Security Vulnerability Disclosure
The Apache Software Foundation (ASF) takes a strict stance on security issues in its software projects. Apache Doris also pays close attention to security issues related to product features and functionality. This page describes how to report security vulnerabilities or potential threats to Doris through the official ASF process.
Reporting Channel Quick Reference
| Item | Description |
|---|---|
| Recipient | Apache Security Team |
| Email address | security@apache.org |
| Project name | Always specify Doris in the email |
| Disclosure principle | Do not disclose the vulnerability through any public channel before submitting the email |
Reporting Steps
- Compose the email: Send it to security@apache.org, and make sure the subject and body clearly identify the project name as Doris.
- Describe the issue: Clearly state the impact scope, affected versions, and possible attack scenarios of the vulnerability or potential threat.
- Attach reproduction steps: Provide minimal reproduction steps, a PoC, or log snippets that reproduce the security issue.
- Wait for a reply: The Apache Security Team and the Doris community will contact you directly after evaluation and analysis.
Important Notes
- Do not disclose publicly: Do not discuss the vulnerability on any public channel, including GitHub Issues, mailing lists, Slack, or social media, before receiving a reply from the security team and coordinating a disclosure window.
- Do not use the regular feedback channels: Security issues must not be submitted through GitHub Issues or the dev mailing list described in Feedback.
- Follow responsible disclosure: For the full process, see the ASF Security Disclosure Policy.
Related Links
- ASF Security Team Home
- Feedback: Channel for non-security issues.
- Join the Community: Other community communication channels.