Apache APISIX follows the Apache Software Foundation's vulnerability-disclosure policy. Please report security vulnerabilities to the ASF Security team at security@apache.org per https://www.apache.org/security/.
The project's threat model is at
docs/en/latest/security-threat-model.md.
Maintainers and automated security tooling consult that
document to determine what counts as a security
vulnerability in Apache APISIX, what is out of scope, and
what triage dispositions apply.