Apache ORC is a library rather than an execution framework and thus is less likely to have security vulnerabilities. However, if you have discovered one, please follow the process below.
We strongly encourage folks to report security vulnerabilities to our private security mailing list first, before disclosing them in a public forum.
Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in Apache ORC and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in Apache ORC will be ignored.
The ORC security mailing list address is: security@orc.apache.org. This is a private mailing list and only members of the ORC project are subscribed.
Please note that we do not use a team GnuPG key. If you wish to encrypt your e-mail to security@orc.apache.org, please use the GnuPG keys for the members of the ORC PMC, available from ORC GPG keys.
An overview of the vulnerability handling process is:
The full process can be found on the Apache Security Process page.