Please follow the Apache Software Foundation's Security Team instructions when reporting any vulnerabilities: https://www.apache.org/security/