Apache APISIX follows the Apache Software Foundation's vulnerability-disclosure policy. Please report security vulnerabilities to the ASF Security team at security@apache.org per https://www.apache.org/security/.

The project's threat model is at docs/en/latest/security-threat-model.md. Maintainers and automated security tooling consult that document to determine what counts as a security vulnerability in Apache APISIX, what is out of scope, and what triage dispositions apply.