For the assumptions, trust boundaries, scope, and what Apache StormCrawler considers a security vulnerability, see the Apache StormCrawler Security Model.
Please report security vulnerabilities privately following the ASF security process — email [email protected]. Do not open public GitHub issues for security reports.