabilities or potential threats, please email the Apache Dubbo security team at security@dubbo.apache.org. In your email, specify a description of the issue or potential threat. You are also encouraged to suggest ways to reproduce and replicate the issue. The Dubbo community will reach out to you after evaluating and analyzing the investigation results.

Please note to report security issues in a secure email before making the issue public.

Vulnerability Handling

An overview of the vulnerability handling process is:

  • The reporter secretly reports the vulnerability to Apache.
  • The corresponding project’s security team collaborates privately with the reporter to resolve the vulnerability.
  • A new version of the relevant Apache product containing the fix is produced.
  • The vulnerability is publicly announced.

For a detailed description of this process, please see here

Last modified September 30, 2024: Fix compile (8c81bb93b5)