apache-waf-api is experimental and NOT production-ready.

Use at your own risk. Security vulnerabilities are expected during early development.

If you discover a security vulnerability, please report it responsibly.

Email: [email protected]

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Resolution: Depends on severity and complexity

1. We'll acknowledge receipt of your report
2. We'll investigate and assess the issue
3. We'll work on a fix
4. We'll credit you in the release notes (unless you prefer otherwise)

We follow coordinated disclosure:

1. Reporter notifies us privately
2. We investigate and develop a fix
3. We release the fix
4. We publicly disclose after patch is available

Please allow reasonable time for us to address issues before public disclosure.