The general guidelines are set by the Apache Security Team and described at https://apache.org/security/