Reporting potential security issues

[Florian Weimer]

What are your preferences for reporting potential security issues?
Shall I post them here, open a bug, or send them through
<secur...@apache.org>?