Do NOT report security vulnerabilities through public GitHub issues.
Please report security vulnerabilities to the Apache Security Team by emailing [email protected]. This is a private mailing list. Please send one plain-text, unencrypted email for each vulnerability you are reporting.
The ASF Security Team coordinates the handling of all security vulnerabilities for Apache projects. The vulnerability handling process is:
- The reporter reports the vulnerability privately to Apache
- The appropriate project's security team works privately with the reporter to resolve the vulnerability
- The project creates a new release of the package the vulnerability affects to deliver its fix
- The project publicly announces the vulnerability and describes how to apply the fix
For complete details on reporting and the process, see the ASF Security Team page.
This security policy applies to:
- The ATR application (including web interface and API)
- Documentation and examples in this repository
Out of scope:
- Third-party dependencies (report to the respective project)
- ASF infrastructure not specific to ATR (report to ASF Infrastructure at [email protected])
We are grateful to security researchers who help us improve ATR. With your permission, we will acknowledge your contribution in release notes.
For more information about ATR security:
- Authentication documentation - How users authenticate to ATR
- Authorization documentation - Access control model
- Input validation documentation - Data validation patterns
ATR is a continuously deployed service. We address security issues in the current production version. There are no separately maintained release branches at this time.