This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/main by this push:
new c885fb5d9 docs(security): links security reporting with security guideline (#300)
c885fb5d9 is described below
commit c885fb5d9f8dadca258d86e3785a2902fe7311c0
Author: Lukasz Lenart <[email protected]>
AuthorDate: Wed May 27 07:37:25 2026 +0200
docs(security): links security reporting with security guideline (#300)
---
source/security.md | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source/security.md b/source/security.md
index 85e48fc53..445b7c2e0 100644
--- a/source/security.md
+++ b/source/security.md
@@ -7,7 +7,7 @@ title: Security Issues
> Please read more detailed guideline
> [here](https://github.com/apache/struts/blob/main/SECURITY.md).
-The Apache Struts project takes a very active stance in eliminating security
problems and denial of service attacks against applications using the Apache
Struts framework.
+The Apache Struts project takes a very active stance in eliminating security
problems and _denial of service_ attacks against applications using the Apache
Struts framework.
**We strongly encourage folks to report such security problems to our private
security mailing list first, before disclosing them in a public forum**.
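Review bot: this hunk only wraps "denial of service" in underscores and does not relate to the linking of the reporting page with the security guideline that the commit message describes; either mention the emphasis change in the message or keep it in a separate cosmetic commit so the history stays easy to audit.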
@@ -15,8 +15,12 @@ We cannot accept regular bug reports or other queries at
this address, we ask th
> All mail sent to this address that does not relate to security problems in
> the Apache Struts source code will be ignored`.
-Note that all networked servers are subject to denial of service attacks, and
we cannot promise magic workarounds to generic problems (such as a client
streaming lots of data to your server, or re-requesting the same URL
repeatedly). In general our philosophy is to avoid any attacks which can cause
the server to consume resources in a non-linear relationship to the size of
inputs.
+Note that all networked servers are subject to _denial of service_ attacks,
and we cannot promise magic workarounds to generic problems (such as a client
streaming lots of data to your server, or re-requesting the same URL
repeatedly). In general, our philosophy is to avoid any attacks, which can
cause the server to consume resources in a non-linear relationship to the size
of inputs.
The mailing address is:
[[email protected]](mailto:[email protected])
+## Security guideline
+
+The project also provides a detailed [security guideline](security/index) with
many _ready-to-use_ advice and hardening options. Read it through before
reporting any potential vulnerability in the framework.
+
[The Apache Security Team](https://www.apache.org/security/)
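Review bot: the added sentence "with many _ready-to-use_ advice and hardening options" is ungrammatical, since "advice" is uncountable; suggest "with much _ready-to-use_ advice and many hardening options" or "with many _ready-to-use_ recommendations and hardening options". Separately, the comma inserted in "to avoid any attacks, which can cause the server to consume resources" turns a restrictive clause into a non-restrictive one and changes the meaning (it now reads as though all attacks cause non-linear resource use); the original wording without the comma should be kept. While this paragraph is being touched, the unchanged context line "> the Apache Struts source code will be ignored`." carries a stray backtick after "ignored" that could be removed in the same change.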