Hi, > On 6. May 2026, at 20:30, Ernesto Reinaldo Barreiro <[email protected]> > wrote: > > Question. Shouldn't we create ISSUE for such things and add ISSUE > number to commit? SO, that the ISSUE is reported on release and it is > clear that this is a security fix, requiring us to warn users they > should upgrade?
Please have a look at the ASF guidelines for handling vulnerabilities: https://www.apache.org/security/committers.html In particular: https://www.apache.org/security/committers.html#work-in-private I believe it will answer your questions :) Cheers, -- Richard
