Versions Compared

Comment: [Original edit by SidneyMarkowitz] Updated to reference current Apache security policy and current notification addresses for OS distros

...

To report a vulnerability you can either email security /at/ spamassassin.apache.org or open a Bugzilla issue, being very careful to set the Component to Security so that it is not generally visible. If you create the bug report you will have access to it, as will the security team.

Security team process

The Apache process for vulnerability handling by committers is listed at Vulnerability Handling. Our writeup here is intended to be our own version of those steps, kept compatible with that process.

Once a potential vulnerability is reported to the committers, and has been verified to be an issue, here's what to do (based on what we did for bug 5480):

...

  • Write up a general vulnerability statement explaining the issue.
  • Request one or more CVEs, following the instructions in step 8 at Vulnerability Handling. (Previous version of this step: "Request a CVE. security /at/ apache.org last said to contact Mark J Cox <mark /at/ awe.com> to get a number.")
  • Notifications are made in advance to the private list described at mailing-list:distros (note: read their different addresses for issues that are to be made public within 14 days vs those that will be longer; the previous version of this step named the vendor-sec private mailing list <vendor-sec /at/ lst.de>), and anyone the committers feel like informing, as long as it is kept private. Notifications contain the vulnerability statement, CVE info, and patch (if possible). (We may need to override on an issue-by-issue basis; for certain issues (e.g. a remote root hole in the default configuration via malformed mail messages or something similar), we may want to keep these *extremely* secret and be very careful with vendor/packager notification.)

...