Security

Apache Tomcat's security model and disclosure process are published on the project website rather than in the repository:

• Threat model and security policy: https://tomcat.apache.org/security-model.html
• How to report a vulnerability: see the Security section of https://tomcat.apache.org/.

The project website is the authoritative source; this file exists so agents and tooling that look for SECURITY.md in the repository can mechanically follow the link to the canonical documents.